Trouble with ESAPI after 5.3.9.141

Hi there,

I hope this is the right place for it. If it is the wrong place, sorry! I’ve updated from 5.3.8.206 to 5.3.9.141 via jar file and run into errors relating to ESAPI. I’ll add details below. I have similar issues with the PDF and compress extensions, but I will post those separately once I know the desired format / location.

Don’t forget to tell us about your stack!

OS: Windows 2012 R2
Java Version: 11.0.3 (AdoptOpenJDK)
Tomcat Version: 9.0.50
Lucee Version: 5.3.9.141

ESAPI extension: 2.2.4.7

Relevant code in system:

<input type="hidden" name="#sField#" value="#EncodeForHTMLAttribute(Replace(form[sField],'"','','all'))#">

also

Error: #EncodeForHTML(oException.message)#

At 5.3.8.260, it worked OK.

Update process:

  • Stop Lucee service
  • Remove old .jar file from lib folder
  • Add in 5.3.9.141 jar file
  • Start Lucee

Error in our application:

Application Error, Error: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception., Detail: , Template: 139 in /Installer/Forms/search_submit.cfm, Template: 729 in /Installer/Application.cfc

Error in application onError handler, Error: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception., Detail: , Template: 42 in /Installer/Includes/error_handling.cfm, Template: 950 in /Installer/Application.cfc

Workaround I tried:

  • Deleted file org.lucee.esapi-2.2.3.10001L.jar from C:\lucee\tomcat\lucee-server\bundles
  • Restarted Lucee

At that point, it worked ok for a while. However, the next day, the problem returned.

Note: Updating to Lucee 5.3.10.28-SNAPSHOT did not help with this issue.

Hi @west_coast, thanks for posting a nice detailed bug report about your problem; this is definitely the right place.

(Side note: we have been trying to ask everyone to post here before creating tickets, but not everyone seems to pay attention to the banner in Jira.)

I have also been seeing the CTOR error sporadically as well, often when I’m viewing debug logs via the Lucee admin.

We have an open ticket about this problem: LDEV-2293


Thank you, I saw that banner! (it worked at least once, eh?)

I’m having similar issues with the compress and the pdf extension. Should I make separate posts here for those?


Have a look in JIRA first.

Hello. Coming back to this after a while. We found a process that worked for us consistently.

After updating to the newest version of Lucee (5.3.9.160 at the time we did the testing), we uninstalled the ESAPI extension from the web interface.

Then, from the location lucee\tomcat\lucee-server\bundles, we deleted the file esapi-extension-2-1-0-17-SNAPSHOT.jar.

Finally, we installed version 2.2.0.1 through the web interface. That has held up pretty well.

Hi,
When you say “uninstalled from the web interface”, do you mean the following? (Because that’s the page I can’t get to load) See image:

Stuck here, happening on Windows Server 2012 instances as well as dev.

|Version|Lucee 5.2.9.31|
|OS|Windows 10 (10.0) 64bit|
|Servlet Container|Apache Tomcat/8.0.30|
|Java|1.8.0_311 (Oracle Corporation) 64bit|
|Architecture|64bit|

Hi @taivo . Yes, that is the interface we used.

Reading the error on your screenshot, it looks like the ESAPI extension version and Lucee version might be incompatible. If you update your Lucee to at least the version mentioned (5.3.x), does it resolve that problem?