In order to mitigate the issues I ran into while trying to find a solution for an alleged memory issue in the FarCry core, I enabled the sandbox security feature in the ColdFusion 2018 administrator, disabled the CFRegistry() tags, restricted the access to the application web root and its subdirectories, and left the default entries for the CF Functions – disabling CreateObject(java) – as well as the createClassLoader runtime permission.
Alas, this did not turn out to be a good idea.
I immediately witnessed the FarCry 7.2.12 core crash on run-up. As I was able to figure out so far, the issues are threefold:
The FarCry core uses the CF GetTempDirectory() function to handle CDN, S3, file and image uploads. Unfortunately, the GetTempDirectory() returns a path outside the application’s realm, somewhere in the CF 2018 application file-tree.
So far I was able to resolve this issue for the front-end by adding an application variable bUseSandbox, adding a /temporary directory in the web root, and making adjustments in the CDN section, the file and image CFC, and a few others. This seems to work.
[Edit: The backend, however, still crashes during an image upload when trying to resize it in local.cfc:ioFileWrite() (around line 163) in the CF imageWrite() function with a java.io error that a file or directory cannot be accessed.]
If anybody is interested, I’ll be happy to share what I figured out so far. (I don’t use the CDN and S3 functions myself but some testing will show where I erred.)
When FarCry starts up the first time after the server being (re)started with or without the ?updateapp=<your_secret_key> URL extension, it throws an exception in /core/application.cfc when trying to load the plugins in line 184:
<cfloop list="#(this.plugins ?: "")#" index="plugin">
The exception reads as follows:
java.security.AccessControlException: access denied ("java.io.FilePermission" "/Applications/ColdFusion2018/cfusion/wwwroot/WEB-INF/cfclasses/cfApplication2ecfc42533848$func_CF_ANONYMOUSCLOSURE_ELVIS0.class" "read")
If you change anything in the /core/application.cfc file (for example, by adding a <cfdump> tag) and hit the browser load button again, FarCry starts up just fine.
It seems that if you move the plugins preset <cfparam name="this.plugins" default="" /> (it should have been set to include farcrycms in the farcryConstructor.cfm file which will be processed before), prior to calling the setupJARPaths() function, remove the ternary operator from the <cfloop> tag, and remove the preset from the initApplicationScope function, everything seems to be fine.
[Edit: The same seems to hold true for the ternary operator when calling the addJARPath() function. Here too, I found it necessary to properly preset this.projectDirectoryName before the function call.]
(Again: I’m happy to share the code.)
To me, it seems that if a hosting provider denies runtime permission for the createClassLoader and/or the use of CreateObject(java), you are screwed. (Or do you know about a shared hosting company which allows the use of those CF features?)
I am curious if anybody has been playing with the sandbox security and what your experience is. As always, any pointers in the right direction will be greatly appreciated.
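
Added example, not part of the original post and not FarCry or ColdFusion code: a small Python triage script that parses java.security.AccessControlException messages like the one quoted above and lists the denied file targets lying outside the application web root, which are the paths a sandbox entry would have to cover. The web root, the temp-file path and the createClassLoader line in the sample log are constructed for illustration; only the first exception line comes from the post.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Message format of java.security.AccessControlException:
#   access denied ("<permission class>" "<target>" "<actions>")
# The actions field is absent for permissions such as RuntimePermission.
DENIED = re.compile(
    r'access denied \("(?P<perm>[^"]+)"'
    r'(?: "(?P<target>[^"]*)")?(?: "(?P<actions>[^"]*)")?\)'
)

# Constructed sample log. Line 1 is the exception quoted in the post;
# lines 2 and 3 are constructed examples of the other two problems described.
SAMPLE_LOG = r'''
java.security.AccessControlException: access denied ("java.io.FilePermission" "/Applications/ColdFusion2018/cfusion/wwwroot/WEB-INF/cfclasses/cfApplication2ecfc42533848$func_CF_ANONYMOUSCLOSURE_ELVIS0.class" "read")
java.security.AccessControlException: access denied ("java.io.FilePermission" "/Applications/ColdFusion2018/cfusion/runtime/work/tmp/upload1.tmp" "write")
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "createClassLoader")
'''

# Constructed (hypothetical) application web root.
WEB_ROOT = "/Applications/ColdFusion2018/cfusion/wwwroot/myproject"

def parse_denials(log_text):
    """Return one dict (perm, target, actions) per denial in the log text."""
    return [m.groupdict() for m in DENIED.finditer(log_text)]

def outside_root(denials, web_root):
    """Count denied file targets outside web_root, keyed by (directory, actions)."""
    root = PurePosixPath(web_root)
    hits = Counter()
    for d in denials:
        if d["perm"] != "java.io.FilePermission" or not d["target"]:
            continue  # non-file permissions are reported separately
        path = PurePosixPath(d["target"])
        # Compare path components, so /a/bc is not mistaken for a child of /a/b.
        if path != root and root not in path.parents:
            hits[(str(path.parent), d["actions"])] += 1
    return hits

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for (directory, actions), n in outside_root(found, WEB_ROOT).items():
        print(f"{n}x {actions:<5} {directory}")
    for d in found:
        if d["perm"] != "java.io.FilePermission":
            print(f"non-file denial: {d['perm']} {d['target']}")
```
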