tracker issue : CF-3919630

select a category, or use search below
(searches all categories and all time range)
Title:

CFZip requires "execute" permissions for "<<ALL FILES>>" when Sandbox Security is enabled

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Jake Hand / Jake Hand (Jake Hand)

Created: 01/12/2015

Components: Security

Versions: 11.0

Failure Type:

Found In Build/Fixed In Build: CF11_Final /

Priority/Frequency: Major / All users will encounter

Locale/System: English / Win 2012 Server x64

Vote Count: 1

Listed in the version 2016.0.0.297996 Issues Fixed doc
Verification notes: verified_fixed on September 06, 2019 using build 2016.0.01.298513 
Problem Description: 
When Sandbox Security is enabled, a sandbox must have "execute" permissions for "<<ALL FILES>>" listed or cfzip will give a permissions error.

Steps to Reproduce: 
Create a basic sandbox for a site, then try to unzip an archive:

<cfzip action = "unzip" 
				destination = "D:\path\to\zipfile\" 
				file = "D:\path\to\zipfile\test.zip" 
				overwrite="true">

Actual Result:
Error Occurred While Processing Request
Exception encountered while extracting from zip file D:/path/to/zipfile/test.zip.

    java.security.AccessControlException: access denied ("java.io.FilePermission" "<<ALL FILES>>" "execute")


Expected Result:
ColdFusion unzips file without error.

Any Workarounds:
Add an entry to the Files section of the sandbox, giving Execute permissions to <<ALL FILES>>. Alternatively, disable Sandbox Security if not required. Neither of these are viable workarounds for our environment.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3919630

External Customer Info:
External Company:  
External Customer Name: jakefusion
External Customer Email:  
External Test Config: My Hardware and Environment details:



- Windows 2012

- IIS 8

- CF 11,0,03,292480

Attachments:

Comments:

+1 ......................
Vote by External U.
8988 | September 23, 2015 01:09:06 AM GMT
Integrated in cfusion\lib
Comment by Deepraj J.
8981 | September 24, 2015 04:02:41 AM GMT
Fix verified and will be available in the next release of ColdFusion.
Comment by S P.
8982 | September 24, 2015 11:56:07 PM GMT
Just to clarify, are you saying the fix will be in the next update or the next major version?
Comment by External U.
8983 | September 25, 2015 10:27:27 AM GMT
I've taken over Jake's position at the company in question. Can we get a confirmation on if this was fixed in the latest hotfix or in ColdFusion 2016? We have a sites still on ColdFusion 11 in our environment that seem to be running into this issue still.
Comment by External U.
8984 | April 17, 2016 10:52:45 AM GMT
Hi Kyle, It has been fixed on the latest hotfix for CF11 as well for CF2016. Thanks, Preethi
Comment by S P.
8985 | April 18, 2016 12:49:10 AM GMT
It looks like we are still running into this issue on [11,0,07,296330]. Can you have a look at it again? java.security.AccessControlException: access denied ("java.io.FilePermission" "<<ALL FILES>>" "execute")
Comment by External U.
8986 | April 18, 2016 10:57:23 AM GMT
Hi Kyle, The fix is not part of update 7, it will be available to you as part of the latest hotfix 8 that will be out. Thanks, Preethi
Comment by S P.
8987 | April 18, 2016 08:27:57 PM GMT
Hi Adobe, I've verified this is fixed in CF2016 Update 1 (build 2016.0.01.298513), as the exception is no longer thrown for a new sandbox. Thanks!, -Aaron
Comment by Aaron N.
31294 | September 06, 2019 04:35:59 AM GMT