# box-products
c
Hello guys, I need your help. After I upgraded my Lucee to the latest version, 5.4.2.17, my application, which is under ColdBox 5.2.0, now gets this error; maybe someone has had this experience? Below is the error info:
```
org.xml.sax.SAXParseException; lineNumber: 2; columnNumber: 10; DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
Stacktrace 	The Error Occurred in
/app/gdh/modules/cbsecurity/interceptors/Security.cfc: line 349

    347: setProperty('rulesFile',rulesFile);
    348: // Read in and parse
    349: xmlRules = xmlSearch(XMLParse(rulesFile),"/rules/rule");
    350: // Loop And create Rules
    351: for(x=1; x lte Arraylen(xmlRules); x=x+1){

called from /app/gdh/modules/cbsecurity/interceptors/Security.cfc: line 68
called from /app/gdh/modules/cbsecurity/interceptors/Security.cfc: line 107
called from /app/gdh/coldbox/system/web/context/InterceptorState.cfc: line 446
called from /app/gdh/coldbox/system/web/context/InterceptorState.cfc: line 314
called from /app/gdh/coldbox/system/web/context/InterceptorState.cfc: line 140
called from /app/gdh/coldbox/system/web/services/InterceptorService.cfc: line 154
called from /app/gdh/coldbox/system/web/services/LoaderService.cfc: line 67
called from /app/gdh/coldbox/system/Bootstrap.cfc: line 98
called from /app/gdh/Application.cfc: line 44
```
s
This is not going to help you fix the issue, but since both components at play here are third party code (Lucee and CBSecurity module), your best bet to work around or fix the issue is to either roll back Lucee to a version that worked, or update ColdBox to current and see if the problem persists. Specifically, the version of ColdBox you are under, 5.2.0, is at least 4 years old and many, many updates out of date (current stable release is 7.0.0).
Upgrading from 5.2.0 directly to 7.0.0 may have its own set of challenges, so you may be better off upgrading incrementally. Also, you should check the version of the cbsecurity module and see if that is out of date and can be updated? You may be able to update that module without updating ColdBox itself, although I am not positive of that.
cbsecurity is currently at version 3.4.0 - not sure if it is compat with CB 5.2.0 or not.
j
@cubortea Add the following to your `Application.cfc`. This error is from some changes Lucee made to harden XML Parsing:
```
/**
 * XML Security Features - https://foundeo.com/security/guide/xml-external-entities/
 */
this.xmlFeatures = {
	externalGeneralEntities : false,
	secure                  : true,
	disallowDoctypeDecl     : false
};
```
That will ensure that you can still parse XML with DocType declarations
I'm guessing you have an XML rules file for `cbSecurity`. You could also open that up and remove any DocType declaration, as well.
c
You are right, guys. I have removed `<!DOCTYPE rules>` in the security XML setting and now it works very well.