tracker issue : CF-3691874

Title:

Invalid ReturnFormat Produces an Uncatchable Error


Status/Resolution/Reason: Closed/Withdrawn/NotABug

Reporter/Name(from Bugbase): Mary Jo Sminkey / Mary Jo Sminkey (Mary Jo Sminkey)

Created: 01/10/2014

Components: CFComponent

Versions: 10.0

Failure Type: Incorrect w/Workaround

Found In Build/Fixed In Build: Final /

Priority/Frequency: Normal / Some users will encounter

Locale/System: English / Platforms All

Vote Count: 1

Problem Description: Recently a hacker threw an invalid returnformat into Ajax calls to a remote CF method. This produced errors that we do not seem to be able to catch and handle via normal methods. 

Steps to Reproduce: Call remote method with a returnFormat that is not in the allowed list. 

Any Workarounds: Since we aren't able to catch this error, we've had to use the global error handler to recognize and work around it.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3691874

External Customer Info:
External Company:  
External Customer Name: MaryJo
External Customer Email:

Attachments:

Comments:

What's the actual write your get? -- Adam
Comment by External U.
13701 | January 10, 2014 01:41:17 PM GMT
+1 .
Vote by External U.
13707 | January 10, 2014 02:14:43 PM GMT
Adam - don't understand the question. Can you re-phrase it another way??
Comment by External U.
13702 | January 10, 2014 11:00:09 PM GMT
Sorry MaryJo: autocorrupt on my phone got the better of me. I meant to type "What's the actual ERROR your get?" ;-) -- Adam
Comment by External U.
13703 | January 12, 2014 05:21:40 PM GMT
Hi MaryJo, can you please provide some more info, like the error message and some sample code? Thanks! (Comment added from ex-user id:vnigam)
Comment by Adobe D.
13704 | February 13, 2014 06:02:13 AM GMT
As I mentioned in the Description to reproduce, just hit a remote CFC (via Ajax) with a remoteFormat that is not valid. The one we get hit with seems to always be "jsPr". As a result, this is the error that gets thrown:
coldfusion.filter.FilterUtils$InvalidReturnFormatException: Invalid returnFormat: jsPr.
    at coldfusion.filter.FilterUtils.printReturnValue(FilterUtils.java:262)
    at coldfusion.filter.ComponentFilter.invoke(ComponentFilter.java:202)
ETC....
MESSAGE: Invalid returnFormat: jsPr.
DIAGNOSTICS: Invalid returnFormat: jsPr. The returnFormat request parameter must be specified as wddx, json or plain. The error occurred on line -1.
Comment by External U.
13705 | February 21, 2014 09:34:52 PM GMT
The serialization based on the returnformat is being handled by the ColdFusion core engine and does not fall under application code. Hence there is no other way than the global handler to handle this. If a wrong returnformat is really an issue, then you can pre-check it in the function (url.returnformat EQ "jsPr") and take the appropriate action.
Comment by Awdhesh K.
13706 | November 26, 2014 01:59:58 AM GMT
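
One way to apply the pre-check suggested in the last comment once for every remote CFC request, as an added example that is not code from the reporter or from Adobe: an Application.cfc that rejects any returnFormat outside the three values named in the error message before the method runs. The application name, the helper isAllowedReturnFormat, the 400 response and the choice to check the form scope as well as the url scope are assumptions of this example.

```cfml
<cfcomponent output="false">
    <!--- Hypothetical application name, used only for this example. --->
    <cfset this.name = "returnFormatGuardExample">

    <!--- The formats the error message on this page lists as accepted. --->
    <cfset variables.allowedReturnFormats = "wddx,json,plain">

    <!--- Hypothetical helper: true when the scope carries no returnFormat,
          or carries one that is on the allow-list. The comparison ignores
          case (an assumption about what the engine accepts) and does not
          trim, so a padded value such as " json" is rejected. --->
    <cffunction name="isAllowedReturnFormat" access="private" returntype="boolean" output="false">
        <cfargument name="scope" type="struct" required="true">
        <cfif NOT structKeyExists(arguments.scope, "returnFormat")>
            <cfreturn true>
        </cfif>
        <cfif NOT isSimpleValue(arguments.scope.returnFormat)>
            <cfreturn false>
        </cfif>
        <cfreturn listFindNoCase(variables.allowedReturnFormats, arguments.scope.returnFormat) GT 0>
    </cffunction>

    <!--- Runs before the remote method is invoked, so a bad value never
          reaches the engine's serialization step, where application code
          cannot catch the resulting exception. --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfif listLast(arguments.targetPage, ".") EQ "cfc"
              AND (NOT isAllowedReturnFormat(url) OR NOT isAllowedReturnFormat(form))>
            <!--- Log the source and target only; the attacker-supplied
                  value is deliberately kept out of the log line. --->
            <cflog file="application" type="warning"
                   text="Rejected request with invalid returnFormat from #cgi.remote_addr# for #arguments.targetPage#">
            <cfheader statuscode="400" statustext="Bad Request">
            <cfabort>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Requests that omit returnFormat pass through unchanged, so the method's own default still applies.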