Cisco 7940 HTTP File Error, Cookies and Laravel

The legacy 7940s have not had SCCP firmware released in a good number of years, and recently I’ve come across a bug in the latest version.

When running a custom XML service hosted on an external webserver, such as a weather script or similar, the phone will display “HTTP File Error” if the server sets any cookie on the response.

In my specific scenario, my Laravel 5.3 application was returning both a laravel_session and an XSRF-TOKEN cookie on every HTTP GET. Every time the phone requested the service, these cookies came back with the response and the phone displayed the error. Interestingly, newer model phones like the 8945 and 9951 don’t have an issue at all.

These cookies are very much needed for modern web security, but for a simple XML page they are definitely not needed. Laravel 5 has provisions for disabling CSRF protection in the VerifyCsrfToken middleware; however, these only stop the verification of CSRF tokens, not the setting of the XSRF-TOKEN cookie, as can be seen here: https://laracasts.com/discuss/channels/laravel/excluding-uri-from-csfr-protection-not-working?page=1

After a lot of trial and error manipulating different parts of the middleware kernel, route groups, drivers etc., I’ve settled on this modification to the VerifyCsrfToken middleware. With this modification, any request whose path matches a URI in the $except array is exempt from CSRF checks and gets neither the laravel_session cookie nor the XSRF-TOKEN cookie. Anything that does not match gets the XSRF-TOKEN generated and continues with the default session driver, meaning that the laravel_session cookie gets built. The only thing that I do not like about this method is that I had to copy the Cookie() construction from addCookieToResponse in the original VerifyCsrfToken in vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware. This carries the possibility that the logic behind creating the cookie will be changed in the future and that my function won’t be up to date, but for now it works well. Below is my VerifyCsrfToken code.


<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
use Illuminate\Support\Str;
use Symfony\Component\HttpFoundation\Cookie;
use Carbon\Carbon;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * The URIs that should be excluded from CSRF verification.
     * Matching requests also receive neither the XSRF-TOKEN nor the
     * laravel_session cookie (see addCookieToResponse below).
     *
     * @var array
     */
    protected $except = [
        'services/phone/ip'
    ];

    protected function addCookieToResponse($request, $response)
    {
        $config = config('session');

        // Test every excluded pattern before deciding; returning from an
        // else branch inside the loop would only ever check the first entry.
        foreach ($this->except as $except) {
            if (Str::is($except, $request->path())) {
                // Switching the driver to 'array' before StartSession's
                // post-processing runs suppresses the laravel_session cookie.
                \Config::set('session.driver', 'array');
                return $response;
            }
        }

        // Not excluded: issue the XSRF-TOKEN cookie exactly as the base
        // middleware does (copied from the framework's addCookieToResponse).
        $response->headers->setCookie(
            new Cookie(
                'XSRF-TOKEN', $request->session()->token(), Carbon::now()->getTimestamp() + 60 * $config['lifetime'],
                $config['path'], $config['domain'], $config['secure'], false
            )
        );

        return $response;
    }
}


If anyone knows of a better way to include the cookie generation inside of the middleware, hit me up! For reference, these links provided lots of insight.
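One way to avoid copying the Cookie() construction is to let the base class build XSRF-TOKEN and only short-circuit for the exempt URIs. This is an added example, not the post’s own code; it assumes that in Laravel 5.3 the base VerifyCsrfToken exposes its $except matcher as shouldPassThrough() (later releases renamed it inExceptArray()), and that parent::addCookieToResponse() remains a protected method with the same signature.

```php
<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * URIs exempt from CSRF verification. With the override below, matching
     * requests also receive neither the XSRF-TOKEN nor the laravel_session
     * cookie. Patterns use the same wildcard syntax as Request::is(), so an
     * entry like 'services/phone/*' covers a whole phone-services tree.
     *
     * @var array
     */
    protected $except = [
        'services/phone/ip',
    ];

    /**
     * Skip cookie generation for exempt URIs; defer to the framework for
     * everything else so the cookie attributes stay in sync with upgrades.
     *
     * Assumption: shouldPassThrough() is the base class's $except matcher in
     * this release and reuses the same trimming rules as the CSRF check.
     */
    protected function addCookieToResponse($request, $response)
    {
        if ($this->shouldPassThrough($request)) {
            // Switching the driver to 'array' before StartSession's
            // post-processing runs stops it from emitting laravel_session;
            // the array driver also never persists the session server-side.
            config(['session.driver' => 'array']);

            return $response;
        }

        // Let the framework build XSRF-TOKEN (lifetime, path, domain,
        // secure flag) rather than duplicating that logic here.
        return parent::addCookieToResponse($request, $response);
    }
}
```

After deploying, verify with a plain HTTP client that a GET to the phone service URL carries no Set-Cookie header at all, while an ordinary page still returns both cookies.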

https://laracasts.com/discuss/channels/laravel/excluding-uri-from-csfr-protection-not-working?page=1

https://laracasts.com/discuss/channels/laravel/verifycsrftoken-except-subdomain?page=1

https://laracasts.com/discuss/channels/general-discussion/l5-disable-csrf-middleware-on-certain-routes?page=1

https://laracasts.com/discuss/channels/general-discussion/l5-avoiding-csrf-middleware-on-api-post-routes?page=2

https://stackoverflow.com/questions/28624807/disable-cookie-header-when-responding-json
