Recent behavior changes in ColdFusion's RegEx engine?

发布于 2020-04-23 18:49:45

We run ColdFusion 2018 on a Windows 2016 server with IIS.

We rebooted the Windows server on Jan 16, 2020 as part of routine maintenance. The next day we started seeing isolated stack overflow errors when users posted long strings (~2500 chars) in form data. The reboot seems unrelated but is the only recent change in our environment. Users have successfully submitted data equal to or greater in length for a number of years.

Here's the error:

java.lang.StackOverflowError 
at org.apache.oro.text.regex.Perl5Matcher.__match(Unknown Source) 
at org.apache.oro.text.regex.Perl5Matcher.__match(Unknown Source) 
at org.apache.oro.text.regex.Perl5Matcher.__match(Unknown Source) 
[Repeats many more times....]

The error originated from the "REFindNoCase" line of the code below, which checks for malicious-looking input coming from submitted forms.

var failedTest = false;
var doZealousTesting = true;
var badTagsAndEvents = "SCRIPT|OBJECT|APPLET|EMBED|FORM|LAYER|ILAYER|FRAME|IFRAME|FRAMESET|HREF|SRC|PARAM|META|onClick|onDblClick|onKeyDown|onKeyPress|onKeyUp|onMouseDown|onMouseOut|onMouseUp|onMouseOver|onBlur|onChange|onFocus|onSelect|javascript";
var zealousRegex = "((\%3C)|<)(.)+((\%3E)|>)";
var conservativeRegex = "((\%3C)|<)(.)*(#badTagsAndEvents#)+(.)*((\%3E)|>)";
var regexTest = iif(doZealousTesting,de(zealousRegex),de(conservativeRegex));
for (key in form) {
  failedTest = (failedTest or REFindNoCase(regexTest,left(form[key],3999)) neq 0);
}

Are we missing some inherent problem with the code?

(By the way, we were able to quell the errors by setting ColdFusion's "useJavaAsRegexEngine" flag to true.)

Questioner

bwhet

Viewed

Chinese

Original

Recent behavior changes in ColdFusion's RegEx engine?

Related issues