tracker issue : CF-4205822

select a category, or use search below
(searches all categories and all time range)
Title:

AccessControlException in XMLParse with Java 8u231

| View in Tracker

Status/Resolution/Reason: Open//

Reporter/Name(from Bugbase): Markus W. / ()

Created: 11/07/2019

Components: Security, Sandbox

Versions: 2016

Failure Type: Non Functioning

Found In Build/Fixed In Build: 2016,0,12,315717 /

Priority/Frequency: Normal / Few users will encounter

Locale/System: English / Win 2012 Server x64

Vote Count: 0

Problem Description:

Calling XMLParse() with xmlText passed as string can fail with a java.security.AccessControlException since Java 8u231. Only seems to happen on Windows, not Linux.

Steps to Reproduce:

<cfsavecontent variable="xmlText"><test>. </test></cfsavecontent>
<cfdump var="#XMLParse(xmlText)#">

Actual Result:

When the code is in D:\inetpub\wwwroot\test\xmlparse-test.cfm you get

access denied ("java.io.FilePermission" "D:\inetpub\wwwroot\test\<test>. <\test>" "read") 

(so it tries to open "current template directory + xmlText" as file)

Expected Result:

Dump of the XML-Object created by XMLParse().

Any Workarounds:

The trigger is the "dot space" in the XML,  if the space is encoded as "&#x20;" it works! Downgrading to Java 8u221 also works.

Attachments:

Comments: