tracker issue : CF-4205250

select a category, or use search below
(searches all categories and all time range)
Title:

Nest CFOUTPUT error in hotfix 5 (hf-2018-00005-315699)

| View in Tracker

Status/Resolution/Reason: To Test//Fixed

Reporter/Name(from Bugbase): Kevin K. / ()

Created: 09/25/2019

Components: Installation/Config, Hotfix Installer

Versions: 2016,2018

Failure Type:

Found In Build/Fixed In Build: hf-2018-00005-315699 /

Priority/Frequency: Normal /

Locale/System: / Win 2016

Vote Count: 24

Problem Description:

A <CFOUTPUT> tag at a higher level (i.e. outside of a function call) will cause a nested tag error if the function call contains a <CFOUTPUT QUERY="">.

Steps to Reproduce:

test.cfm:

{code:java}
<CFSET testObj = new test() />
<CFOUTPUT>#testObj.Test()#</CFOUTPUT>
{code}


test.cfc:

{code:java}
<cfcomponent>
    <cffunction name="test">
        <CFQUERY NAME="GetData">
        SELECT SomeCol FROM SomeTable
        </CFQUERY>
        <CFOUTPUT QUERY="GetData">
            <!--- error --->
        </CFOUTPUT>
    </cffunction>
</cfcomponent>
{code}

Actual Result:

 "Invalid tag nesting configuration."

Expected Result:

No error

Any Workarounds:

Rollback to Update 4

Attachments:

Comments:

