tracker issue : CF-3989771

select a category, or use search below
(searches all categories and all time range)
Title:

Call to non-existing component method returns Internal Server Error in IIS 7

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/Fixed

Reporter/Name(from Bugbase): Jeff Carpenter / Jeff Carpenter (Jeff Carpenter)

Created: 05/18/2015

Components: Language, CF Component

Versions: 11.0

Failure Type:

Found In Build/Fixed In Build: CF11_Final / 2016

Priority/Frequency: Normal / All users will encounter

Locale/System: ALL / Win 2008 Server

Vote Count: 0

Listed in the version 2016.0.0.297996 Issues Fixed doc
Verification notes: verified_partially_fixed on July 27, 2017 using build 2016.0.01.298513 
Problem Description:  Calling a non-existent component method returns Internal Server error 500 in IIS, or within ColdFusion returns NullPointerException error instead of a 404 type error. 

Steps to Reproduce:  Call a non-existent method in Coldfusion cfc similar to https://myserver.com/lib.cfc?method=nonexistant

Actual Result:  NullPointerException

Expected Result:  404 / "method not found in component" message

Any Workarounds:

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3989771

External Customer Info:
External Company:  
External Customer Name: Jeff
External Customer Email:  
External Test Config: My Hardware and Environment details: ColdFusion 11, IIS 7

Calling a non-existent component method returns Internal Server error 500 instead of a 404 type error.  This is a problem because security scanning software calls the 500 error as a medium security risk.  Unchecking the "Enable HTTP Status codes" box in the server settings will return the CF  specific error which triggers the NullPointerException error.

Attachments:

Comments:

The same scenario throws an "InvalidMethodNameException" on CF10.
Comment by S P.
7400 | May 20, 2015 03:56:09 AM GMT
-> This has been checked in coldfusion build: 295595 -> Test case used was: Calling.cfc: <html> <head> <title>CF Bugs</title> <script type="text/javascript"> $(document).ready(function() { $.ajax( { type: "POST", url: "called_file.cfc?method=RemoteFunc", success: function( response ) { console.log(response); $("#result").html(response); } }); }); </script> </head> Called.cfc: <cfcomponent> <cffunction access="remote" name="RemoteFunc" output="false" returntype="Any" returnformat="plain" method="POST" > <cfargument name="name" type="string" default="" > <cfreturn "I Came Here"> </cffunction> </cfcomponent> -> NPE error was seen on older versions (CF11 Final) -> Now it says: "The method RemoteFunc1 was not found in component"
Comment by Kailash B.
7401 | September 21, 2015 07:26:54 AM GMT
If we are calling for remote cfc with method not present, currently we are throwing 500 error, but the customer is expecting 404 error.
Comment by Kailash B.
7402 | September 21, 2015 07:32:35 AM GMT
Can you check whether CF10 was throwing 404 error? (Comment added from ex-user id:sandeepp)
Comment by Adobe D.
7403 | September 21, 2015 09:14:51 PM GMT
Its throwing 500 for cf10 too. The message shown is: "The method RemoteFunc1 was not found in component Testing.CF-3989771.called_file"
Comment by Kailash B.
7404 | September 21, 2015 10:57:55 PM GMT
We don't need to change the status code in this case as its old CF behavior. The NPE being thrown has been fixed. (Comment added from ex-user id:sandeepp)
Comment by Adobe D.
7405 | September 21, 2015 11:22:13 PM GMT
Verified the issue is fixed (NPE changed to InvalidMethodNameException) in CF2016 Update 1 (build 2016.0.01.298513). Thanks!, -Aaron
Comment by Aaron N.
7406 | July 27, 2017 06:49:09 AM GMT
The bug is fixed only if you uncheck "Enable HTTP status codes" in the administrator. If you uncheck this option, then the server will return error 500 "Server Error". This should be 404 and not 500. I don't know what you mean by accepting this problem by saying this is "old CF behavior". Returning 500 is incorrect. Security Scanning software will and does flag this is a problem when scanning for vulnerabilities!
Comment by Jeff C.
7407 | July 27, 2017 07:25:43 PM GMT
Ooops - I meant to say, if you check the "Enable HTTP status codes" option, the server will return 500.
Comment by Jeff C.
7408 | July 27, 2017 07:26:55 PM GMT
Hi Adobe, I agree w/ Jeff. Calling remote CFC w/ method not present should return 404, not 500, even when "Enable HTTP status codes" is checked in CF Admin. CF10 is no longer supported. Backward-compat should not be maintained for an incorrect response (500). This ticket isn't fully fixed until CF11 and CF2016 return 404 (not 500). Thanks!, -Aaron
Comment by Aaron N.
7409 | September 30, 2017 08:16:48 PM GMT
The same problem is happening with Coldfusion 2016 as well
Comment by Jeff C.
7410 | October 03, 2017 03:03:04 PM GMT
Hi Aaron, Now CF will return 404 if a non-existent CFC function is called via browser. But, it will still return 500(internal server error), when the same non-existent function is called from a CFM since it is not a RPC call anymore. Thanks, Kailash
Comment by Kailash B.
7411 | January 24, 2018 04:53:14 AM GMT