tracker issue : CF-4201602

Title:

CF11/2016 strips %0A out of http.addParam (type="cookie")


Status/Resolution/Reason: Closed/Withdrawn/AsDesigned

Reporter/Name(from Bugbase): Martin Baur / Martin Baur ()

Created: 03/19/2018

Components: Net Protocols, HTTP

Versions: 2016,11.0,2018

Failure Type: Data Corruption

Found In Build/Fixed In Build: ColdFusion 2016 Update 5. /

Priority/Frequency: Normal / All users will encounter

Locale/System: / Win 2012 Server x64

Vote Count: 0

Hi there

I have found an annoying bug in CF11/CF2016, both versions, both updated to the latest hotfixes.

It is in the http() object. Setting a header strips out %0A ... Absolutely weird.


To repro, do this (shortened):

---
GET https://nova-test-ws.sbb.ch/login HTTP/1.1
Authorization: Basic bm92YV9tZ2JfYXBwX3Rlc3Q6NzB4WTBIRE9nSkFYakl2dzgzdHk=
Host: nova-test-ws.sbb.ch
Accept-Encoding: gzip,deflate

---

You will get a large cookie, like this (only the start is shown):

---
Set-Cookie: SAML-Ticket=%3Csaml2%3AAssertion+Version%3D%222.0%22+ID%3D%22SAML-afb7ce33-11c0-40fa-8ed6-acfb070f5b01%22+IssueInstant%3D%222018-03-19T13%3A19%3A14Z%22+xmlns%3Asaml2%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%3Csaml2%3AIssuer%3ESBB-WSG-TEST%3C%2Fsaml2%3AIssuer%3E%3CSignature+xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E%0A%3CSignedInfo%3E%0A++%3CCanonicalizationMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2FTR%2F2001%2FREC-xml-c14n-20010315%22%2F%3E%0A++%3CSignatureMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1%22%2F%3E%0A++%3CReference+URI%3D%22%23SAML-afb7ce33-11c0-40fa-8ed6-acfb070f5b01%22%3E%0A++++%3CTransforms%3E%0A++++++%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23enveloped-signature%22%2F%3E%0A++++++%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2FTR%2F2001%2FREC-xml-c14n-20010315%22%2F%3E%0A++++%3C%2FTransforms%3E%0A++++%3CDigestMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23sha1%22%2F%3E%0A++++%3CDigestValue%3Ermc17n90iP74fIMgugaysiRgedc%3D%3C%2FDigestValue%3E%0A++%3C%2FReference%3E%0A%3C%2FSignedInfo%3E%0A++++%3CSignatureValue%3EZo%
---

I store it in a variable because I have to use it in another call.

My code is:

---
// saml_cookie holds the complete Set-Cookie value captured from the GET /login response above
saml_cookie = login.ResponseHeader["Set-Cookie"];

h = new http ( Charset = "utf-8", Method = "POST", URL = "https://nova-test-ws.sbb.ch/kontrolle/1.6/sicherheitselementservice");
h.addParam (type="header", name="Content-Type", value="text/xml;charset=utf-8");
// the value handed over here is the one that arrives on the wire without its %0A sequences
h.addParam (type="header", name="Cookie", value=saml_cookie);
h.addParam (type="body", value='<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sic="http://nova.voev.ch/kontrolle/1.6.0/sicherheitselemente"> <soapenv:Header/> <soapenv:Body> <sic:sicherheitselementPingRequest/> </soapenv:Body> </soapenv:Envelope>');

result = h.send().getPrefix();
---

When you use a tool like Fiddler to intercept SSL and see what is going on, you inspect that cookie and see this difference (the red parts show that %0A is no longer there):

---
SAML-Ticket=%3Csaml2%3AAssertion+Version%3D%222.0%22+ID%3D%22SAML-afb7ce33-11c0-40fa-8ed6-acfb070f5b01%22+IssueInstant%3D%222018-03-19T13%3A19%3A14Z%22+xmlns%3Asaml2%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%3Csaml2%3AIssuer%3ESBB-WSG-TEST%3C%2Fsaml2%3AIssuer%3E%3CSignature+xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E%3CSignedInfo%3E++%3CCanonicalizationMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2FTR%2F2001%2FREC-xml-c14n-20010315%22%2F%3E++%3CSignatureMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1%22%2F%3E++%3CReference+URI%3D%22%23SAML-afb7ce33-11c0-40fa-8ed6-acfb070f5b01%22%3E++++%3CTransforms%3E++++++%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23enveloped-signature%22%2F%3E++++++%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2FTR%2F2001%2FREC-xml-c14n-20010315%22%2F%3E++++%3C%2FTransforms%3E++++%3CDigestMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23sha1%22%2F%3E++++%3CDigestValue%3Ermc17n90iP74fIMgugaysiRgedc%3D%3C%2FDige
---


As you see, the %0A are stripped out … there is ABSOLUTELY NO REASON why CF does this.

Since the whole cookie is digitally signed, I cannot use this cookie to authenticate because it is broken ... the ping SOAP request therefore gets a 403 Forbidden.

I have tried tons of variants to preserve the cookie value. It is not the value itself, it is definitely the assignment.



---
h.addParam (type="header", name="Cookie", value=saml_cookie);
---


I assume that it does that to all headers because in the HTTP header section there should be no LF ... but here it is escaped! Looks as if there is a bug in the validation code.

By April, I need to have a solution to this.

Please confirm receipt of this bug report and advise.

PS: Just to let you know: it IS CF's fault, since SOAP-UI, also based on Java, does not show this silly behavior.

Any hints and work-arounds greatly welcome ...

Attachments:

Comments:

As I use FW/1 ... use this to repro it. Feed any empty structure to ping_SBB() below.

---
public struct function SBB_Login ( rc ) {
    var l = {};
    l.h = new http ( Charset = "utf-8", Method = "GET", URL = "https://nova-test-ws.sbb.ch/login");
    l.h.addParam (type="header", name="Authorization", value="Basic bm92YV9tZ2JfYXBwX3Rlc3Q6NzB4WTBIRE9nSkFYakl2dzgzdHk=");
    l.result = l.h.send().getPrefix();
    return l.result;
}

public struct function SBB_Ping ( rc ) {
    var l = {};
    l.soap = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sic="http://nova.voev.ch/kontrolle/1.6.0/sicherheitselemente"> <soapenv:Header/> <soapenv:Body> <sic:sicherheitselementPingRequest/> </soapenv:Body> </soapenv:Envelope>';
    l.h = new http ( Charset = "utf-8", Method = "POST", URL = "https://nova-test-ws.sbb.ch/kontrolle/1.6/sicherheitselementservice");
    l.h.addParam (type="header", name="Content-Type", value="text/xml;charset=utf-8");
    l.h.addParam (type="header", name="Cookie", value=rc.sbb.saml_cookie);
    l.h.addParam (type="body", value=l.soap);
    l.result = l.h.send().getPrefix();
    return l.result;
}

public boolean function ping_SBB ( rc ) {
    var l = { res = false };
    l.login = SBB_Login (rc);
    if (l.login.StatusCode contains "200") {
        rc.sbb.saml_cookie = l.login.ResponseHeader["Set-Cookie"];
        l.ping = SBB_Ping (rc);
    }
    return l.res;
}
---
Comment by Martin B.
47 | March 23, 2018 11:50:54 AM GMT
Sorry, I cannot delete my previous comment ... Here is complete standalone code ... please note the HTTP code of 403 for SBB_Ping.

---
<cfscript>
rc = {};

// Step 1: GET /login with Basic auth; the response carries the SAML-Ticket cookie
public struct function SBB_Login ( rc ) {
    var l = {};
    l.h = new http (
        Charset = "utf-8",
        Method  = "GET",
        URL     = "https://nova-test-ws.sbb.ch/login"
        //, ProxyPort = 8888,
        // ProxyServer = "127.0.0.1"
    );
    l.h.addParam (type="header", name="Authorization", value="Basic bm92YV9tZ2JfYXBwX3Rlc3Q6NzB4WTBIRE9nSkFYakl2dzgzdHk=");
    l.result = l.h.send().getPrefix();
    return l.result;
}

// Step 2: POST the SOAP ping, sending the captured cookie back; answers 403 when the cookie arrives without its %0A
public struct function SBB_Ping ( rc ) {
    var l = {};
    l.soap = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sic="http://nova.voev.ch/kontrolle/1.6.0/sicherheitselemente"> <soapenv:Header/> <soapenv:Body> <sic:sicherheitselementPingRequest/> </soapenv:Body> </soapenv:Envelope>';
    l.h = new http (
        Charset = "utf-8",
        Method  = "POST",
        URL     = "https://nova-test-ws.sbb.ch/kontrolle/1.6/sicherheitselementservice"
        //, ProxyPort = 8888,
        // ProxyServer = "127.0.0.1"
    );
    l.h.addParam (type="header", name="Content-Type", value="text/xml;charset=utf-8");
    l.h.addParam (type="header", name="Cookie", value=rc.sbb.saml_cookie);
    l.h.addParam (type="body", value=l.soap);
    l.result = l.h.send().getPrefix();
    return l.result;
}

// Driver: log in, keep the Set-Cookie value in rc.sbb, then ping
public boolean function ping_SBB ( rc ) {
    var l = { res = false };
    l.login = SBB_Login (rc);
    if (l.login.StatusCode contains "200") {
        rc.sbb.saml_cookie = l.login.ResponseHeader["Set-Cookie"];
        l.ping = SBB_Ping (rc);
    }
    return l.res;
}

ping_SBB (rc);
writeDump (var=rc.sbb);
</cfscript>
---
Comment by Martin B.
48 | March 23, 2018 02:51:09 PM GMT
Bug was confirmed in https://forums.adobe.com/message/10264980#10264980
Comment by Martin B.
49 | March 24, 2018 03:29:42 PM GMT
The fix for this will introduce a security vulnerability. %0A and %0D are removed to protect against CRLF attacks. This is as designed.
Comment by Poonam J.
29437 | August 07, 2018 04:00:05 AM GMT
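The thread turns on two things that look alike but are not: a raw CR or LF byte inside a header value, which is what a CRLF / header-injection attack needs, and the percent-encoded text `%0A`, which is three printable bytes that no HTTP parser decodes. The example below is added here and is neither the reporter's code nor ColdFusion's; it is written in Python rather than CFML so that it runs stand-alone. It validates header values by rejecting raw control bytes (the RFC 7230 field-value rule) instead of rewriting them, so a signed value like the SAML-Ticket cookie passes through intact while an injected CRLF is refused. The `strip_encoded_newlines` function is only a model of the behaviour the report observed, an assumption about the effect and not ColdFusion's actual code; the sample cookie and the injected value are constructed. The `cookie_pair_from_set_cookie` helper adds the RFC 6265 point that only the `name=value` pair of a Set-Cookie header, not its attributes, belongs in a Cookie request header.

```python
"""Added example (not code from the bug report or from ColdFusion).

Separates a raw CR/LF in a header value, which is what a CRLF / header
injection attack needs, from the percent-encoded text "%0A", which is three
printable bytes that an HTTP parser never decodes. Header values are
validated by rejecting raw control bytes, not by rewriting them.
"""
import re
from typing import Dict

# RFC 7230 field-value: VCHAR / SP / HTAB / obs-text. CR, LF, NUL, the other
# C0 controls (except HTAB) and DEL are never valid inside a value.
_FORBIDDEN_IN_FIELD_VALUE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


class HeaderInjection(ValueError):
    """Raised instead of silently rewriting a header value."""


def check_header_value(value: str) -> str:
    """Return value unchanged if it contains no raw control byte, else raise.

    Rejecting keeps signed payloads intact and makes an injection attempt
    visible to the caller; stripping would hide it and corrupt the data.
    """
    m = _FORBIDDEN_IN_FIELD_VALUE.search(value)
    if m:
        raise HeaderInjection(
            f"control byte 0x{ord(m.group()):02x} at offset {m.start()}")
    return value


def strip_encoded_newlines(value: str) -> str:
    """Model of the behaviour the report observed (an assumption about the
    effect, not ColdFusion's own code): delete the substrings '%0A' and '%0D'.
    This corrupts percent-encoded payloads and does not touch a raw LF."""
    return value.replace("%0A", "").replace("%0D", "")


def serialize_headers(headers: Dict[str, str]) -> bytes:
    """Write validated headers in wire form (CRLF-separated, blank line at end)."""
    lines = [f"{name}: {check_header_value(value)}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def cookie_pair_from_set_cookie(set_cookie: str) -> str:
    """Keep only 'name=value' from a Set-Cookie header (RFC 6265 section 4.1.1).

    Attributes such as Path or HttpOnly describe the cookie to the client and
    must not be echoed back in the Cookie request header."""
    return set_cookie.split(";", 1)[0].strip()


# Constructed sample shaped like the report's cookie: a percent-encoded XML
# signature fragment containing literal "%0A" (encoded newlines), shortened.
SAMPLE_SET_COOKIE = (
    "SAML-Ticket=%3CSignature%3E%0A%3CSignedInfo%3E%0A++%3CDigestValue%3Ermc17%3C%2FDigestValue%3E"
    "; Path=/; HttpOnly"
)

# Constructed attacker input: a raw CRLF followed by a forged header line.
INJECTED_VALUE = "x=1\r\nX-Injected: yes"


def build_cookie_header(set_cookie: str) -> Dict[str, str]:
    """Turn a captured Set-Cookie value into the Cookie header to send back."""
    return {"Cookie": check_header_value(cookie_pair_from_set_cookie(set_cookie))}


def demo() -> Dict[str, object]:
    pair = cookie_pair_from_set_cookie(SAMPLE_SET_COOKIE)
    wire = serialize_headers(build_cookie_header(SAMPLE_SET_COOKIE))
    out = {
        "pair": pair,
        # the strict check leaves %0A in place, so the signed value is intact
        "strict_keeps_percent_0a": b"%0A" in wire,
        # the stripping model changes the value, which breaks the signature
        "strip_corrupts": strip_encoded_newlines(pair) != pair,
        # ...and would not stop a raw LF, the byte that actually splits headers
        "strip_misses_raw_lf": "\n" in strip_encoded_newlines(INJECTED_VALUE),
    }
    try:
        serialize_headers({"Cookie": INJECTED_VALUE})
        out["injection_rejected"] = False
    except HeaderInjection:
        out["injection_rejected"] = True
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it directly to see the five checks: the `name=value` pair extracted from the constructed Set-Cookie, that `%0A` survives on the wire under the strict check, that the stripping model alters the value, that the same model leaves a raw LF untouched, and that the strict check refuses the injected CRLF outright.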