tracker issue : CF-3044007

Title:

Bug 87082:(Watson Migration Closure)CSRF hotfix in 9


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Charlie Arehart / Charlie Arehart (Charlie Arehart)

Created: 08/27/2011

Components: Administrator, Administrator Console

Versions: 9.0.1

Failure Type: Unspecified

Found In Build/Fixed In Build: 0000 / 280447

Priority/Frequency: Trivial / Most users will encounter

Locale/System: English / Win All

Vote Count: 0

Problem:

CSRF hotfix in 9.01 breaks Admin panel feature for browsing web services.

After applying the CSRF hotfix for 9.01 (http://kb2.adobe.com/cps/907/cpsid_90784.html#main_ColdFusion 9.0.1), it causes a feature of the CF Admin to break. Well, "break" is a strong word. It leads to an unexpected and confusing result. Let me explain, in "steps to reproduce" below.
Method:

If you go to the web services panel, and click the provided link to browse the URL for a web service, it should go to show the WSDL for it (assuming it’s a valid URL to a valid web service). Since the hotfix, though, it instead takes one unexpectedly to the CF component browser.

It took a bit to sort it out, but the hotfix causes this form to add the ?csrftoken to the URL, so instead of somepath?wsdl it becomes somepath?wsdl&csrftoken=xxxx. And the problem is that THAT unexpectedly causes the display of the component browser. In fact, even without the fix you can see this, if you go to http://localhost/CFIDE/adminapi/base.cfc?wsdl&csrftoken (or even http://localhost/CFIDE/adminapi/base.cfc?wsdl&xxx).

So there are really two issues: is it expected behavior after the hotfix for this &csrftoken to be added to the URL on this page? And can it be removed? (I don’t understand the whole CSRF thing well enough to know if, post the fix, there’s a reason we WOULD want that token added.)

But that leads to the second question: why does the addition of another querystring value on a CFC URL intended to browse the WSDL cause CF instead to make the request jump to the component explorer?

Even if you don’t know the answer, if you may be interested in this, please do reply if you can confirm seeing the behavior (assuming you’ve applied that hf901-00002.jar that came with the updated security hot fix “APSB11-15”).
Result:
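The URL rewriting the report describes (somepath?wsdl becoming somepath?wsdl&csrftoken=xxxx), shown as an added example that is not part of the bug report or of ColdFusion's own code. The report does not say how CF decides between serving the WSDL and showing the component browser; the `is_wsdl_request_naive` function below is an assumed dispatch rule (an exact match on the raw query string) used only to illustrate why appending a parameter can flip that decision, and `is_wsdl_request_parsed` shows the parameter-aware check that survives the appended token. `strip_query_param` is a hypothetical helper for the reporter's "can it be removed?" question: dropping the token from a link that merely fetches a WSDL keeps it out of browser history and out of the Referer sent to the target.

```python
"""Added example: CSRF token appended to a ?wsdl link, and two ways of recognising a WSDL request."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample values; the token is a placeholder, not a real ColdFusion token.
WSDL_URL = "http://localhost/CFIDE/adminapi/base.cfc?wsdl"
SAMPLE_TOKEN = "xxxx"


def append_csrf_token(url: str, token: str) -> str:
    """Append csrftoken=<token>, keeping any query string the link already had.

    This mirrors the effect described in the report: '?wsdl' becomes '?wsdl&csrftoken=...'.
    """
    parts = urlsplit(url)
    query = f"{parts.query}&csrftoken={token}" if parts.query else f"csrftoken={token}"
    return urlunsplit(parts._replace(query=query))


def is_wsdl_request_naive(url: str) -> bool:
    """ASSUMED dispatch rule: the whole query string must be exactly 'wsdl'.

    Any extra parameter (csrftoken, or the '&xxx' in the report) makes this return False,
    which is the kind of logic that would send the request to a different handler.
    """
    return urlsplit(url).query.lower() == "wsdl"


def is_wsdl_request_parsed(url: str) -> bool:
    """Parameter-aware check: a request is a WSDL request if it carries a 'wsdl' parameter.

    keep_blank_values=True matters: 'wsdl' has no '=value', and parse_qsl drops such
    entries by default, which would silently lose the very parameter we are looking for.
    """
    names = {name.lower() for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    return "wsdl" in names


def strip_query_param(url: str, param: str) -> str:
    """Remove one query parameter (case-insensitively) and rebuild the URL unchanged otherwise."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k.lower() != param.lower()]
    # urlencode would turn the blank 'wsdl' into 'wsdl='; rebuild manually so it stays bare.
    pieces = [k if v == "" else urlencode([(k, v)]) for k, v in kept]
    return urlunsplit(parts._replace(query="&".join(pieces)))


if __name__ == "__main__":
    tokened = append_csrf_token(WSDL_URL, SAMPLE_TOKEN)
    print("after hotfix-style rewrite:", tokened)
    print("naive rule  -> wsdl?", is_wsdl_request_naive(tokened))   # False: extra param breaks exact match
    print("parsed rule -> wsdl?", is_wsdl_request_parsed(tokened))  # True: 'wsdl' parameter still present
    print("token stripped:", strip_query_param(tokened, "csrftoken"))
```

Run it as a script to see the three cases from the report side by side: the plain `?wsdl` link, the same link with the token appended, and the link with the token stripped again.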

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3044007

Deployment Phase:	Release Candidate

External Customer Info:
External Company:  
External Customer Name: Charlie Arehart
External Customer Email: 03D0090C44723473992015D5
External Test Config: 08/27/2011

Attachments:

Comments: