Login/Register
ColdFusion 11 - 500 Internal Server Error from Non-ASCII Cookie Character
Asked Answered
tomcatcookiescoldfusionjwplayercoldfusion-11
P

1

9

In response to any request with a cookie containing a non-ASCII character, ColdFusion 11 appears to crash. IIS 8.5 returns an HTTP 500 Internal Server Error (blank white page).

Steps to reproduce:

  1. Run the following in Javascript console and attempt to load any CFML page: document.cookie="a=ñ";

  2. (Optional) Request any .html or .txt file and receive normal response.

  3. Request any ColdFusion a page and receive a blank white page, HTTP 500 Internal Server Error.

  4. The only workaround is to clear browser cookies.

Environment:

  • Windows Server 2012 R2 Standard
  • IIS 8.5
  • Cold Fusion 11 (Standard)
  • All OS and software are running latest patched versions.

I have tried adding -Dfile.encoding=UTF-8 to the Java arguments.

I haven't found anyone else running into this issue on ColdFusion. There are similar issues running Java code on Tomcat. However since ColdFusion 11 is bundled with Tomcat, I don't even know what version of Tomcat is running nor how to upgrade it. (It appears ColdFusion 10 runs Tomcat 7) Adobe does not appear to have documentation about ColdFusion 11's Tomcat layer (specifically how it relates to ColdFusion). I've tried applying the <CookieProcessor /> configuration to context.xml as suggested on that other post. I've posted to the Adobe bug base and received no response.

Any ideas are welcome. Unfortunately we have a lot of users with "Español" in a cookie, and we cannot execute any ColdFusion code to clear or change this. We did not have this problem in ColdFusion 9 and missed this in a QA check after upgrading to ColdFusion 11.

Full exception from coldfusion-error.log:

Sep 03, 2015 11:43:58 PM org.apache.coyote.ajp.AjpProcessor process
SEVERE: Error processing request
java.lang.IllegalArgumentException: Control character in cookie value or attribute.
    at org.apache.tomcat.util.http.CookieSupport.isHttpSeparator(CookieSupport.java:193)
    at org.apache.tomcat.util.http.Cookies.getTokenEndPosition(Cookies.java:502)
    at org.apache.tomcat.util.http.Cookies.processCookieHeader(Cookies.java:349)
    at org.apache.tomcat.util.http.Cookies.processCookies(Cookies.java:168)
    at org.apache.tomcat.util.http.Cookies.getCookieCount(Cookies.java:106)
    at org.apache.catalina.connector.CoyoteAdapter.parseSessionCookiesId(CoyoteAdapter.java:986)
    at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:743)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:417)
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:199)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Pout answered 22/10, 2015 at 19:24 Comment(10)
pls report to bugbase.adobe.comPontiac
Are non-ASCII cookies valid? I thought only US-ASCII characters excluding CTLs, whitespace, DQUOTE, comma, semicolon and backslash characters were valid. https://mcmap.net/q/47525/-what-are-allowed-characters-in-cookies Are you able to write an IIS rule to identify it & sanitize it? Can CF's OWASP features catch it?Attract
I broke TryCF.com for myself trying to test this. After running document.cookie="a=ñ"; no code samples would run. If you use CFCookie instead, the cookie value is safely encoded as "%C3%B1".Attract
This bug doesn't exist when using ColdFusion 9, but is confirmed on CF10 & 11.Attract
Henry: as stated in the original post, it was posted to Adobe bug base (no activity in 8 days since).Pout
James: thank you for the IIS rewrite rule idea. We can make this work. Unfortunately we are not setting the cookie in ColdFusion--it's set by JWPlayer. I suppose I could dig into the Javascript source and try to modify the encoding, but that's really nasty and might be troublesome when we upgrade.Pout
Report this non-standard value to the JWPlayer devs too. They should use an ISO 639 ASCII code instead of non-ASCII localized language names. en.wikipedia.org/wiki/List_of_ISO_639-1_codesAttract
The JWPlayer Closed Caption Demo isn't using non-ASCII characters, so it must be due to how it's integrated or due to JWPlayer not using JavaScript's "encodeURIComponent" when saving the choice as a cookie. support.jwplayer.com/customer/portal/articles/…Attract
QUESTION: Is JWPlayer failing to encode the non-ASCII cookie or is it being manually added by another method without being encoded?Attract
I reported the issue to @JWPSupport on Twitter. Their plugin doesn't encode UTF8 values prior to saving as a cookie. gist.github.com/JamoCA/f8586d0dafc462cfd5d1Attract
A
4

You could identify non-ASCII cookies using an IIS Rewrite rule and then redirect the user to a static HTML page and delete or rewrite the cookie. (I tested this using CF10 and it works.)

This non-ASCII cookie kills ColdFusion10/11. (NOTE: ColdFusion can only access upper-cased cookie names.)

document.cookie="a=ñ";

Add this to your IIS web.config file.

<rule name="Route Bad Cookie" enabled="true" stopProcessing="true">
  <match url="^(.*)" />
    <conditions logicalGrouping="MatchAll">
      <add input="{PATH_INFO}" pattern=".*htm$" negate="true" />        
      <add input="{HTTP_COOKIE}" pattern="([^\x00-\x7F]+)" />
    </conditions>
  <action type="Redirect" url="/clearCookie.htm" redirectType="Temporary"/>
</rule>

NOTE: The above rule matches any script except ".htm" files (in case you are already using IIS Rewrite to hide .CFM in your URLs.)

  <match url="*.cfm*" />

If you are security conscious, you could replace the rewrite action with an abort.

<action type="AbortRequest" />

or a custom response:

<action type="CustomResponse" statusCode="403"
  statusReason="Forbidden: Invalid non-ASCII cookie"
  statusDescription="Only US-ASCII characters excluding CTLs, whitespace,
  DQUOTE, comma, semicolon, and backslash are allowed in a cookie." />

Here's some sample code to delete the cookie (/clearCookie.htm):

<script>
var mydate = new Date();
mydate.setTime(mydate.getTime() - 1);
document.cookie = "a=; expires=" + mydate.toGMTString();
</script>
Attract answered 22/10, 2015 at 23:15 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.