• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

APSB12-06: Exception When Posting File After Hotfix Applied

Enthusiast ,
Mar 20, 2012 Mar 20, 2012

Copy link to clipboard

Copied

After applying the fix for APSB12-06 the exception below is logged when attempting to upload a file via a form post. 

java.lang.NoSuchMethodError: com.oreilly.servlet.multipart.MultipartParser.<init>(Ljavax/servlet/http/HttpServletRequest;J)V

    at coldfusion.filter.FormScope.fillMultipart(FormScope.java:177)

    at coldfusion.filter.FusionContext.SymTab_initForRequest(FusionContext.java:436)

    at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:33)

    at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)

    at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:126)

    at coldfusion.CfmServlet.service(CfmServlet.java:198)

    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)

    at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)

    at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)

    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)

    at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)

    at jrun.servlet.FilterChain.service(FilterChain.java:101)

    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)

    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)

    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)

    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)

    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)

    at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)

    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)

    at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)

    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

   

This occurs on every post which includes a file, regardless of the post/file size.  I have edited my neo-runtime.xml file per the patch instructions.  Note that the site on which I am seeing this problem uses basic authentication.

   

If I remove the file {ColdFusion-Home}/lib/updates/hf801-00005.jar and restore the file hf801-00004.jar (which was removed per the patch instructions) the exception no longer occurs. 

My environment:

OS: Windows 2003 Server R2, service pack 2, 32bit

ColdFusion: 8.0.1 with all previous security hotfixes applied

JVM: 1.6.0_24

Is there a fix for this problem?

References:

ColdFusion Security Hotfix APSB12-06

http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html

Views

5.0K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Community Expert , Mar 22, 2012 Mar 22, 2012

Folks, there is talk among some that seems to be concluding that this security hotfix presumes to rely on elements implemented in Cumulative hotfix 3 (for 8.0.1. Have not heard similar discussions for other versions yet.)

If you have not yet implemented CHF 3, you may want to try adding that (if you don’t just want to remove the security HF, as some here have noted also “solves it”).

But if you might say you did previously implement CHF3, then make sure you didn’t mistakenly delete the CHF3 jar (

...

Votes

Translate

Translate
New Here ,
Mar 20, 2012 Mar 20, 2012

Copy link to clipboard

Copied

Just applied Security Hotfix APSB12-06 and within a few minutes I am got calls from users were complaining that they were unable to upload documents and recieved the same exact error.  I restored hf801-00004.jar and the error no longer occurs.

Any fix for this hotfix?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Mar 22, 2012 Mar 22, 2012

Copy link to clipboard

Copied

Folks, there is talk among some that seems to be concluding that this security hotfix presumes to rely on elements implemented in Cumulative hotfix 3 (for 8.0.1. Have not heard similar discussions for other versions yet.)

If you have not yet implemented CHF 3, you may want to try adding that (if you don’t just want to remove the security HF, as some here have noted also “solves it”).

But if you might say you did previously implement CHF3, then make sure you didn’t mistakenly delete the CHF3 jar (in the lib\updates folder) while following the steps in the security hotfix technote (http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html). It said to remove certain specific jars only, not “all” of them. I’ve seen some people making that mistake.

Note also that the security hotfix technote has two sections, one for those who HAD and one for those who HAD NOT applied the previous Security Hotfix APSB11-29. Make sure you follow the right steps.

And yes, yes, all this just points out the desparate need for an improved hotfix mechanism. As many know, that’s coming in CF10. What about those on CF 8 or 9? Well, I’ll note that there was talk at various Adobe-led CF10 (Zeus) preview sessions offered at conferences last year where they said they were looking to offer such an auto-hotfix mechanism for these previous releases as well. No, there’s been no talk yet of that in the CF10 public beta—but technically, such an addition would not be “in CF10”, so I’m not surprised. Consider too that CF10 is still in beta. Perhaps the engineers needed to put aside work on that to wrap up CF10, though it is also possible that they decided they couldn’t do the auto-update mechanism for CF 8/9. Only time will tell (or if they may respond here.)

Hope the above is helpful to some. If it answers the question for the original poster, please mark it as “the answer”. Thanks.

BTW, there is another thread in this forum on the same topic (http://forums.adobe.com/thread/975850?), raising the same concerns as above. I will point readers there to this reply, if it may help them, too.

/charlie


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 22, 2012 Mar 22, 2012

Copy link to clipboard

Copied

All,

I have been using the "unofficial updater" for CF8 with GREAT success on three different servers.  In fact, this most recent update came just a week after I discovered this updater, and when I received notification of Adobe's hotfix (and our servers stopped passing Foundeo's HackMyCF tests), I returned to the download location to discover the hotfix was already applied to the updater and ready for me to grab!  Downloaded and re-ran it on three servers, and it worked perfectly -- now, all continue to pass the HackMyCF.com security tests, including the new hotfix.

