tracker issue : CF-4102180


Prefix Serialized JSON, CFFILEUPLOAD, and SerializeJSON Error


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Elias Rivers / Elias Rivers (Elias Rivers)

Created: 12/21/2015

Components: Documentation

Versions: 10.0

Failure Type: Non Functioning

Found In Build/Fixed In Build: CF11_Final /

Priority/Frequency: Major / All users will encounter

Locale/System: English / Win 2012 Server x64

Vote Count: 0

Problem Description:
When I enable "Prefix Serialized JSON" in ColdFusion Administrator for ColdFusion 11, I get a red bar with an error message within CFFILEUPLOAD instead of a green bar with a success message.

Steps to Reproduce:
Turn on "Prefix Serialized JSON" in ColdFusion Administrator. Build a screen that calls CFFILEUPLOAD and point it to a page that will process the upload. On the processing page, output a valid JSON value and output it using serializeJSON().

Actual Result:
The CFFILEUPLOAD will display a red bar with an error message. If you turn off "Prefix Serialized JSON", it will bring back a green bar with a success message on it.

Expected Result:
I should see a green bar with a success message.

Any Workarounds:
Turn off "Prefix Serialized JSON" in the ColdFusion Administrator. If your goal is to make JSON more secure, the only workaround is to not use CFFILEUPLOAD to perform multiple file uploads with a JSON response.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4102180

External Customer Info:
External Company:  
External Customer Name: Elias Rivers
External Customer Email:  
External Test Config: My Hardware and Environment details:



Calling File:
---------------------------------------------------
<cffileupload
    maxuploadSize="200"
    url="upload.cfm"
    name="uploadFiles"
    title="File Selection"
    addButtonLabel="Select File(s)"
    uploadButtonLabel="Upload Listed File(s)"
    deleteButtonLabel="Cancel Highlighted Upload(s)"
    clearButtonLabel="Clear All Upload(s)"
    extensionfilter="txt" />

Processing file:
---------------------------------------------------
<cfset str = {} />
<cfset str.STATUS = 200 />
<cfset str.MESSAGE = "File Upload Successful" />
<cfoutput>#serializeJSON(str)#</cfoutput>
Comment by External U.
5010 | December 21, 2015 07:50:39 AM GMT
When Secure JSON Prefix is enabled, by default the serializejson method puts the secure JSON prefix at the beginning of the JSON. If the secure JSON prefix is not required, change the code from #serializeJSON(str)# to #serializeJSON(str, "row", false)#.

We will update the documentation of the serializejson function to reflect the correct syntax:

SerializeJSON(var [, serializeQueryByColumns, useSecureJSONPrefix, useCustomSerializer])

Thanks,
Pavan.
Comment by S V.
5011 | August 08, 2016 08:20:55 AM GMT
I would not consider the status of this as closed. The requirements are:
1) Enable "Prefix Serialized JSON"
2) Use it properly in your code

The documentation says that the default is to use the encryption if it's provided. Based on how the response is working, I would say that it is indeed adding the prefix. The problem is that CFFILEUPLOAD does not compensate for the prefixed response and gives a red bar without a text response instead.

Yes, I can set using the prefix to false and it will work. However, it does not solve my problem, it just bypasses it, and still leaves the vulnerability. I need CFFILEUPLOAD to know how to handle a JSON response when useSecureJSONPrefix is enabled. I don't want to just bypass it by disabling the use of the prefix. There is no point in turning on the setting only to bypass it.
Comment by Elias R.
5012 | May 17, 2017 07:48:01 PM GMT
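
The mismatch discussed in this thread, as an added example that is not part of the original report and is not Adobe's code: a client that parses the response as plain JSON fails on a prefixed body, while a client that strips the prefix first works with the server-side setting left on. The `//` prefix is the ColdFusion Administrator default; the function names and sample response bodies are constructed for illustration.

```javascript
// Added example (not Adobe's code). "//" is the ColdFusion Administrator
// default prefix; pass a different one if the server is configured otherwise.
const SECURE_PREFIX = "//";

// Parse a response body that may carry the secure JSON prefix.
// requirePrefix=true rejects unprefixed bodies, so an endpoint that quietly
// passed useSecureJSONPrefix=false is noticed instead of silently accepted.
function parsePrefixedJSON(body, { prefix = SECURE_PREFIX, requirePrefix = false } = {}) {
  if (typeof body !== "string") throw new TypeError("body must be a string");
  // CFML pages often emit whitespace before the first output; skip it.
  let text = body.trimStart();
  const hadPrefix = prefix.length > 0 && text.startsWith(prefix);
  if (hadPrefix) {
    text = text.slice(prefix.length);
  } else if (requirePrefix) {
    throw new Error("secure JSON prefix missing from response");
  }
  // JSON.parse only: the body is never evaluated as script.
  return { hadPrefix, data: JSON.parse(text) };
}

// Hypothetical client that ignores the prefix and parses the body directly.
function naiveParse(body) {
  try {
    return { ok: true, data: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample bodies modelled on the processing page in this report.
const prefixed = '\r\n//{"STATUS":200,"MESSAGE":"File Upload Successful"}';
const unprefixed = '{"STATUS":200,"MESSAGE":"File Upload Successful"}';

console.log("naive parse of prefixed body ok?", naiveParse(prefixed).ok);
console.log("prefix-aware parse:", parsePrefixedJSON(prefixed).data.MESSAGE);
```

With `requirePrefix: true`, the unprefixed body is rejected, which is useful when the prefix is a site-wide policy.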