Confirmed after rollback that this does not cause an error prior to update 5.
Comment by Kevin K.
31377 | September 25, 2019 01:04:26 PM GMT
I've just attached working code samples using the cfartgallery, courtesy of Charlie Arehart.
Comment by Kevin K.
31378 | September 25, 2019 04:00:02 PM GMT
Installed this update (2018.0.05.315699) in our test environment today (9/25/2019) and I've experienced the same issue.
Vote by Neil L.
31380 | September 25, 2019 05:27:27 PM GMT
This issue is present on our servers as well.
Comment by dakota c.
31379 | September 25, 2019 05:49:33 PM GMT
I just had yet another client report the problem.
Comment by Charlie A.
31391 | September 25, 2019 10:02:38 PM GMT
This is the same problem I am experiencing and reported in https://tracker.adobe.com/#/view/CF-4205257
Vote by Vincent K.
31403 | September 26, 2019 03:25:32 PM GMT
Why does this indicate a reason code of "fixed", without a value for "fixed in build" (as I wrote, on 9/25/19)? How is it "fixed", and/or how does one obtain the fix? (I can't imagine that the fact that there's an offered workaround in the report would be a reason to regard the problem as 'fixed".)
Comment by Charlie A.
31402 | September 26, 2019 05:29:03 PM GMT
Thanks for reporting the bug , we have fixed this in our development branch and once testing is done we shall communicate our plans to make this fix available .
Comment by Suresh J.
31417 | September 26, 2019 07:22:52 PM GMT
As a result of this error (which I've verified on a staging server), means we can't upgrade this in production until this bug is fixed.
Vote by James M.
31431 | September 27, 2019 04:05:02 PM GMT
Confirmed here too. Calling a cfc function with a <cfoutput query="xxx"> tag throws the error when an <cfoutput> surrounds the call the cfc function. Exactly as described. NEED FIX ASAP -- as we are all vulnerable until we can install the original update.
Vote by Michael P.
31438 | September 27, 2019 07:02:57 PM GMT
Adding to Suresh's comment, I have been told elsewhere that Adobe does now have a fix for this. You need to ask them for it. They don't say here how to do it, but try cfsup@adobe.com. BTW, it appears they will not be "refreshing" the update, so those with the error will need to request this. I think that's unfortunate, as people will be bit by this only if/when they upgrade and if/when they do testing, and they may not know to look here, and they may not know they can even ask Adobe for a fix. (And this is not the only bug in this most recent update.) Grr.
Comment by Charlie A.
31437 | September 27, 2019 08:12:24 PM GMT
Vote +1 : NEED FIX ASAP. As this is preventing the critical vulnerabilities update for update 12 on CF2016. Another simple example to reproduce the error is at : https://community.adobe.com/t5/ColdFusion/Errors-after-update-12-on-coldfusion-2016/m-p/10636488 Rolled Back to Update 11.
Vote by Nas K.
31441 | September 28, 2019 02:17:55 AM GMT
Guys, this is crazy. We have live client deployments that are suddenly getting errors because of this. Please fix this and give us a patch asap!
Comment by Nick G.
31444 | September 28, 2019 06:25:56 PM GMT
Hi All, This issue is fixed now. Please reach out to ColdFusion support @ [cfinstal@adobe.com|mailto:cfinstal@adobe.com] to get the patch. -Nimit
Comment by Nimit S.
31459 | September 29, 2019 05:30:44 PM GMT
This issue touches the very foundation of CF and should be marked as critical.
Comment by Nas K.
31467 | September 29, 2019 11:45:32 PM GMT
hi nimit, is this patch going to be available for cf2016?
Comment by luke m.
31475 | September 30, 2019 06:33:26 AM GMT
According to Adobe's website, CF 2016 is under core support until 2/17/2021 so I sure hope this patch is available for CF2016. https://helpx.adobe.com/support/programs/eol-matrix.html#CD
Comment by Vincent K.
31479 | September 30, 2019 03:09:26 PM GMT
Hi Luke & Vincent, Yes, this patch is available for ColdFusion 2016 as well. You can contact ColdFusion Support @ [cfinstal@adobe.com|mailto:cfinstal@adobe.com] to get the patch. -Nimit
Comment by Nimit S.
31480 | September 30, 2019 04:18:43 PM GMT
I received the patch (via Dropbox). I placed the JAR file in the lib/updates sub-directry, restarted the ColdFusion Application service (Windows) and continued to experience the same error using Windows/CF2016u5. I killed the process, allowed it to restart and there wasn't any change. Has anyone received the patch and had it fix the CF error? (Just curious.)
Comment by James M.
31482 | September 30, 2019 06:43:17 PM GMT
Is the fix only good for update 12? I'm still waiting for them to send it to me. I'm on update 12 and getting the same error as you.
Comment by Dave D.
