http://livedocs.adobe.com/ Macromedia LiveDocs - online documentation with user feedback. Copyright 2009, Macromedia, Inc. 2009-11-25T23:59:48 en-us http://livedocs.adobe.com/coldfusion/7/htmldocs/00000284.htm#85707 There appears to be no way to make <cflocation> default to addtoken="false" - If you don't want tokens you must specify addtoken="false" for every single <cflocation> tag.<br /><br />The following trick will fix that. Put this at the start of every request: (I put mine in the onRequest function) This will cause there to never be any tokens regardless of the setting of addtoken<br /><br /><cfset StructDelete(session, "urltoken") > 0 0 2008-07-13T21:11:39 http://livedocs.adobe.com/coldfusion/7/htmldocs/00000284.htm#39744 We had the same problem, and in addition to the previous solution, here's another method that works:<br /><br />Change:<br /><CFLOCATION URL="myTemplate.cfm?myVar=#URLEncodedFormat(Encrypt(myValue, myKey))#" ADDTOKEN="Yes"><br /><br />To:<br /><CFLOCATION URL="myTemplate.cfm?myVar=#URLEncodedFormat(Trim(Encrypt(myValue, myKey)))#" ADDTOKEN="Yes"><br /><br />Adding Trim() around the Encrypt() function fixes this. Giskard 0 0 2005-09-21T06:40:21 http://livedocs.adobe.com/coldfusion/7/htmldocs/00000284.htm#38786 I have found a solution to my problem listed earlier.<br /><br />Change:<br /><cflocation url="myTemplate.cfm?myVar=#URLEncodedFormat(Encrypt(form.User,"somekey"))#" ADDTOKEN="Yes"><br /><br />To:<br /><cflocation url="myTemplate.cfm?myVar=#Encrypt(form.User,"somekey","CFMX_COMPAT", Hex")#" ADDTOKEN="Yes"><br /><br />The 4th parameter "Hex" will convert the encrypted data to a hex stream which can be passed on the URL even though LF and CR may be embedded in it. Of course, you have to also add the 3rd and 4th parms to the Decrypt() statements to make it work.<br /><br />Another bonus is that URLEncodedFormat() is not needed because there will be no special characters in the hex stream. sjibben 0 0 2005-08-18T20:53:13 http://livedocs.adobe.com/coldfusion/7/htmldocs/00000284.htm#38752 This change also breaks another implementation of URLEncodedFormat.<br /><br />For example, it is very common for developers to use the following syntax for encrypting URL variables:<br /><br /><cflocation url="myTemplate.cfm?myVar=#URLEncodedFormat(Encrypt(form.User,"somekey"))#" ADDTOKEN="Yes"><br /><br />This works fine until Encrypt translates a perfectly normal user variable like 'JoeCool' to include CR or LF characters. Even though URLEncodedFormat is working correctly CFLocation throws an error. So, how is it possible to even encrypt URL variables with this implementation of CFLocation???<br /><br />This needs to be corrected! sjibben 0 0 2005-08-17T14:26:56 http://livedocs.adobe.com/coldfusion/7/htmldocs/00000284.htm#35477 The problem is not line feeds, but URL encoded strings.<br /><br />%0A and %0D ( chr(10), chr(13) ) are actually okay, and will not cause http response splitting.<br /><br />Essentially an response header is given to the browser. If an attacker makes the first thing a line break then can fool IE or Mozzilla into displaying content. <br /><br />The problem in the document is that PHP was incorrectly take %0A and %0D and putting it in there. If CF does not URL decode the values then IE or Mozzila would not break.,<br /><br />Furthermore the attack only works if the line feed is the first characters like to make the response looks something like this.<br /><br />HTTP 302<br />Location:<br />HTTP 220<br />Look at me I think I'm a cool hacker.<br /><br />I want this to happen in my code.<br /><br />HTTP 302<br />Location:http://www.somesite.com/index.cfm?variable=%0A%Dae%2D<br /><br />I'm really irritated that <br /><br />A) they just stuck this in without telling anyone.<br />B) it ignore the switch to protect against cross site scripting that is in the administrator<br />C) That Macromedia is being take such a crappy stance on this. They did not all site around and really think about whether or not the solution was correct, just read some "tech doc" about it and stuck it in. <br /><br />Please correct this problem. It is a bug, regardless of whether it was intential or not. twillerror 0 0 2005-06-14T08:52:32 http://livedocs.adobe.com/coldfusion/7/htmldocs/00000284.htm#30520 Yes. I believe that the full CF7 error is:<br><br> Failed to perform redirection. <br> ColdFusion was unable to perform the CFLOCATION operation. <br> Location URL cannot contain (carriage return) CR or (line feed) LF characters <br><br>The rule that CR and LF characters are not allowed in headers was added to CF7.<br>This is a general rule for all headers - including the headers created by <cflocation>.<br><br>This is an intentional change in CF7 to deter "split-response" security attacks, like those described in:<br>http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf <br>http://seclists.org/lists/webappsec/2004/Jan-Mar/0263.html jrunrandy 1 1 2005-03-29T13:52:59 http://livedocs.adobe.com/coldfusion/7/htmldocs/00000284.htm#30177 CFLocation has a bug whereby it unduly fails when a carriage-return, or line-feed, is properly encoded in a url parameter.<br /><br />Consider the following code -- which simulates a typical user input being passed in the URL:<br /><br /> <cfscript><br /> sCR_LF = Chr (13) & Chr (10);<br /> sRawRemarks = "First Line. #sCR_LF# Second Line. #sCR_LF#";<br /> sEncodedRemarks = URLEncodedFormat (sRawRemarks);<br /> </cfscript><br /><br /> <cflocation addtoken="no" url="#CGI.SCRIPT_NAME#?sRemarks=#sEncodedRemarks#"><br /><br />The script name is legal. The URL variable, "sRemarks", has a legal value.<br />Yet cflocation trips an exception saying "Failed to perform redirection." MikerRoo 0 0 2005-03-18T21:11:05