问题
I am currently having issues with users (or bots, not sure) visiting non-existent links that have three periods in a sub-directory.
For example, if someone goes to:
http://www.example.com/.../test/index.cfm?
Then I receive the following error:
String index out of range: -1 null
The error occurred on line -1.
I have tested it with just 1 period and just 2 periods and it goes straight to a 404 error. Any link though that has 3 or more periods will cause this error.
My question is what can I do to stop this from happening? My thoughts are to send them to a 404 error page or redirect them. How could I do that?
I am running ColdFusion 8.0.1 on Microsoft-IIS/7.0.
Edit from Miguel-F
I have duplicated this issue with ColdFusion 9.0.1 on IIS 7.5 and also noticed it during PCI scans.
Error:
java.lang.StringIndexOutOfBoundsException
Stacktrace:
java.lang.StringIndexOutOfBoundsException: String index out of range: -1 at
java.lang.AbstractStringBuilder.delete(Unknown Source) at
java.lang.StringBuffer.delete(Unknown Source) at
coldfusion.util.Utils.collapseDotDots(Utils.java:647) at
coldfusion.util.Utils.canonicalizeURI(Utils.java:601) at
coldfusion.filter.PathFilter.invoke(PathFilter.java:43) at
coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at
coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at
coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at
coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at
coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at
coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at
coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at
coldfusion.CfmServlet.service(CfmServlet.java:201) at
coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at
jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at
coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at
coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at
jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at
jrun.servlet.FilterChain.service(FilterChain.java:101) at
jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at
jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at
jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286) at
jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at
jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203) at
jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at
jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
回答1:
Since you are on IIS, I would think you could use IIS URL rewrite to intercept and send a HTTP 400 (bad request) Error.
That'll catch it before it gets to Coldfusion.
来源:https://stackoverflow.com/questions/19577387/periods-in-url-causes-coldfusion-error