
I need to update the OWASP AntiSamy jar file which is located at ColdFusion11\cfusion\lib

The file currently in there is antisamy-1.4.4.jar, but I want to update this to the latest version, antisamy-1.5.3.jar, which I have downloaded from OWASP and placed in the cfusion\lib folder.

Does anyone know how I can tell ColdFusion to use the latest version of the file? Is the path to the file in some configuration file anywhere?

In CF Administrator I can see both the old file and the new file under 'Settings Summary', but how do I know which one it's using to power the GetSafeHTML function?

volume one

1 Answer


> I want to update this to the latest version

AFAIK, there is no list of individual files. At least not for the "core" jar files used by the CF Server. It simply checks certain directories like {cf_root}\lib, web-inf\lib, etcetera and loads any *.jar files it finds.

If you want CF to use a different version for core tags and functions, you must replace the existing jar file with the new one. The actual jar file name does not matter. What is important is having only a single version of the library in the CF class path. Otherwise, CF will simply use the first version it finds.

You can also try placing the new jar file in the jvm's lib/ext directory. IIRC, those jars should take precedence over the ones in {cf_root}\lib.

NB: Since you are replacing/overriding the version used by CF, you should do some testing to verify the new version of the library is backward compatible and that replacing it does not break anything. As noted in the comments below, there is always a risk of problems when messing with CF's built in jar files...

Leigh
  • In case there is a problem with replacing the JAR file, what are the steps to add it so that you can use it separately? (BIFs are nice, but not when the libraries aren't ever updated by Adobe.) Thanks. – James Moberg Sep 06 '15 at 23:13
  • (Edit) @JamesMoberg - Not sure what you are asking. If you are looking to replace core functions/tags you cannot run multiple versions AFAIK. Only with app specific code ie `this.javaSettings`. That said, there is always a risk when you mess with CF's built in libraries, as noted above. I have rarely done it, so I cannot say what would happen. – Leigh Sep 06 '15 at 23:18
  • So I went ahead and deleted `antisamy-1.4.4.jar` and placed `antisamy-1.5.3.jar` in the folder. It seems to be working exactly the same as before so I can't actually tell if CF is using the new library. I guess it must be using the new 1.5.3 version if the old one has been deleted right? – volume one Sep 06 '15 at 23:24
  • (Edit) You restarted CF afterward, yes? It is required for the change to be detected. See [Identifying which jar a class was loaded from..](http://www.bpurcell.org/blog/index.cfm?mode=entry&entry=982). Though do not just assume everything is fine ;-) You need to do some testing to verify it did not break anything. Obviously restore the original jar if needed. Also, James makes a fair point though. What would happen if a CF update tries to update the antisamy version? – Leigh Sep 06 '15 at 23:28
  • @Leigh Yes I had to stop CF server, change the file, and then start it again. I have noticed that when CF updates, it overwrites the antisamy-basic.xml policy file. I would have to update the antisamy xml and jar file manually after each CF update for now. The whole reason for the update is that I'm experiencing problems with antisamy processing HTML5 tags and thought an update would fix it. It hasn't. – volume one Sep 07 '15 at 09:24
  • Sorry to hear that. Not that it helps finding a "fix", but out of curiosity .. in terms of keeping CF from overriding the jar and xml file, did you try placing the jar in `lib\ext`? Also, the docs say the location of the xml file can be [specified in the Application.cfc, ie `this.security.antisamypolicy`](https://www.adobe.com/devnet/coldfusion/articles/security-improvements-cf11.html). – Leigh Sep 08 '15 at 00:26
  • @volumeone I was hoping to not mess or use Adobe's outdated library. Is it possible to load an updated third-party java library without messing with Adobe's built-in functionality? For example, Apache POI has had many updates since Adobe initially integrated it. I'd love to take advantage of past bug library fixes (ie "wrap"), but ACF's blackbox dependency on older versions cause errors with newer libraries. Any recommendation on using newer libs w/o impacting ACF built-in, blackbox functions? – James Moberg Sep 08 '15 at 17:18
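As an added example (not code from the question or the answer above), the following CFML page answers the "which jar is CF actually using?" question directly, by asking the JVM where it loaded the AntiSamy class from and reading the version from the jar manifest. It assumes the AntiSamy entry class is `org.owasp.validator.html.AntiSamy`; the manifest version may be absent, so the code guards for null.

```cfml
<cfscript>
// Added example: report which jar on the class path supplied the AntiSamy class.
// Run this after swapping the jar AND restarting CF; the result should name
// antisamy-1.5.3.jar (or whatever file you placed in lib or lib\ext).
antiSamyClass = createObject("java", "org.owasp.validator.html.AntiSamy").getClass();

// CodeSource is null for bootstrap classes; it will be non-null for a jar in cfusion\lib.
codeSource = antiSamyClass.getProtectionDomain().getCodeSource();
jarLocation = isNull(codeSource) ? "(bootstrap / no code source)" : codeSource.getLocation().toString();

// Implementation-Version comes from META-INF/MANIFEST.MF and is optional in the jar,
// so fall back to a clear marker instead of failing when it is missing.
pkg = antiSamyClass.getPackage();
implVersion = (isNull(pkg) || isNull(pkg.getImplementationVersion()))
    ? "(no Implementation-Version in manifest)"
    : pkg.getImplementationVersion();

writeOutput("AntiSamy class loaded from: " & encodeForHTML(jarLocation) & "<br>");
writeOutput("Manifest Implementation-Version: " & encodeForHTML(implVersion) & "<br>");

// Sanity check that the built-in function still runs with the swapped library:
// a constructed sample containing a script tag should come back without it.
sample = '<p>hello</p><script>alert(1)</script>';
writeOutput("GetSafeHTML result: " & encodeForHTML(getSafeHTML(sample)));
</cfscript>
```

If the reported location still points at the old 1.4.4 jar, a second copy is still on the class path (e.g. in `lib\ext` or `WEB-INF\lib`) and is being found first, which is exactly the situation the answer warns about.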