1SmartSolution Blog: Morning head-breaker: anyone with a solution?

Morning head-breaker: anyone with a solution?

Posted At : Jul 17, 2008 17:12 PM | Posted By : Ed Tabara
Related Categories: ColdFusion

Given:
1) an XML having the % sign in one of the values
example:

<?xml version='1.0' encoding='utf-8' ?>

<tst>

   <details>

      <somename>less than 50% </somename>

   </details>

</tst>

2) a script on a website (WS1) that submit that XML to other website (WS2) that is running CF8 (if the actual verion even matter)
The issue:
When submitting that XML with HTTP POST the following error is happening on WS2:

500



ROOT CAUSE: 

java.lang.IllegalArgumentException

   at coldfusion.filter.FormScope.parseName(FormScope.java:367)

   at coldfusion.filter.FormScope.parseQueryString(FormScope.java:324)

   at coldfusion.filter.FormScope.parsePostData(FormScope.java:293)

   at coldfusion.filter.FormScope.fillForm(FormScope.java:243)

   at coldfusion.filter.FusionContext.SymTab_initForRequest(FusionContext.java:430)

   at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:33)

   at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)

   at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:126)

   at coldfusion.CfmServlet.service(CfmServlet.java:175)

   at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)

   at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)

   at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)

   at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)

   at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)

   at jrun.servlet.FilterChain.service(FilterChain.java:101)

   at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)

   at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)

   at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:284)

   at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)

   at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)

   at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)

   at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)

   at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)

   at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)





javax.servlet.ServletException: ROOT CAUSE: 

java.lang.IllegalArgumentException

   at coldfusion.filter.FormScope.parseName(FormScope.java:367)

   at coldfusion.filter.FormScope.parseQueryString(FormScope.java:324)

   at coldfusion.filter.FormScope.parsePostData(FormScope.java:293)

   at coldfusion.filter.FormScope.fillForm(FormScope.java:243)

   at coldfusion.filter.FusionContext.SymTab_initForRequest(FusionContext.java:430)

   at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:33)

   at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)

   at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:126)

   at coldfusion.CfmServlet.service(CfmServlet.java:175)

   at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)

   at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)

   at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)

   at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)

   at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)

   at jrun.servlet.FilterChain.service(FilterChain.java:101)

   at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)

   at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)

   at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:284)

   at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)

   at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)

   at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)

   at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)

   at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)

   at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)



   at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:70)

   at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)

   at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)

   at jrun.servlet.FilterChain.service(FilterChain.java:101)

   at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)

   at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)

   at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:284)

   at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)

   at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)

   at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)

   at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)

   at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)

   at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

IF the % sign is taken off from the XML everything works fine and no error is generated.

NOTE 1: If the script doing the post is emulated on WS2 (so that the XML being submitted from WS2 to WS2), that "500" does not happen.

NOTE 2: The error seem to happen not on the application (because an test output followed by CFABORT just at the start of Application.cfm file does not change anything and the script on WS2 still get the error and not the test output).

NOTE 3: First the CF8 was on Java 1.5 . Then we reinstalled CF8, so it's on the default Java 6 now. But the error is still there.

ANY suggestions would be VERY appreciated!!!

| 8528 Views | 10% / 3% Popularity

Comments

If you replace "50%" with <![CDATA[50%]] do you still get the error?

# Posted By David | Jul 17, 2008 17:21 PM

yes. The error does not go away with that change

# Posted By Ed Tabara | Jul 17, 2008 17:24 PM

Perhaps using CDATA

# Posted By Kevin Schmidt | Jul 17, 2008 17:24 PM

OK, my last comment didn't come out very well, so I'll try again:
replace 50% with "<![CDATA[50%]]" - without the quotes, obviously.
Lets see if that renders properly in the comments.
Cheers,
Davo

# Posted By David | Jul 17, 2008 17:24 PM

yes, i tried the CDATA thing but it didn't help

# Posted By Ed Tabara | Jul 17, 2008 17:30 PM

Can you post your code, so we can re-produce and play with it?
Davo

# Posted By David | Jul 17, 2008 17:35 PM

WOOHOO!!!

