Bug in CF11/2016 in http.addParam

Explorer ,
Mar 19, 2018


Hi there

I have found an annoying bug in CF11/CF2016, both versions, both updated to the latest hotfixes.

It is in the http() object. Setting a header strips out %0A ... Absolutely weird.

To repro, do this (shortened):

---
GET https://nova-test-ws.sbb.ch/login HTTP/1.1
Authorization: Basic bm92YV9tZ2JfYXBwX3Rlc3Q6NzB4WTBIRE9nSkFYakl2dzgzdHk=
Host: nova-test-ws.sbb.ch
Accept-Encoding: gzip,deflate
---

You will get a large cookie, like this (only start is shown):

---

Set-Cookie: SAML-Ticket=%3Csaml2%3AAssertion+Version%3D%222.0%22+ID%3D%22SAML-afb7ce33-11c0-40fa-8ed6-acfb070f5b01%22+IssueInstant%3D%222018-03-19T13%3A19%3A14Z%22+xmlns%3Asaml2%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%3Csaml2%3AIssuer%3ESBB-WSG-TEST%3C%2Fsaml2%3AIssuer%3E%3CSignature+xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E%0A%3CSignedInfo%3E%0A++%3CCanonicalizationMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2FTR%2F2001%2FREC-xml-c14n-20010315%22%2F%3E%0A++%3CSignatureMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1%22%2F%3E%0A++%3CReference+URI%3D%22%23SAML-afb7ce33-11c0-40fa-8ed6-acfb070f5b01%22%3E%0A++++%3CTransforms%3E%0A++++++%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23enveloped-signature%22%2F%3E%0A++++++%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2FTR%2F2001%2FREC-xml-c14n-20010315%22%2F%3E%0A++++%3C%2FTransforms%3E%0A++++%3CDigestMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23sha1%22%2F%3E%0A++++%3CDigestValue%3Ermc17n90iP74fIMgugaysiRgedc%3D%3C%2FDigestValue%3E%0A++%3C%2FReference%3E%0A%3C%2FSignedInfo%3E%0A++++%3CSignatureValue%3EZo%

---

I store it to a variable because I have to use it on another call ….

My code is

---
saml_cookie = login.ResponseHeader["Set-Cookie"];

h = new http (Charset = "utf-8", Method = "POST", URL = "https://nova-test-ws.sbb.ch/kontrolle/1.6/sicherheitselementservice");

h.addParam (type="header", name="Content-Type", value="text/xml;charset=utf-8");
h.addParam (type="header", name="Cookie", value=saml_cookie);
h.addParam (type="body", value='<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sic="http://nova.voev.ch/kontrolle/1.6.0/sicherheitselemente"> <soapenv:Header/> <soapenv:Body> <sic:sicherheitselementPingRequest/> </soapenv:Body> </soapenv:Envelope>');

result = h.send().getPrefix();
---

When you use a tool like Fiddler to intercept SSL and to see what is going on, you inspect that cookie and see this difference (red parts show that %0A is no longer there):

---

SAML-Ticket=%3Csaml2%3AAssertion+Version%3D%222.0%22+ID%3D%22SAML-afb7ce33-11c0-40fa-8ed6-acfb070f5b01%22+IssueInstant%3D%222018-03-19T13%3A19%3A14Z%22+xmlns%3Asaml2%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%3Csaml2%3AIssuer%3ESBB-WSG-TEST%3C%2Fsaml2%3AIssuer%3E%3CSignature+xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E%3CSignedInfo%3E++%3CCanonicalizationMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2FTR%2F2001%2FREC-xml-c14n-20010315%22%2F%3E++%3CSignatureMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1%22%2F%3E++%3CReference+URI%3D%22%23SAML-afb7ce33-11c0-40fa-8ed6-acfb070f5b01%22%3E++++%3CTransforms%3E++++++%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23enveloped-signature%22%2F%3E++++++%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2FTR%2F2001%2FREC-xml-c14n-20010315%22%2F%3E++++%3C%2FTransforms%3E++++%3CDigestMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23sha1%22%2F%3E++++%3CDigestValue%3Ermc17n90iP74fIMgugaysiRgedc%3D%3C%2FDige

---

As you see, the %0A are stripped out … there is ABSOLUTELY NO REASON why CF does this.

Since the whole cookie is digitally signed I cannot use this cookie to authenticate because it is broken ... the ping SOAP request therefore gets a 403 Forbidden.

I have tried tons of variants to preserve the cookie value. It is not the value itself, it is definitely the assignment.

---
h.addParam (type="header", name="Cookie", value=saml_cookie);
---

I assume that it does that to all headers because in the HTTP header section there should be no LF ... but here it is escaped! Looks as if there is a bug in the validation code.

By April, I need to have a solution to this.

Please confirm receipt of this bug report and advise.

PS: Just to let you know: it IS CF's fault ... since SoapUI, also based on Java, does not show this silly behavior.

Any hints and work-arounds greatly welcome ...

Correct answer by BKBK | Adobe Community Professional

Hi Martin,

I do believe you. Report a bug. In your report, refer to this discussion.

You don't have to do much to reproduce the bug. Here's an example

<cfsavecontent variable="urlEncodedString">%3Csaml2%3AAssertion+Version%3D%222.0%22+ID%3D%22SAML-afb7ce33-11c0-40fa-8ed6-acfb070f5b01%22+IssueInstant%3D%222018-03-19T13%3A19%3A14Z%22+xmlns%3Asaml2%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%3Csaml2%3AIssuer%3ESBB-WSG-TEST%3C%2Fsaml2%3AIssuer%3E%3CSignature+xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E%0A%3CSignedInfo%3E%0A++%3CCanonicalizationMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2FTR%2F2001%2FREC-xml-c14n-20010315%22%2F%3E%0A++%3CSignatureMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1%22%2F%3E%0A++%3CReference+URI%3D%22%23SAML-afb7ce33-11c0-40fa-8ed6-acfb070f5b01%22%3E%0A++++%3CTransforms%3E%0A++++++%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23enveloped-signature%22%2F%3E%0A++++++%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2FTR%2F2001%2FREC-xml-c14n-20010315%22%2F%3E%0A++++%3C%2FTransforms%3E%0A++++%3CDigestMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23sha1%22%2F%3E%0A++++%3CDigestValue%3Ermc17n90iP74fIMgugaysiRgedc%3D%3C%2FDigestValue%3E%0A++%3C%2FReference%3E%0A%3C%2FSignedInfo%3E%0A++++%3CSignatureValue%3EZo%</cfsavecontent>

<cfcookie name="testCookie" value="#urlEncodedString#">

<cfoutput>#cookie.testCookie#</cfoutput>

The output omits all occurrences of %0A. That's buggy.


Adobe Community Professional ,
Mar 19, 2018


I don't have an answer for your question, but this is not how you submit bugs to Adobe. This is an open forum. Use Adobe's bug tracker to submit bugs:

Tracker

Dave Watts, Fig Leaf Software

Adobe Community Professional ,
Mar 19, 2018


Tinu, Dave beat me to it on the point about your expectation of a "fix". But even before you may file a bug report, you could clarify something (for us and for them).

1) You say "it is definitively the assignment", but then you point to the addparam. Have you confirmed if it may well be already so in "the assignment" that preceded it:

saml_cookie = login.ResponseHeader["Set-Cookie"];

Because it may be. Have you dumped that saml_cookie? And better, the responseheader? Or even the whole login object (you don't show us what's doing that, but perhaps a similar http/cfhttp call)?

2) As for the addparam, the docs (for its corollary, cfhttpparam) say that headers are NOT encoded. I know you're saying it's "escaped". Could you try adding an argument telling it "no", don't encode/escape things, and see if that makes a difference. (The docs for addparam, ColdFusion Help | http, don't refer to such an argument, but I'd guess it would take it as a final argument.)

Let us know what you find, on my point 1 and 2.

/Charlie (server troubleshooter, carehart.org)

Explorer ,
Mar 19, 2018


Hi Charlie

Many years ago, I met you in Zürich ... I still remember you ... of course

I included the reproduction ... please do it ... then you see you get the SAML-Ticket as an urlencoded ("escaped") string. The cookie itself is a XML stuff. Obviously, there is a LF after the closing > of an element. That is why the LF appears as %0A after each %3E

So I get the whole thing as a simple string. I save it to a variable. The task is to JUST MIRROR that string as a cookie in the next http call.

So it is obvious that I can only use h.addParam (type="header", name="Cookie", value=saml_cookie). I would prefer to learn about another method ...

This always caused a 403 Forbidden by the remote system. No one had an idea why this happens as everything looked well ... under 4 eyes too. So I had to intercept the SSL traffic and finally figured that the cookie CF delivers has the string parts %0A removed ...

I'd be glad to see my errors in the code ... if there are any ...

Regards

Martin

Adobe Community Professional ,
Mar 22, 2018


Thanks, Martin. But you didn't answer my question. I appreciate the added info (about how challenging it's been), and I realize you say that you have provided what we need to recreate the problem. Can you save us having to do that (since it's not as it stands a completely ready-to-run example) and just let us know if you see the problem in the assignment, BEFORE the addparam? And if it is NOT, did you try adding the argument for that as I proposed?

/Charlie (server troubleshooter, carehart.org)

Explorer ,
Mar 23, 2018


Hi Charlie

Thanks for caring.

Ok, I made an example to just copy&paste it. I use FW/1, therefore the rc structure exists and is the container to forward data collected in previous steps. To repro, just create a structure and feed it to ping_SBB (the test method, see below). All HTTP headers are the bare minimum as requested by the SBB API. The Login can be used to repro, since the target is a test system.

---
public struct function SBB_Login ( rc ) {
   var l = {};
   l.h = new http ( Charset = "utf-8",
                    Method  = "GET",
                    URL     = "https://nova-test-ws.sbb.ch/login");
   l.h.addParam (type="header", name="Authorization", value="Basic bm92YV9tZ2JfYXBwX3Rlc3Q6NzB4WTBIRE9nSkFYakl2dzgzdHk=");
   l.result = l.h.send().getPrefix();
   return l.result;
}

public struct function SBB_Ping ( rc ) {
   var l = {};
   l.soap =
   '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sic="http://nova.voev.ch/kontrolle/1.6.0/sicherheitselemente">
   <soapenv:Header/>
   <soapenv:Body>
      <sic:sicherheitselementPingRequest/>
   </soapenv:Body>
   </soapenv:Envelope>';
   l.h = new http ( Charset = "utf-8",
                    Method  = "POST",
                    URL     = "https://nova-test-ws.sbb.ch/kontrolle/1.6/sicherheitselementservice");
   l.h.addParam (type="header", name="Content-Type", value="text/xml;charset=utf-8");
   l.h.addParam (type="header", name="Cookie",       value=rc.sbb.saml_cookie);
   l.h.addParam (type="body",   value=l.soap);
   l.result = l.h.send().getPrefix();
   return l.result;
}

public boolean function ping_SBB ( rc ) {
   var l = { res = false };
   l.login = SBB_Login (rc);
   if (l.login.StatusCode contains "200") {
      rc.sbb.saml_cookie = l.login.ResponseHeader["Set-Cookie"];
      l.ping = SBB_Ping (rc);
   }
   return l.res;
}
---

Call ping_SBB and inspect the returned Set-Cookie header and then see what CF sends in SBB_Ping().

HTH, Martin

Adobe Community Professional ,
Mar 23, 2018


Martin, that's still not stand-alone enough, if one must have fw/1 and must still further tweak the code. 🙂

But first, and perhaps more important, you still haven't answered the two simple questions I'd asked which, if you confirmed on your end, may save anyone needing to run the code:

"just let us know if you see the problem in the assignment, BEFORE the addparam? And if it is NOT, did you try adding the argument for that as I proposed?"

But assuming neither gets you to a solution, another reason I press for perfectly stand-alone code is that in creating that, folks often find the answer on their own, as something they were doing based in a variable is now hard-coded, etc.

(And on the other hand, sometimes some of us--as I am now--are on phones looking at things here and so can't even put in the dependencies or tweaks you recommend, but we might see something in your complete standalone code without even needing to run it.)

So please try either of the above and let us know how it goes.

/Charlie (server troubleshooter, carehart.org)

Explorer ,
Mar 23, 2018


Charlie, I get you ...

So this is a real standalone sample ... I cannot make it simpler for you to see the problem (which is invisible without an SSL proxy).

This standalone code below works without the proxy and dumps all results. Note the 403 in the response of SBB_Ping.

---
<cfscript>
   rc = {};

   public struct function SBB_Login ( rc ) {
      var l = {};
      l.h = new http ( Charset = "utf-8",
                       Method  = "GET",
                       URL     = "https://nova-test-ws.sbb.ch/login"
                       // , ProxyPort = 8888,
                       // ProxyServer = "127.0.0.1"
                     );
      l.h.addParam (type="header", name="Authorization", value="Basic bm92YV9tZ2JfYXBwX3Rlc3Q6NzB4WTBIRE9nSkFYakl2dzgzdHk=");
      l.result = l.h.send().getPrefix();
      return l.result;
   }

   public struct function SBB_Ping ( rc ) {
      var l = {};
      l.soap =
      '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sic="http://nova.voev.ch/kontrolle/1.6.0/sicherheitselemente">
      <soapenv:Header/>
      <soapenv:Body>
         <sic:sicherheitselementPingRequest/>
      </soapenv:Body>
      </soapenv:Envelope>';
      l.h = new http ( Charset = "utf-8",
                       Method  = "POST",
                       URL     = "https://nova-test-ws.sbb.ch/kontrolle/1.6/sicherheitselementservice"
                       // , ProxyPort = 8888,
                       // ProxyServer = "127.0.0.1"
                     );
      l.h.addParam (type="header", name="Content-Type", value="text/xml;charset=utf-8");
      l.h.addParam (type="header", name="Cookie",       value=rc.sbb.saml_cookie);
      l.h.addParam (type="body",   value=l.soap);
      l.result = l.h.send().getPrefix();
      return l.result;
   }

   public boolean function ping_SBB ( rc ) {
      var l = { res = false };
      l.login = SBB_Login (rc);
      rc.login = l.login; // just to have the whole thing in RC
      if (l.login.StatusCode contains "200") {
         rc.sbb.saml_cookie = l.login.ResponseHeader["Set-Cookie"];
         l.ping = SBB_Ping (rc);
         rc.ping = l.ping;   // just to have the whole thing in RC
      }
      return l.res;
   }

   ping_SBB (rc);
   writedump (var=rc);
</cfscript>
---

Adobe Community Professional ,
Mar 23, 2018


OK, Martin.

1) So I made my observation based on you saying that " I use FW/1, therefore the rc structure exists and is the container to forward data collected in previous steps. To repro, just create a structure and feed it to ping_SBB".

My point was that if running this would require us to have FW/1, or to "create a structure", then that did not make this "stand-alone enough". I noticed as well that you just offered 3 methods. It was not at all clear what to call, and what to pass. Further, I explained that I was looking at this on a phone, anyway, which made it all the more challenging to assess things.

2) So with that out of the way, I see from your new example that you went ahead and added calls to the method. (Why you set the variable at the top, before defining them, and then called them at the bottom, I don't know. To be clear, you can push that assignment to the bottom.)

And this is still pretty obtuse code. Why have one method called sbb_ping and another called ping_sbb?

3) MOST IMPORTANT: I HAVE ASKED YOU 3 TIMES TO ANSWER TWO SIMPLE QUESTIONS: what if you dumped the variable BEFORE the addparam, and what if you added the argument to tell addparam NOT to encode the value?

Why have you not answered? I just figured you might get your solution before one of us might be able to a) run the code, b) interpret the results, and c) then sort through the code to see what may be amiss, whether in your code or in CF.

4) But growing weary of asking, and since you insisted again on us running the code, I did that. And I put a dump of the result of your assignment (rc.sbb.saml_cookie), BEFORE the use in addparam, and I do see that the missing "%0A" was there.

So it does seem that somehow it's being "lost" when the http call is made (maybe in the addparam, but maybe not. We can't know).

5) I did also try adding the arg to tell it to not encode the param:

l.h.addParam (type="header", name="Cookie", value=rc.sbb.saml_cookie, encoded="no");

But that didn't make the error go away. By that I mean I still see the 403.

6) But to be clear, that doesn't tell me that this did or did not solve the problem. The 403 could be for any reason.

I know you had been watching the comm via fiddler, and I tried to get that to work. I already had it installed, I updated it, I uncommented your code to tell the http to proxy through port 8888, but I could never get fiddler to allow the call to work. I would see it in fiddler (the call to https://nova-test-ws.sbb.ch/ ), but I would never see it running successfully, and worse the CF page now failed with yet another error.

I tried for quite a while to sort out what may be amiss, and I had to give up.

7) But let's have YOU try that change in point 5 here, just to see if it maybe causes you to see the %0A in the stream being sent. If it IS, then this has solved THAT problem and your failure may have some OTHER cause (whereas perhaps all along you presumed it was this loss of the %0A).

8) But if that still fails to send it, I wondered finally what might happen if you instead changed the code from sending a "header" to sending a "cookie". As you may know, that's an option for the "type" arg for addparam (and CFHTTPPARAM). The challenge is that you need to send the cookie name and value separately. It was easy to see the cookie name (that you were extracting from the set-cookie header), but getting the value was a bit trickier. We needed to get what's on the right side of the = (in that header). There are various ways to do that but this works:

l.h.addParam (type="cookie", name="SAML-Ticket",value=listgetat(rc.sbb.saml_cookie,2,"="));

I confirmed that that function would get the entire cookie value (and only the cookie value, since there were no other cookies being set. If there were, it would not be enough to avoid getting other cookie info.)

Anyway, I tried that code and it still did not "help", in that I still got a 403.

But again I couldn't see the stream being sent in fiddler. Maybe if you try it you may see that this DOES fix the %0A problem, and if so then it means that is NOT the issue causing the 403. It's worth a shot.

Let us know what you find.

/Charlie (server troubleshooter, carehart.org)
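Charlie could not get Fiddler to show the outgoing stream, and Martin's route requires importing the Fiddler root certificate into the JVM keystore. The following is an added example, not code from any post in this thread: a local plain-HTTP echo server that replies with the exact Cookie header it received, a parser that takes only the name=value pair out of a Set-Cookie header (a bare split on "=" also carries along any attributes or further cookies, the limitation Charlie noted for listgetat), and a checker that reports which percent-escapes went missing. The sample cookie, the /echo path and all function names are constructed for this example.

```python
"""Check whether a client mirrors a Set-Cookie value into a Cookie header intact.

Constructed example for the CF %0A-stripping thread. No TLS interception is
needed: the echo server answers with the verbatim Cookie header it received,
so any HTTP client (Python here, or a ColdFusion http call pointed at the
server) can be inspected by reading the response body.
"""
import http.client
import re
import threading
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample in the shape of the SAML-Ticket cookie from the thread:
# URL-encoded XML with a newline (%0A) after each closing '>', plus attributes.
SAMPLE_SET_COOKIE = (
    "SAML-Ticket=%3CSignature%3E%0A%3CSignedInfo%3E%0A++%3CReference%2F%3E%0A"
    "%3C%2FSignedInfo%3E%0A%3C%2FSignature%3E; Path=/; HttpOnly"
)

ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def parse_set_cookie(header):
    """Return (name, value) from a Set-Cookie header, ignoring attributes.

    Only the first 'name=value' item is the cookie; everything after the first
    ';' (Path, HttpOnly, Expires, ...) is metadata and must not be sent back.
    """
    first = header.split(";", 1)[0].strip()
    name, sep, value = first.partition("=")
    if not sep or not name:
        raise ValueError("not a cookie pair: %r" % first)
    return name.strip(), value.strip()


def dropped_escapes(sent, received):
    """Map each percent-escape (e.g. '%0A') to how many copies went missing."""
    before = Counter(m.upper() for m in ESCAPE.findall(sent))
    after = Counter(m.upper() for m in ESCAPE.findall(received))
    return {s: before[s] - after[s] for s in before if before[s] > after[s]}


class EchoCookieHandler(BaseHTTPRequestHandler):
    """Answer any GET/POST with the verbatim Cookie header value (empty if absent)."""

    def _echo(self):
        body = self.headers.get("Cookie", "").encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = _echo
    do_POST = _echo

    def log_message(self, *args):  # keep the console quiet
        pass


def start_echo_server(port=0):
    """Bind on 127.0.0.1 (port 0 = any free port); return (server, bound_port)."""
    server = HTTPServer(("127.0.0.1", port), EchoCookieHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def send_cookie(port, cookie_header):
    """POST to the echo server with the given Cookie header; return what it echoed."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("POST", "/echo", body=b"<ping/>",
                     headers={"Cookie": cookie_header, "Content-Type": "text/xml"})
        return conn.getresponse().read().decode("utf-8")
    finally:
        conn.close()


def round_trip(set_cookie=SAMPLE_SET_COOKIE):
    """Mirror a Set-Cookie value through Python's client; return (sent, received, dropped)."""
    name, value = parse_set_cookie(set_cookie)
    cookie_header = name + "=" + value
    server, port = start_echo_server()
    try:
        received = send_cookie(port, cookie_header)
    finally:
        server.shutdown()
        server.server_close()
    return cookie_header, received, dropped_escapes(cookie_header, received)


if __name__ == "__main__":
    sent, got, lost = round_trip()
    print("sent    :", sent)
    print("received:", got)
    print("dropped :", lost or "nothing")
```

To check the ColdFusion client, keep the server running on a fixed port and point SBB_Ping's URL at http://127.0.0.1:<port>/echo; the response body in the dump is exactly what CF put on the wire, and dropped_escapes() on it against rc.sbb.saml_cookie shows whether %0A survived.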

Adobe Community Professional ,
Mar 23, 2018


This is just a thought, but it might be interesting to perform the same test using CFML tags instead of CFSCRIPT and functions. One would expect them to do the same thing, but ... maybe not.

Dave Watts, Fig Leaf Software

Explorer ,
Mar 23, 2018


Charlie

Thanks for your efforts.

I also tried your variation and to no avail.

I did not think it worth mentioning that OF COURSE I tried tons of variations to encode the cookie before I reach out for help ... I did write that, I just did not enumerate all my tries.

Amongst all, I did for instance

rc.sbb.saml_cookie = toBase64 (l.login.ResponseHeader["Set-Cookie"]); and then addParam (type="header", ... value=rc.sbb.saml_cookie.tostring()

or

rc.sbb.saml_xml    = URLDecode (ListRest (rc.sbb.saml_cookie, "="));  and then addParam (type="cookie", ... value=rc.sbb.saml_xml)

etc. etc. nothing helped.

In any case, Fiddler revealed that %0A was removed from the cookie actually sent. Hence, my original message.

PS: For Fiddler to work ... you must let it create a certificate and export it. Then you MUST add the cert to the Java keystore. If you don't do this, CF will never talk to Fiddler since it is not trustworthy.

Like so:

C:\ColdFusion2016> jre\bin\keytool.exe -keystore jre\lib\security\cacerts -importcert -file C:\Users\Development\Desktop\FiddlerRoot.cer -alias fiddler

Regards

Martin

Explorer ,
Mar 23, 2018


Hi Dave

Good idea. I tried it. No change in behavior. Still wrong. Fiddler again proved it. The %0A is stripped ... I begin to assume that this is because on Windows platforms LF is not the line limiter ... CR/LF is. Maybe CF tries to correct "wrong" CR/LFs ...

Since I am not that good in Java, I am now looking for some trick to get to the http parameters by Java ... to set the string .... any hints here for me? Can I somehow access the Java http object beneath CF?
