I have a ColdFusion 9 server which serves the following error on any ColdFusion page where the URL contains the characters `..` after a `/`, e.g. http://www.example.com/..cfm or http://www.example.com/..foo/bar.cfm:

String index out of range: -1

java.lang.StringIndexOutOfBoundsException: String index out of range: -1
    at java.lang.AbstractStringBuilder.delete(AbstractStringBuilder.java:698)
    at java.lang.StringBuffer.delete(StringBuffer.java:373)
    at coldfusion.util.Utils.collapseDotDots(Utils.java:604)
    at coldfusion.util.Utils.canonicalizeURI(Utils.java:558)
    at coldfusion.filter.PathFilter.invoke(PathFilter.java:39)
    at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
    at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
    at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
    at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
    at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
    at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
    at coldfusion.CfmServlet.service(CfmServlet.java:175)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
    at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
    at com.seefusion.Filter.doFilter(Filter.java:49)
    at com.seefusion.SeeFusion.doFilter(SeeFusion.java:1500)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
    at jrun.servlet.FilterChain.service(FilterChain.java:101)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
    at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
    at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

I haven't been able to reproduce this on every server I've tested, but it seems to occur on the majority. Looking at the error, it looks like it relates to part of ColdFusion rather than any ColdFusion code running on these sites. Can anyone shed any more light on this, e.g. how to catch the error?

Miguel-F
Loftx
  • A URL should not contain double `..`. You should remove them before using it. – Raptor Jun 07 '12 at 09:08
  • @ShivanRaptor Can you explain what you mean here? I'm not entering the URL myself - these are examples of URLs I've seen in my error logs which have been visited by users. – Loftx Jun 07 '12 at 09:39
  • Um... if this is the case, it seems it is a server bug. – Raptor Jun 07 '12 at 10:27
  • @Loftx - did you ever find out what was causing this or how to handle this error? It has cropped up again - http://stackoverflow.com/q/19577387/1636917 – Miguel-F Oct 28 '13 at 12:44
  • @Miguel-F - I didn't find out what was causing this - we're currently just ignoring this error for the moment. – Loftx Oct 28 '13 at 14:37

1 Answer

I was getting the above error and figured out that this can be handled by the "Site-wide Error Handler" in ColdFusion Admin. I directed it to my 404.cfm.

Hope it helps.

Anit Kumar
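A log triage check for the URL pattern described in the question, added here as an example (not code from the original posts or from ColdFusion): it flags requests whose path contains a segment beginning with `..`, so the requests behind the exception can be counted per client. The Common Log Format layout, the sample lines, the status codes in them and all function names are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not from the original post.
# Status codes are placeholders and say nothing about how a given server responds.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2012:09:01:11 +0000] "GET /..cfm HTTP/1.1" 500 1532
203.0.113.7 - - [07/Jun/2012:09:01:12 +0000] "GET /..foo/bar.cfm HTTP/1.1" 500 1532
198.51.100.4 - - [07/Jun/2012:09:02:40 +0000] "GET /index.cfm?file=..x HTTP/1.1" 200 8120
198.51.100.4 - - [07/Jun/2012:09:03:02 +0000] "GET /docs/v1..2/notes.cfm HTTP/1.1" 200 4410
192.0.2.9 - - [07/Jun/2012:09:04:55 +0000] "GET /a/%2E%2Ebar.cfm HTTP/1.1" 404 310
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def dotdot_segments(target):
    """Return the path segments of a request target that begin with '..'."""
    path = target.split("?", 1)[0]   # the query string is not part of the path
    path = unquote(path)             # compare on the decoded form of the path
    return [seg for seg in path.split("/") if seg.startswith("..")]

def scan(log_text):
    """Return (ip, target, status, segments) for every matching request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m is None:
            continue                 # skip lines that are not in the assumed format
        segments = dotdot_segments(m["target"])
        if segments:
            hits.append((m["ip"], m["target"], int(m["status"]), segments))
    return hits

def hits_per_client(hits):
    """Count matching requests per client address."""
    return Counter(ip for ip, _target, _status, _segments in hits)

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, target, status, segments in found:
        print(f"{ip} {status} {target} -> {segments}")
    print(dict(hits_per_client(found)))
```

Dots inside a segment (`v1..2`) or in the query string are not flagged, since the question describes the error only for `..` directly after a `/`.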