31483 | September 30, 2019 06:46:30 PM GMT
Sorry... I meant CF2016 update 12 (not 5). I'm using 2016,0,12,315717 to be exact.
Comment by James M.
31484 | September 30, 2019 06:53:12 PM GMT
James,  Are you getting any error while starting the CF server? Can you please share the settings summary and coldfusion-out.log/coldfusion-error.log to investigate it further? -Nimit
Comment by Nimit S.
31485 | September 30, 2019 07:31:17 PM GMT
The patch provided does not work for me either. Error: Invalid tag nesting configuration. A query driven queryloop tag is nested inside a queryloop tag that also has a query attribute. This is not allowed. Nesting these tags implies that you want to use grouped processing. However, only the top-level tag can specify the query that drives the processing.
Comment by Dave D.
31486 | September 30, 2019 07:35:18 PM GMT
No start up errors for me. I think what I may have been testing was actually badly nested cfml. I migrated my test script to a non-updated CF2016u4 server and it threw the same error. I modified the same sample code in the report (to use CFDirectory instead of CFQuery) and it worked correctly.
Comment by James M.
31487 | September 30, 2019 08:24:09 PM GMT
James, Can you please confirm if it is still an issue or not?   Dave, Can you please share the exception stack trace and sample code that you are trying? I will try the same code at my end.   -Nimit
Comment by Nimit S.
31488 | September 30, 2019 09:02:51 PM GMT
For me, the demonstration script that is available with this bug report does not cause any CF error when the provided patch is applied.
Comment by James M.
31489 | September 30, 2019 11:14:04 PM GMT
I've attached sample script showing it broken. It appears related to the <cfoutput> within a <cfcomponent>. I show two versions, one where it is and one were it is not. Pretty simple code. Seems like a serious bug.
Comment by Dave D.
31491 | October 01, 2019 12:29:14 AM GMT
See nested-query-loop.zip attachment.
Comment by Dave D.
31492 | October 01, 2019 12:29:42 AM GMT
Unzip and place nested-query-loop directory in root and navigate to /nested-query-loop/index.cfm
Comment by Dave D.
31493 | October 01, 2019 12:30:38 AM GMT
Still broken for our codebase after installing the patch for CF 2016 Linux. Installing the patch DOES fix the code as described in this ticket (test.cfm and test.cfc) for CF 2016. However, if youe take it up one more level using a <cfinclude> it breaks again. To re-create error, create one more file that includes the test.cfm via a <cfinclude> surrounded by <cfoutput>: ------------------- test-include.cfm --------------- <cfoutput> <cfinclude template="test.cfm"> </cfoutput> ------------------------------------------------------ Returns the same error message as the original ticket states.
Comment by Michael P.
31494 | October 01, 2019 02:44:25 AM GMT
First, now that <cfloop> has all of <cfoutput>'s looping functionality, <cfoutput>'s looping functionality could be marked deprecated and the docs could recommend that users use <cfloop> instead. Next, since <cfoutput>'s encodefor attribute isn't a substitute for context-specific encoding, <cfoutput> itself could be deprecated :) JK, but.. Some (including me sometimes) just slap <cfoutput> at the top of a file, and </cfoutput> at the bottom, and be done w/ that tag. So, IMO, Michael P.'s example is not edge-case, b/c a <cfoutput> loop could be an arbitrary number of levels deep inside <cfoutput>-wrapped includes and function calls. What ticket is this issue fixing? Thanks!, -Aaron
Comment by Aaron N.
31495 | October 01, 2019 05:43:19 AM GMT
+1 ...........
Vote by Aaron N.
31500 | October 01, 2019 06:42:00 AM GMT
Hi Michael & Dave, I have tried both the suggestion for the repro case but I am unable to repro it with the patch. Can you please share the settings summary and exception stack trace so that I can confirm the patch is applied successfully? -Nimit
Comment by Nimit S.
31499 | October 01, 2019 07:06:45 AM GMT
Just to confirm, I was given patch hf201600-4205269 and running CF2016 Update 12. I this the right patch?
Comment by Dave D.
31511 | October 01, 2019 03:03:16 PM GMT
I placed the patch under /hf-updates instead of /lib/updates on my dev box. When I moved it to the right directory, my broken example works. I also added multiple levels deep as Michael P. suggests. It was still working with the patch. I will confirm in production.
Comment by Dave D.
31512 | October 01, 2019 03:19:37 PM GMT
