Admin blows up when an extension has an invalid icon image and makes ALL extensions unusable

Description

We are publishing a new extension and noticed the icon path was wrong. When we click on the admin, the entire applications blows up, instead of just logging the icon error, or showing a not found icon. Right now, the entire extensions admin does not load.

1 2 3 source file [https://s3.amazonaws.com/downloads.ortussolutions.com/ortussolutions/mongodb-extension/mongodb-extension-icon.png] is not a file lucee.runtime.exp.ApplicationException: source file [https://s3.amazonaws.com/downloads.ortussolutions.com/ortussolutions/mongodb-extension/mongodb-extension-icon.png] is not a file at lucee.runtime.tag.FileTag.checkFile(FileTag.java:1170) at lucee.runtime.tag.FileTag.actionRead(FileTag.java:649) at lucee.runtime.tag.FileTag.doStartTag(FileTag.java:407) at ext_functions_cfm184$cf.udfCall3(/admin/ext.functions.cfm:203) at ext_functions_cfm184$cf.udfCall(/admin/ext.functions.cfm) at lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:106) at lucee.runtime.type.UDFImpl._call(UDFImpl.java:342) at lucee.runtime.type.UDFImpl.call(UDFImpl.java:215) at lucee.runtime.type.scope.UndefinedImpl.call(UndefinedImpl.java:765) at lucee.runtime.util.VariableUtilImpl.callFunctionWithoutNamedValues(VariableUtilImpl.java:768) at lucee.runtime.PageContextImpl.getFunction(PageContextImpl.java:1707) at ext_applications_list_cfm966$cf.call(/admin/ext.applications.list.cfm:210) at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:911) at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:834) at lucee.runtime.PageContextImpl.doInclude(PageContextImpl.java:816) at ext_applications_cfm184$cf.call(/admin/ext.applications.cfm:102) at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:911) at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:834) at lucee.runtime.PageContextImpl.doInclude(PageContextImpl.java:816) at web_cfm$cf.call(/admin/web.cfm:457) at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:911) at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:834) at lucee.runtime.PageContextImpl.doInclude(PageContextImpl.java:816) at server_cfm$cf.call(/admin/server.cfm:2) at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:911) at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:834) at lucee.runtime.listener.ModernAppListener._onRequest(ModernAppListener.java:216) at lucee.runtime.listener.MixedAppListener.onRequest(MixedAppListener.java:42) at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2409) at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2399) at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2374) at lucee.runtime.engine.Request.exe(Request.java:43) at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1037) at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:983) at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:97) at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.cfmlprojects.regexpathinfofilter.RegexPathInfoFilter.doFilter(RegexPathInfoFilter.java:47) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176) at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145) at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92) at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:389) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at sun.reflect.GeneratedMethodAccessor29.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.intergral.fusionreactor.j2ee.filterchain.WrappedFilterChain.doFilter(WrappedFilterChain.java:134) at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.doNext(FusionReactorRequestHandler.java:764) at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.doHttpServletRequest(FusionReactorRequestHandler.java:344) at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.doFusionRequest(FusionReactorRequestHandler.java:207) at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.handle(FusionReactorRequestHandler.java:801) at com.intergral.fusionreactor.j2ee.filter.FusionReactorCoreFilter.doFilter(FusionReactorCoreFilter.java:36) at sun.reflect.GeneratedMethodAccessor28.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.intergral.fusionreactor.j2ee.filterchain.WrappedFilterChain.doFilter(WrappedFilterChain.java:71) at sun.reflect.GeneratedMethodAccessor27.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.intergral.fusionreactor.agent.filter.FusionReactorStaticFilter.doFilter(FusionReactorStaticFilter.java:54) at com.intergral.fusionreactor.agent.pointcuts.NewFilterChainPointCut$1.invoke(NewFilterChainPointCut.java:41) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:336) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)

The issue lies in the fact that we blantely trust the URL in the location:

1 2 3 <cffile action="readbinary" file="#src#" variable="data"> <cfset src=toBase64(data)>

Actually, the entire method needs a try/catch, to prevent from malUrls or invalid binary data in the URL

 

Environment

None

Status

Assignee

Michael Offner

Reporter

Luis Majano

Labels

None

Sprint

None

Fix versions

Affects versions

5.3.3.14

Priority

Blocker
Configure