The only problem I ran into was that the hotfix worked "too well" - one of my clients actually did have a web form with over 100 fields, and that form submit broke after the hotfix, simply because that was a scenario related to what the hotfix was "fixing".  After editing neo-runtime.xml and upping the number of fields allowed, all was well.

For those struggling with applying these updates manually, I cannot recommend the CF Unoffical Updater enough... it can be found here:

http://uu2.riaforge.org/

it even backs up the important stuff in case you need to roll back - never had to do it so I don't know what's involved.

and of course, hackmycf.com is great for making sure your hotfixes are applied properly.

HTH

Marc

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 23, 2012 Mar 23, 2012

Copy link to clipboard

Copied

If you are refering to not deleting hf801-00003.jar when you say CHF3...it tells me in my instructions to delete it!  I am not sure if that is what you are talking aobut...

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Mar 23, 2012 Mar 23, 2012

Copy link to clipboard

Copied

No: hotfix jar filenames start with hf, while CHF (cumulative hotfix) jars start with chf. So I was suggesting that people, when following those steps, have mistakenly deleted chf* (or other hf* files than they were told). Some have even deleted all jars from that dir, none of which are what the steps say to do.

It’s an easy mistake, specifically because the filenames DO look so much alike. (I was just trying to help, with a suggestion that I help people with all the time.)

/charlie


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Apr 12, 2012 Apr 12, 2012

Copy link to clipboard

Copied

LATEST

thanks!!! it worked putting the CHF 3 file back! I have ONE customer out of about 100 that is still having issues...post parameter issue...am going to try that specific fix...

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Mar 26, 2012 Mar 26, 2012

Copy link to clipboard

Copied

Thanks a bunch Charlie. Was pulling my hair out with this and installing CHF 3 fixed it.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Mar 26, 2012 Mar 26, 2012

Copy link to clipboard

Copied

Good to hear. Thanks for the update.

/charlie


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Enthusiast ,
Mar 26, 2012 Mar 26, 2012

Copy link to clipboard

Copied

Has anyone tested the security hotfix along with Cumulative Hot Fix 4 for CF 8.0.1?  Does Cumulative Hot Fix 4 also resolve the file upload issues or does a server need Cumulative Hot Fix 3 specifically?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Mar 28, 2012 Mar 28, 2012

Copy link to clipboard

Copied

I’ve not heard of it not working. I’ve only heard people who found it NOT working had to at least have CHF 2 or 3. I would suspect it would work fine with CHF4, or there would have been an outcry since that’s indeed the latest CHF for CF 8.0.1. Hope that’s helpful.

/charlie


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Enthusiast ,
Mar 29, 2012 Mar 29, 2012

Copy link to clipboard

Copied

Thanks for the assistance Charlie.  I've applied cumulative hotfix 3 and no longer see any file upload problems.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Mar 29, 2012 Mar 29, 2012

Copy link to clipboard

Copied

Great to hear. Thanks for the update. Thanks also for marking the thread answered. Much appreciated.

/charlie


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 30, 2012 Mar 30, 2012

Copy link to clipboard

Copied

Just a quick note that Adobe has updated the jar file for CF 8.01 to resolve this issue

From

http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html

Note - Updated on March 29, 2012

Following bug is reported for ColdFusion 801 against this security bulletin hotfix.

  java.lang.NoSuchMethodError Exception is thrown while using cffile upload.

We have updated the hotfix files of ColdFusion 801 to include the fix for the above issue. Users who have already applied the hotfix for ColdFusion 801 can just update the hotfix jar.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 31, 2012 Mar 31, 2012

Copy link to clipboard

Copied

Could I ask why the URLs to download CF801.zip and CF801jar.zip are not in the same published path as the other files listed in the technote?

CF801jar.zip - http://helpx.adobe.com/content/dam/help/attachments/CF801jar.zip

CF801.zip - http://helpx.adobe.com/content/dam/help/attachments/CF801.zip

CFIDE-801.zip - http://helpx.adobe.com/content/dam/kb/en/930/cpsid_93043/attachments/CFIDE-801.zip

Is it possible to correct the URLs so the updated CF801jar.zip and CF801.zip are published as the rest of the files?

Also would it be possible to put the note about the hotfix being updated at the top of the technote like previous security technotes that were updated multiple times like, http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb11-14.html so it is not missed by the reader.

Thanks

- David Epler

- Maintainer of Unofficial Updater 2 - Available on riaforge at http://uu2.riaforge.org and github at https://github.com/dcepler/unofficial-updater2#readme

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation