ColdFusion 11 - 500 Internal Server Error from a non-ASCII cookie

ColdFusion 11 fails on any request that carries a cookie containing a non-ASCII character: IIS 8.5 returns an HTTP 500 Internal Server Error (a blank white page).

Steps to reproduce:

  • Run the following in the JavaScript console and then try loading any CFML page: document.cookie="a=ñ";

  • (Optional) Request any .html or .txt file and get a normal response.

  • Request any ColdFusion page and get a blank white page (HTTP 500 Internal Server Error).

  • The only workaround is to clear your browser cookies.

Environment:

  • Windows Server 2012 R2 Standard
  • IIS 8.5
  • ColdFusion 11 (Standard)
  • OS and all software at the latest patch levels.

I tried adding -Dfile.encoding=UTF-8 to the JVM arguments.

I could not find anyone else who has run into this problem with ColdFusion. There are similar issues reported for Java code running on Tomcat. However, although ColdFusion 11 ships with Tomcat, I do not know which version of Tomcat it runs or how to update it (ColdFusion 10 appears to ship Tomcat 7). Adobe has no documentation on the Tomcat layer in ColdFusion 11 (in particular, how it relates to ColdFusion). I tried applying the <CookieProcessor /> configuration to context.xml, as suggested in another post. I submitted this to the Adobe bug database and have not received a response.

Any ideas are welcome. Unfortunately, we have many users with "Español" in a cookie, and we cannot run any ColdFusion code to clear or modify it. We did not have this problem in ColdFusion 9 and missed it during QA after upgrading to ColdFusion 11.

Full exception from coldfusion-error.log:

 Sep 03, 2015 11:43:58 PM org.apache.coyote.ajp.AjpProcessor process
 SEVERE: Error processing request
 java.lang.IllegalArgumentException: Control character in cookie value or attribute.
     at org.apache.tomcat.util.http.CookieSupport.isHttpSeparator(CookieSupport.java:193)
     at org.apache.tomcat.util.http.Cookies.getTokenEndPosition(Cookies.java:502)
     at org.apache.tomcat.util.http.Cookies.processCookieHeader(Cookies.java:349)
     at org.apache.tomcat.util.http.Cookies.processCookies(Cookies.java:168)
     at org.apache.tomcat.util.http.Cookies.getCookieCount(Cookies.java:106)
     at org.apache.catalina.connector.CoyoteAdapter.parseSessionCookiesId(CoyoteAdapter.java:986)
     at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:743)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:417)
     at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:199)
     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
     at java.lang.Thread.run(Thread.java:745)
coldfusion cookies tomcat jwplayer coldfusion-11
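The stack trace shows the failure happening in Tomcat's connector (parseSessionCookiesId) before any ColdFusion code runs, which is why nothing in the application can catch it. The following is an added example, not code from the question or from Tomcat: it models the RFC 6265 cookie-octet set (the same set the answer's 403 text quotes) in Node.js using the WHATWG TextEncoder, and shows why a browser-set "a=ñ" is rejected: document.cookie is a JavaScript string, but the Cookie header travels as UTF-8 bytes, and 0xC3 0xB1 fall outside US-ASCII, which Tomcat's parser treats as control characters. The header strings are constructed for illustration.

```javascript
// Added example, not from the original post. Models the RFC 6265 cookie-octet
// rule and shows why a browser-set "a=ñ" fails it: document.cookie is a JS
// string, but the Cookie header goes on the wire as UTF-8 bytes, and 0xC3 0xB1
// are outside US-ASCII. All header strings here are constructed for illustration.

// cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
// i.e. printable US-ASCII minus space, DQUOTE, comma, semicolon, backslash.
function isCookieOctet(byte) {
  if (byte < 0x21 || byte > 0x7e) return false; // CTLs, SP, DEL, and every non-ASCII byte
  return byte !== 0x22 && byte !== 0x2c && byte !== 0x3b && byte !== 0x5c;
}

// Walk a Cookie request header and return the first value byte that is not a
// cookie-octet, or null if every value is clean. A value wrapped in a single
// pair of DQUOTEs is allowed by the RFC, so the quotes themselves are skipped.
function findBadCookieByte(headerValue) {
  const enc = new TextEncoder(); // always UTF-8, like the browser
  for (const pair of headerValue.split(';')) {
    const eq = pair.indexOf('=');
    let value = (eq >= 0 ? pair.slice(eq + 1) : pair).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    for (const b of enc.encode(value)) {
      if (!isCookieOctet(b)) return b;
    }
  }
  return null;
}

// The conventional fix when *writing* cookies: percent-encode the value so only
// cookie-octets reach the wire. encodeURIComponent never emits the excluded bytes
// (it leaves only A-Z a-z 0-9 - _ . ! ~ * ' ( ) unescaped).
function encodeCookieValue(text) {
  return encodeURIComponent(text);
}

// Reproduce the report: the cookie from the question versus its encoded form.
const bad = findBadCookieByte('a=\u00f1');
console.log('a=\u00f1 -> first bad byte 0x' + bad.toString(16));
const encoded = 'a=' + encodeCookieValue('\u00f1');
console.log(encoded + ' -> ' + findBadCookieByte(encoded));
```

Running it reports 0xc3 for the raw cookie and null for the percent-encoded one; the same check run over a captured Cookie header tells you which value a proxy or rewrite rule needs to intercept.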
1 answer

You can detect non-ASCII cookies with an IIS rewrite rule, then redirect the user to a static HTML page that deletes or rewrites the cookie. (I tested this with CF10 and it works.)

This non-ASCII cookie kills ColdFusion 10/11. (NOTE: ColdFusion can only access cookie names with a top location.)

 document.cookie="a=ñ";

Add this to your IIS web.config file.

 <rule name="Route Bad Cookie" enabled="true" stopProcessing="true">
   <match url="^(.*)" />
   <conditions logicalGrouping="MatchAll">
     <add input="{PATH_INFO}" pattern=".*htm$" negate="true" />
     <add input="{HTTP_COOKIE}" pattern="([^\x00-\x7F]+)" />
   </conditions>
   <action type="Redirect" url="/clearCookie.htm" redirectType="Temporary" />
 </rule>

NOTE: The above rule matches any script file except ".htm" (in case you are already using IIS Rewrite to hide .CFM in your URLs). If not, the match can be narrowed to .cfm requests:

 <!-- URL Rewrite patterns are ECMAScript regular expressions by default, so escape the dot -->
 <match url=".*\.cfm.*" />

If you are security-conscious, you can replace the redirect action with an abort:

 <action type="AbortRequest" /> 

or with a custom response:

 <action type="CustomResponse"
         statusCode="403"
         statusReason="Forbidden: Invalid non-ASCII cookie"
         statusDescription="Only US-ASCII characters excluding CTLs, whitespace, DQUOTE, comma, semicolon, and backslash are allowed in a cookie." />

Here is sample cookie-removal code (/clearCookie.htm):

 <script>
   var mydate = new Date();
   mydate.setTime(mydate.getTime() - 1);
   document.cookie = "a=; expires=" + mydate.toGMTString();
 </script>
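To reason about the rule above without deploying it, here is an added example (not code from the answer or from IIS) that evaluates the same two conditions and action types in Node.js, and builds the document.cookie assignments a clearing page would issue for every offending cookie rather than just "a". It assumes the cookies were set for the site root (path=/); the request objects and cookie headers are constructed for illustration.

```javascript
// Added example, not from the original answer. Evaluates the decision the
// web.config rule encodes, so its behaviour (including why a request for
// /clearCookie.htm itself is not redirected) can be checked offline, and builds
// the document.cookie assignments a clearing page would issue. Request objects
// and cookie headers here are constructed for illustration.

const NON_ASCII = /[^\x00-\x7F]+/;  // the rule's {HTTP_COOKIE} pattern
const HTM_PATH = /.*htm$/;          // the rule's {PATH_INFO} pattern (negated)

// Mirrors <conditions logicalGrouping="MatchAll">: the rule fires only when the
// path is NOT an .htm file AND the Cookie header holds a non-ASCII character.
// Returns the action the rule would take, or null when the request passes through.
function routeBadCookie(req, action = 'Redirect') {
  const pathIsHtm = HTM_PATH.test(req.path);            // negate="true"
  const cookieIsBad = NON_ASCII.test(req.cookie || '');
  if (pathIsHtm || !cookieIsBad) return null;
  switch (action) {
    case 'Redirect':       // redirectType="Temporary" is HTTP 307 in URL Rewrite
      return { status: 307, location: '/clearCookie.htm' };
    case 'AbortRequest':   // connection dropped, no response body
      return { status: 0, aborted: true };
    case 'CustomResponse':
      return { status: 403, reason: 'Forbidden: Invalid non-ASCII cookie' };
    default:
      throw new Error('unknown action ' + action);
  }
}

// For every cookie whose name or value carries a non-ASCII character, produce the
// document.cookie assignment that expires it. Assumes the cookies were set for the
// site root (path=/); one set with another path or domain needs those attributes too.
function expiringAssignments(cookieHeader) {
  const out = [];
  for (const pair of cookieHeader.split(';')) {
    const trimmed = pair.trim();
    if (!trimmed || !NON_ASCII.test(trimmed)) continue;
    const eq = trimmed.indexOf('=');
    const name = eq >= 0 ? trimmed.slice(0, eq) : trimmed;
    out.push(name + '=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/');
  }
  return out;
}

// Walk through the scenario from the question.
const hit = { path: '/index.cfm', cookie: 'CFID=1; lang=Espa\u00f1ol' };
console.log(routeBadCookie(hit));                                              // redirect to /clearCookie.htm
console.log(routeBadCookie({ path: '/clearCookie.htm', cookie: hit.cookie })); // null: the clearing page stays reachable
console.log(expiringAssignments(hit.cookie));                                  // expire only the "lang" cookie
```

The negated .htm condition is what prevents a redirect loop: the clearing page is served with the bad cookie still attached, which the static handler tolerates, and its script removes the cookie before the user returns to a .cfm page.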
