http://coldfusion.com logo
Join Slack
Channels
Powered by Linen
Title
t

Tim

10/12/2022, 7:59 PM
In the Update 15 release notes, there's this:
If the XML path contains a forward slash or backslash, it will be blocked. The flag, coldfusion.xml.allowPathCharacters, must be set to true to allow the same.
What does that mean, exactly? Like, 
XMLParse("a/path/to/an/xml/file.xml")
no longer works unless I set that flag? (in the JVM args? In the Application.cfc? the docs are a bit sparse here...)
That must not be what it means, because 
XMLParse("<https://an/xml/file>")
is still working.
r

rstewart

10/12/2022, 9:40 PM
I’ll be curious to know what you figure out with this, as our apps work extensively with XML processing.
t

Tim

10/12/2022, 9:45 PM
@priyank_adobe do you have any insights here?
r

rstewart

10/12/2022, 10:10 PM
@Tim I’m seeing something similar on the first dev box I sacrificed to this update: we’re parsing XML files based on a full path to the file and I’ve not done any server config related to that noted flag.
m

mtbrown

10/13/2022, 6:19 AM
I was assuming it was referring to the XPath in 
xmlSearch
, but still not clear on what is disallowed since slashes are going to be extremely common for that.
t

Tim

10/13/2022, 1:35 PM
yeah -- that was my second thought. but / is vital to how XPath works. And the same file that I have parsing XML files then runs a bunch of XmlSearch on them and all that was working too.
And then I thought well maybe they mean / in the xml files themselves? but that doesn't make sense either, because it's not allowed in tag values, except in closing tags where it's mandatory... And like schema definition references aren't blowing it up.
@Mark Takata (Adobe) do you have any details about this?
m

Mark Takata (Adobe)

10/13/2022, 6:01 PM
@saghosh can you speak to the language used and how it relates to the meaning re: XML?
b

Brian Reilly

10/13/2022, 7:05 PM
I haven't exhaustively tested this, but I can trigger the error: 
Expression Unable to process the XML string as it could probably contain file paths.
for an XSLT style sheet passed to XMLTransform() contains slashes or backslashes. But it also appears to trigger on 
<\xsl:stylesheet>
, which I don't think is right
p

priyank_adobe

10/13/2022, 7:08 PM
Sorry about delay in response but this change is for xmltransform()
@Brian Reilly can you try the flag which is mentioned in the helpx.
t

Tim

10/13/2022, 7:16 PM
@Brian Reilly shouldn't that be 
</xsl:stylesheet>
? The backslash there seems wrong.
b

Brian Reilly

10/13/2022, 7:20 PM
@priyank_adobe Sure - I can try. It's not directly impacting me, and I'm happy to take the conversation offline. I'm one of the folks who reported XMLTransform() issues. For security reasons, you may want to strip / and \ in some xsl elements, but there are lots of places where you will want or need them (or where they'll be innocuous) -- such as 
</xsl:stylesheet>
and 
<xsl:stylesheet version="1.0" xmlns:xsl="<http://www.w3.org/1999/XSL/Transform>">
👍 1
@Tim Ah - you're right. copy/paste error as I tried both / and \ since the Adobe note mentioned both. 
</xsl:stylesheet>
behaves the same way -- it will return the "Expression Unable to process the XML string as it could probably contain file paths." error
t

Tim

10/13/2022, 8:13 PM
@priyank_adobe adding to the list of places you'd want/need 
/
in a transform... embedded XPath selectors. So really, 
XmlTransform
is now useless, unless you enable that flag. because the xsl parameter of that function is not allowed to have / in it. But it takes an XML string which is required to have / in it...
1️⃣ 1
View count: 134
Back to #adobeJoin thread in Slack