I tested in our production code and I still get "A query driven queryloop tag is nested inside a queryloop tag that also has a query attribute. This is not allowed. Nesting these tags implies that you want to use grouped processing. However, only the top-level tag can specify the query that drives the processing." The example I gave must not fully represent our live code. The patch did fix the example, but not in production. I'll continue to try and track down the cause and provide an updated example.
Comment by Dave D.
31513 | October 01, 2019 03:42:05 PM GMT
Ok, it found out where the issue still exists - which is slightly different from the test code. If called from a separate page via <CFINCLUDE> that is surrounded by <CFOUTPUT> and the function in the cfc is called via <CFINVOKE> instead of directly instantiating the cfc via 'new' or 'createObject' , it will throw the error: Detail: A query driven queryloop tag is nested inside a queryloop tag that also has a query attribute. If the <CFINCLUDE> is not surrounded by <CFOUTPUT> it will not throw the error. I've got test files created that i attached above: test-cfinclude-cfinvoke.zip - Michael
Comment by Michael P.
31514 | October 01, 2019 04:52:53 PM GMT
EDIT (2019/10/03): I was originally given a hotfix for CF2018 instead of CF2016. I contacted Adobe Support and got the correct hotfix, installed, and everything is working properly now. Please refer to my comment on the left side for more detailed info. ---------------------------------- +1. Created this account just to vote. I contacted cfinstal@adobe.com to receive the hotfix file. I renamed the .zip file to .jar as instructed, placed it in the cfusion/lib/updates folder, restarted CF Application Windows service, and still received the nesting code error. Tried putting the .jar file in the cfusion/hf-updates folder, restarted, and still receiving the error. I even went as far as trying to install the .jar file manually from the command line with: java -jar <jar file location> Received the error: "no main manifest attribute" and the file was not installed. It seems as though CF doesn't even try to read the hotfix file. While I have CF running, I cannot open an older hotfix file in the cfusion/lib/updates folder because it is locked (being used by the CF process). However, I can open this newer hotfix file as if CF isn't even reading it at all. I'm no java expert by any means, but I'm getting the impression this hotfix was not properly compiled.
Vote by Jason H.
31520 | October 01, 2019 08:18:00 PM GMT
+1 for receiving the error. Created this account just to vote. I contacted cfinstal@adobe.com to receive the hotfix file. I renamed the .zip file to .jar as instructed, placed it in the cfusion/lib/updates folder, restarted CF Application Windows service, and still received the nesting code error. Tried putting the .jar file in the cfusion/hf-updates folder, restarted, and still receiving the error. I even went as far as trying to install the .jar file manually from the command line with: java -jar <jar file location> Received the error: "no main manifest attribute" and the file was not installed. It seems as though CF doesn't even try to read the hotfix file. While I have CF running, I cannot open an older hotfix file in the cfusion/lib/updates folder because it is locked (being used by the CF process). However, I can open this newer hotfix file as if CF isn't even reading it at all. I'm no java expert by any means, but I'm getting the impression this hotfix was not properly compiled.
Comment by Jason H.
31516 | October 01, 2019 08:19:23 PM GMT
Thanks Dave for the confirmation. I am glad it worked for you.    
Comment by Nimit S.
31517 | October 01, 2019 11:00:31 PM GMT
Michael, I am able to repro the issue with the sample code you provided. Please contact me @ [nimsharm@adobe.com|mailto:nimsharm@adobe.com] so that I can assist you further -Nimit
Comment by Nimit S.
31518 | October 01, 2019 11:02:48 PM GMT
Hi Jason H, This patch should only be placed inside <instance_name>/lib/updates folder. There can be other issue if it is not getting loaded. Can you please share the settings summary and server start up log file @ [nimsharm@adobe.com|mailto:nimsharm@adobe.com] to investigate it further . -Nimit
Comment by Nimit S.
31519 | October 01, 2019 11:15:26 PM GMT
I think Michael has identified the difference between our production code and the example I provide. As a workaround for us, we've decide to just swap out the <cfoutput> tags with <cfloop> where appropriate. However; the example Michael posted is most like our prod issue. "If called from a separate page via <CFINCLUDE> that is surrounded by <CFOUTPUT> and the function in the cfc is called via <CFINVOKE> instead of directly instantiating the cfc via 'new' or 'createObject' , it will throw the error"
Comment by Dave D.
31521 | October 02, 2019 01:58:13 AM GMT
