ColdFusion 11 - 500 Internal Server Error from Non-ASCII Cookie Character

Question

In response to any request with a cookie containing a non-ASCII character, ColdFusion 11 appears to crash. IIS 8.5 returns an HTTP 500 Internal Server Error (blank white page).

Steps to reproduce:

1. Run the following in Javascript console and attempt to load any CFML page: document.cookie="a=ñ";

2. (Optional) Request any .html or .txt file and receive normal response.

3. Request any ColdFusion a page and receive a blank white page, HTTP 500 Internal Server Error.

4. The only workaround is to clear browser cookies.

Environment:

• Windows Server 2012 R2 Standard
• IIS 8.5
• Cold Fusion 11 (Standard)
• All OS and software are running latest patched versions.

I have tried adding -Dfile.encoding=UTF-8 to the Java arguments.

I haven't found anyone else running into this issue on ColdFusion. There are similar issues running Java code on Tomcat. However since ColdFusion 11 is bundled with Tomcat, I don't even know what version of Tomcat is running nor how to upgrade it. (It appears ColdFusion 10 runs Tomcat 7) Adobe does not appear to have documentation about ColdFusion 11's Tomcat layer (specifically how it relates to ColdFusion). I've tried applying the <CookieProcessor /> configuration to context.xml as suggested on that other post. I've posted to the Adobe bug base and received no response.

Any ideas are welcome. Unfortunately we have a lot of users with "Español" in a cookie, and we cannot execute any ColdFusion code to clear or change this. We did not have this problem in ColdFusion 9 and missed this in a QA check after upgrading to ColdFusion 11.

Full exception from coldfusion-error.log:

Sep 03, 2015 11:43:58 PM org.apache.coyote.ajp.AjpProcessor process
SEVERE: Error processing request
java.lang.IllegalArgumentException: Control character in cookie value or attribute.
    at org.apache.tomcat.util.http.CookieSupport.isHttpSeparator(CookieSupport.java:193)
    at org.apache.tomcat.util.http.Cookies.getTokenEndPosition(Cookies.java:502)
    at org.apache.tomcat.util.http.Cookies.processCookieHeader(Cookies.java:349)
    at org.apache.tomcat.util.http.Cookies.processCookies(Cookies.java:168)
    at org.apache.tomcat.util.http.Cookies.getCookieCount(Cookies.java:106)
    at org.apache.catalina.connector.CoyoteAdapter.parseSessionCookiesId(CoyoteAdapter.java:986)
    at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:743)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:417)
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:199)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

Answer 1

You could identify non-ASCII cookies using an IIS Rewrite rule and then redirect the user to a static HTML page and delete or rewrite the cookie. (I tested this using CF10 and it works.)

This non-ASCII cookie kills ColdFusion10/11. (NOTE: ColdFusion can only access upper-cased cookie names.)

document.cookie="a=ñ";

Add this to your IIS web.config file.

<rule name="Route Bad Cookie" enabled="true" stopProcessing="true">
  <match url="^(.*)" />
    <conditions logicalGrouping="MatchAll">
      <add input="{PATH_INFO}" pattern=".*htm$" negate="true" />        
      <add input="{HTTP_COOKIE}" pattern="([^\x00-\x7F]+)" />
    </conditions>
  <action type="Redirect" url="/clearCookie.htm" redirectType="Temporary"/>
</rule>

NOTE: The above rule matches any script except ".htm" files (in case you are already using IIS Rewrite to hide .CFM in your URLs.)

  <match url="*.cfm*" />

If you are security conscious, you could replace the rewrite action with an abort.

<action type="AbortRequest" />

or a custom response:

<action type="CustomResponse" statusCode="403"
  statusReason="Forbidden: Invalid non-ASCII cookie"
  statusDescription="Only US-ASCII characters excluding CTLs, whitespace,
  DQUOTE, comma, semicolon, and backslash are allowed in a cookie." />

Here's some sample code to delete the cookie (/clearCookie.htm):

<script>
var mydate = new Date();
mydate.setTime(mydate.getTime() - 1);
document.cookie = "a=; expires=" + mydate.toGMTString();
</script>