CFLOCATION behavior change in CFMX7

Right after I upgraded to CFMX7 a while back, I started getting the following error on some of my pages:

ColdFusion was unable to perform the CFLOCATION operation. Location URL cannot contain (carriage return) CR or (line feed) LF characters

I noticed that all of the pages that were generating this error had the function encrypt within the cflocation tag. After a little bit of digging, I found out that the encrypt function may generate an encrypted string that will contain carriage return (CR) and line feed (LF) characters, which is considered a security hole. For this reason, beginning with ColdFusion MX 7, cflocation will no longer allow URL’s to contain CR and/or LF characters.

The solution proposed by Macromedia in one of their technotes was that instead of passing encrypted data from one ColdFusion template to another using URL variables appended to the URL specified in the cflocation tag, save the data to an Application, Client or Session variable (whichever makes sense for the data at hand) on the originating template and then read it out on the target template. This solution worked well for me.

Filed in ColdFusion on 29 Jun 05 | Tags: cflocation

Reader's Comments

Matt Robertson | 06 Jul 2005 2:55 pm
You could also change your encryption so that you are creating a url-safe string.

Eddie | 06 Jul 2005 4:10 pm

The problem is that any encrypted string that contains carriage return (CR) and line feed (LF) characters will fail. For example, the following will not work with ColdFusion MX 7 even if you URLEncode the encrypted string:

template1.cfm
---------------
<cfset docid = encrypt ( '12345','password')>
<cflocation 
url = 'template2.cfm?docid=#urlencodedformat(docid)#'
addtoken='Yes'>

template2.cfm
---------------
<cfset docid = decrypt(url.docid,'password')>
<cfoutput>docid=#docid#</cfoutput>

Now, following Matt Robertson’s advice, you could change the way the string is encrypted. By tweaking the example above, we can make it work:

template1.cfm
---------------
<cfset docid = 
 encrypt ( '12345', 'password', 'BLOWFISH', 'Hex')>
<cflocation 
url = 'template2.cfm?docid=#urlencodedformat(docid)#'
addtoken='Yes'>

template2.cfm
---------------
<cfset docid = 
decrypt(url.docid, 'password', 'BLOWFISH', 'Hex')>
<cfoutput>docid=#docid#</cfoutput>

I’m not sure whether this is a full proof solution or not, but at least it works in this example.

Ray Horn | 06 Dec 2005 7:08 am
Yes, but if you encrypt the string as a series of Hex digits rather than the default method there should be no problems in passing the encrypted Hex digit format via a URL.
Marcel | 13 Sep 2006 3:57 pm
I started to type a long story describing my problem i was working on… Then suddenly, it the cause popped into my head… I just tried and indeed it was the problem…

Let me now explain, maybe other people can use it, as i was 5 hours busy with it:

If you have a referring URL on another site like:

http://online-image-editor.com/index.cfm?fa=image_editor&id=aaaaa The visitor is entering with that path.

Now i add some session variables, and the next thing i redirect it with cflocation to: http://www.online-image-editor.com/index.cfm

If you do this with Explorer browser, things work fine. However, if you do this with a FireFox browser, things will fail

For some reason Colffusion is giving different session id’s to FireFox when the URL is with ‘www’ or without it.

So when the visitor first visits the page with URL http://online-image-editor.com/ the session id gets different when it is ‘redirected’ to http://www.online-image-editor.com. Thus failing then to retrieve the session variables you just put before the redirect.

I hope you have use from this information

CFLOCATION behavior change in CFMX7

Reader's Comments

Recent Posts

Tags

Topics

Archives

Recent Comments

My Lifestream

About This Blog