Hi Dave, I have shared the patch with Michael and he has confirmed that the patch is working at his end. You can either contact [cfinstal@adobe.com|mailto:cfinstal@adobe.com] or [nimsharm@adobe.com|mailto:nimsharm@adobe.com] to get the patch.   -Nimit
Comment by Nimit S.
31522 | October 02, 2019 07:56:46 AM GMT
We installed CF2016 HF12 last night on our dev server and this morning all of my developers are a bit peeved at me as all of our websites appear to be impacted by this. Emailed requesting the patch file and I'll report back fix status to see if it resolves all of our issues or if we have the extra problem case others have reported.
Comment by Leith T.
31526 | October 02, 2019 01:28:10 PM GMT
We put the provided hf201600-4205269 in the lib\updates folder and restarted CF. A developer reported an issue they were having stopped but we've found others that continue to happen. I provided a code snippet to the support email I had to get the jar. In essence we have a CFOUTPUT of a query that calls a function that itself then does a CFQUERY and then another CFOUTPUT of that query and the issue happens on the call of the function. This code is in a CFC and is invoked as a method call to an object instance.
Comment by Leith T.
31538 | October 03, 2019 01:21:13 PM GMT
I've attached the hf201600-4205269.jar hotfix that I was given from Adobe support. Note that this was for Coldfusion 2016. This has been working great so far for me. Haven't experienced any nested CFOutput query loop errors since applying the hotfix. We haven't tested it in production just yet, but our dev server is practically identical to prod so I have high hopes. The Adobe support guys recommended deleting everything in this folder before restarting CF with the hotfix: cfusion\wwwroot\WEB-INF\cfclasses I backed mine up first, just in case. You'll have to stop the CF Application service before deleting, obviously. I don't know what this directory is for exactly, but I did notice that some of my CFC functions' names were cached in here. So yeah, guessing it's some sort of cache. Step 1: Make sure your CF server is updated to version 12. Step 2: Stop the CF service and place the jar in - \ColdFusion2016\cfusion\lib\updates folder Step 3: Restart the service and test your application. You can confirm the hotfix was applied by logging into the CF Admin page > Settings Summary > Server Details > Update Level. The hotfix JAR file location should be there.
Comment by Jason H.
31541 | October 03, 2019 08:24:14 PM GMT
@ All: This should work after the latest patch that is being shared by Adobe Support team, If anyone is still facing problems please let us know the exception with a standalone reproducible case for us to verify. Thanks
Comment by Ashudeep S.
31562 | October 08, 2019 07:22:12 AM GMT
@Ashudeep: hf201600-4205269.jar hotfix does not address all errors caused by 2016 update 12 - at least not on our test server. The errors we are still experiencing are two levels deep (cfoutput around a cfinclude that then uses cfinvoke to call a cfc with cfoutput query). I have shared the code with Sandip at cfsupport and I am still waiting for an update. Thanks
Comment by Shirzad K.
31563 | October 08, 2019 11:44:29 AM GMT
Can someone share here the hotfix jar for CF2018? What Jason offered (in the "attachments" section here) was the jar for CF2016 only. If anyone could offer it either as an attachment or a link (that Adobe may have shared), that would be appreciated. Of course, it would be best if it was offered by someone from Adobe, so that we know it's an official hotfix file. Also, really hoping someone will address how some folks say that the fix is NOT solving the problem completely for them. See Shirzad's comment just before mine, for instance. It's hard to put full faith in this fix, otherwise.
Comment by Charlie A.
31567 | October 08, 2019 06:55:59 PM GMT
We've been waiting to get the re-released patch from support because I'm not going to download a jar file from a non-Adobe employee to put on my servers.
Comment by Leith T.
31575 | October 09, 2019 12:53:17 PM GMT
Leith, Please send an email @ [nimsharm@adobe.com|mailto:nimsharm@adobe.com] so that I can share the patch with you. -Nimit
Comment by Nimit S.
31576 | October 09, 2019 04:43:00 PM GMT
Installing the patch for ColdFusion 2018 Update 5 eliminated my coldfusion.tagext.QueryLoop$InvalidQueryNestingException: Invalid tag nesting configuration.
Comment by Adrian W.
31583 | October 10, 2019 03:15:12 PM GMT
RE: Installing the patch for ColdFusion 2018 Update 5 I also deleted all files from \ColdFusion2018\cfusion\wwwroot\WEB-INF\cfclasses before restarting (per ColdFusion support instructions).
Comment by Adrian W.
31584 | October 10, 2019 03:20:58 PM GMT