Use of <Query> in RequestMap causes POST data to be lost
Description
Activity
Scott Cantor September 29, 2011 at 4:11 AM
An extended fix for this is checked in for 2.5 that re-enables query string support on all request methods.
Scott Cantor January 12, 2011 at 12:08 PM
Fix for now:
http://svn.middleware.georgetown.edu/view/cpp-sp?view=rev&revision=3391
Since it's breaking most uses of POST anyway and won't process query string data included with one now, not processing those rules on a POST seems relatively risk free.
I'll open an RFE to fix up the CGI parser and API to get this working more cleanly.
Lukas Hämmerle January 12, 2011 at 10:25 AM
Exactly, the POST data is not available anymore in the PHP application although I see that it's being transmitted by the browser and Apache also logs:
localhost - https://aai-logon.switch.ch/idp/shibboleth!https://maclh.switch.ch/shibboleth!26662bf3-f15e-418e-89f4-467788ff650b [12/Jan/2011:16:17:51 +0100] "POST /aai/?pi=papo HTTP/1.1" 200 20320
Using Firefox HTTP Live Headers, the request and response look like:
POST /aai/?pi=papo HTTP/1.1
Host: maclh.switch.ch
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 19
Cookie: _saml_sp=aHR0cHM6Ly9tYWNsaC5zd2l0Y2guY2gvc2hpYmJvbGV0aA%3D%3D; _saml_idp=aHR0cHM6Ly9hYWktbG9nb24uc3dpdGNoLmNoL2lkcC9zaGliYm9sZXRo; _shibsession_64656661756c7468747470733a2f2f6d61636c682e7377697463682e63682f73686962626f6c657468=_8ba479ea86ee719289bb02c59f98267b
X-Behavioral-Ad-Opt-Out: 1
X-Do-Not-Track: 1
Pragma: no-cache
Cache-Control: no-cache

foo=bar&action=test

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 15:22:03 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8l DAV/2 PHP/5.3.3
X-Powered-By: PHP/5.3.3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
As you suspected, the request seems chunked.
Scott Cantor January 12, 2011 at 9:53 AM
When you say lost, you mean it's not available once the application gets control? That fits, I don't have any way to distinguish GET vs POST parameters, so when it parses the "query" it consumes the post data as a side effect. Might depend on whether posts are chunked or buffered based on the content size.
When using a <Query> element in the RequestMap as described in https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapQuery it seems that any HTTP POST (and maybe also PUT) data is lost even though the user already has a Shibboleth session. I could reproduce this problem on two different systems. HTTP GET is working just fine.
When the <Query> element is removed again from RequestMap, HTTP POST data is accepted and available again.
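The side effect discussed in the comments above, as an added example that is not Shibboleth SP code: a parameter parser that cannot tell GET from POST parameters drains the one-shot request body, while query-only evaluation leaves it for the application. `Request`, `parseMerged` and `parseQueryOnly` are hypothetical names, and the parser behaviour is an assumed model of what the comments describe.

```cpp
#include <iostream>
#include <iterator>
#include <map>
#include <sstream>
#include <string>
#include <utility>

using Params = std::map<std::string, std::string>;

// Hypothetical request model: the body is a one-shot stream, like the server's input.
struct Request {
    std::string method, query;
    std::istringstream body;
    Request(std::string m, std::string q, std::string b)
        : method(std::move(m)), query(std::move(q)), body(std::move(b)) {}
};

// Read whatever is left in the stream; a second call returns "".
static std::string drain(std::istream& in) {
    return std::string(std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>());
}

// Split "a=1&b=2" into a map (no URL decoding, enough for the illustration).
static Params parsePairs(const std::string& s) {
    Params out;
    std::istringstream in(s);
    for (std::string kv; std::getline(in, kv, '&');) {
        if (kv.empty()) continue;
        auto eq = kv.find('=');
        out[kv.substr(0, eq)] = eq == std::string::npos ? "" : kv.substr(eq + 1);
    }
    return out;
}

// Assumed model of a CGI-style parser with no GET/POST distinction:
// on POST it takes its parameters from the form body, consuming it.
Params parseMerged(Request& r) {
    return parsePairs(r.method == "POST" ? drain(r.body) : r.query);
}

// Query-only evaluation: reads the URL's query string, never the body.
Params parseQueryOnly(const Request& r) { return parsePairs(r.query); }

int main() {
    Request a("POST", "pi=papo", "foo=bar&action=test");  // values from the capture above
    Request b("POST", "pi=papo", "foo=bar&action=test");
    parseMerged(a);
    parseQueryOnly(b);
    std::cout << "merged parser leaves:     \"" << drain(a.body) << "\"\n"
              << "query-only parser leaves: \"" << drain(b.body) << "\"\n";
}
```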