Periods in URL causes ColdFusion error

Question

I am currently having issues with users (or bots, not sure) visiting non-existent links that have three periods in a sub-directory.

For example, if someone goes to:

http://www.example.com/.../test/index.cfm?

Then I receive the following error:

String index out of range: -1 null
The error occurred on line -1.

I have tested it with just 1 period and just 2 periods and it goes straight to a 404 error. Any link though that has 3 or more periods will cause this error.

My question is what can I do to stop this from happening? My thoughts are to send them to a 404 error page or redirect them. How could I do that?

I am running ColdFusion 8.0.1 on Microsoft-IIS/7.0.

Edit from Miguel-F

I have duplicated this issue with ColdFusion 9.0.1 on IIS 7.5 and also noticed it during PCI scans.

Error:

java.lang.StringIndexOutOfBoundsException

Stacktrace:

java.lang.StringIndexOutOfBoundsException: String index out of range: -1 at
java.lang.AbstractStringBuilder.delete(Unknown Source) at 
java.lang.StringBuffer.delete(Unknown Source) at 
coldfusion.util.Utils.collapseDotDots(Utils.java:647) at 
coldfusion.util.Utils.canonicalizeURI(Utils.java:601) at 
coldfusion.filter.PathFilter.invoke(PathFilter.java:43) at 
coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at 
coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at
coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at 
coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at 
coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at 
coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at 
coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at 
coldfusion.CfmServlet.service(CfmServlet.java:201) at 
coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at 
jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at 
coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at
coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at 
jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at 
jrun.servlet.FilterChain.service(FilterChain.java:101) at 
jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at 
jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at 
jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286) at 
jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at 
jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203) at 
jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at 
jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

Answer 1

Since you are on IIS, I would think you could use IIS URL rewrite to intercept and send a HTTP 400 (bad request) Error.

That'll catch it before it gets to Coldfusion.