# Posted By Ed Tabara | Jul 17, 2008 17:40 PM

I'm going to guess that the PHP sending the xml is not urlencoding the post varibles correctly. Get a trace of the raw HTTP request and confirm the verb, content type, and request body.
I assume that the following are true:
* the ver is POST
* the content type is some form of urlencoded
* the xml is coming across as a name=value pair
* the % has NOT been url encoded properly to "%25"

# Posted By Brad Wood | Jul 17, 2008 18:09 PM

WOOHOO!!!
After % being changed to %25 things DID work well, thx Brad!
But i am wondering if why this would break ColdFusion. I would get CF have to allow it to pass anyway just like any other data and the problem to appear on the application end if not being treated correctly. Wonder if it may be considered ColdFusion bug or not.

# Posted By Ed Tabara | Jul 17, 2008 18:29 PM

I'm glad that worked for you. I need to know the content type of the http request to your ColdFusion server to confirm this, but I'm pretty certain the problem is most definitely NOT a ColdFusion bug. In fact ColdFusion doesn't even have anything to do with it.
The Java code buried deep in the belly of CF is attempting to parse form fields of the HTTP request based on internet protocols. When you submit a form with your browser, the actual request to your server looks something like this:
POST /youpage.cfm HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Content-Length: 999
Host: www.yourserver.com
formfield1=value1&formfield2=value2&formfield3=value3
The form above had three form fields, formfield1, formfield2, and formfield3 whose values were value1, value2, and value3 respectively. The information is presented as a name=value pair in an ampersand (&) delimited list. Look familiar? That?s because URLs follow the same syntax. Notice that the request is sent with a content-type ?urlencoded? This is what tells your server how to parse the data out properly. url encoding is defined in RFC 1738. http://www.blooberry.com/indexdot/html/topics/urlencoding.htm It states that all special characters must be encoded so they aren?t confused. The % is a special character and MUST be url encoded by the client sending the request IF the content type is urlencoded.
The following would be INVALID form fields:
formfield1=value1&formfield2=Tom & Jerry (the ampersand and space need to be encoded)
formfield1=20% increase (the % is ONLY allowed if followed by a valid hexadecimal number)
What does all this mean? If the PHP script sending you the request was using a content type of urlencoded, it was incorrectly sending you illegal characters in the xml that should have been escaped. This is not your problem. It is the other server?s problem. I don?t know anything about PHP, but it needs to send data over in the correctly encoded format that match the request?s content type.
If you don?t know how to get the request headers, change your ColdFusion page which receives the XML to cfdump the output of the GetHttpRequestData function. It contains the original headers sent from the client.
The page I provided the link for does a good job of explaining url encoding.

# Posted By Brad Wood | Jul 18, 2008 19:34 PM

Yes. I agree with all that and i did try to dump all the coming info with headers and all before to write this post. But that info would not even fire because the error was happening before the application to be even hit. That un-encrypted % sign was just "killing" CF. That's why i said that this doesn't seem really correct to me. And i think this may give an additional way to hack or break you by generating a whole lot of such bad requests. Because, as i said, the error was happening not on the application side (so it being possible to be catched, analyzed, etc etc etc) but right in the moment CF Server was hit.

# Posted By Ed Tabara | Jul 18, 2008 19:48 PM

Search

Calendar

Sun	Mon	Tue	Wed	Thu	Fri	Sat
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

Tags Cloud

1ssblog about access adobe ajax amazon caching cfhssf cfsqlmaster cfwatcher coldfusion data deals fun jquery moldova mssql my projects optimization other performance profit ria server sites sql this transerfing using your

ColdFusion	166	[RSS]
Other	101	[RSS]
My Projects	61	[RSS]
Fun	54	[RSS]
SQL	52	[RSS]
Deals	19	[RSS]
RIA	18	[RSS]
1ssBlog	16	[RSS]
cfSQLMaster	12	[RSS]
Profit	9	[RSS]
Caching	8	[RSS]
Transerfing	6	[RSS]
AJAX	5	[RSS]
cfHSSF	5	[RSS]
cfWatcher	5	[RSS]
JavaScript	5	[RSS]
Amazon	4	[RSS]
cfFirewall	4	[RSS]
Security	4	[RSS]
SEO	4	[RSS]
jQuery	3	[RSS]
1ssChat	2	[RSS]
Adobe Air	1	[RSS]
jQuery Mobile	1	[RSS]
MMA	1	[RSS]

Categories

Recent Entries

Recent Comments

Search

Calendar

Tags Cloud