Forum Discussion

David_Sherman_2
Oct 31, 2006

Header sanitize

The following iRule was working.

    when HTTP_REQUEST {
        set OrgAdr [IP::remote_addr]:[TCP::remote_port]
        set DestServer [IP::local_addr]
        HTTP::header sanitize Host + Content-Type + Content-Length + Authorization
        HTTP::header insert Server $DestServer
        HTTP::header insert OriginalClientAddress $OrgAdr
    }

After modifying a different iRule it stopped working and I get the error listed below:

    TCL error: Rule Tandem_Filter_URI_Header - Operation not supported (line 4) invoked from within "HTTP::header sanitize Host + Content-Type + Content-Length + Authorization"

Is it the - (dash) in the Content-Type header that is the problem?

3 Replies

  • Colin_Walker_12
    Historic F5 Account
    All you should need is a single string argument to the sanitize command.

    Such as:

    when HTTP_REQUEST {
      set OrgAdr [IP::remote_addr]:[TCP::remote_port]
      set DestServer [IP::local_addr]
      # one string argument listing the headers to keep; everything else is dropped
      HTTP::header sanitize "Host Content-Type Content-Length Authorization"
      HTTP::header insert Server $DestServer
      HTTP::header insert OriginalClientAddress $OrgAdr
    }

    HTH,

    Colin
  • Along the lines of this question, I have a problem I am trying to solve. "HTTP::header remove" and "HTTP::header replace" appear to only be designed to remove the last occurrence of a given header, but a malicious person could pass multiple of the same header to thwart the removal/replacement.

    Does header sanitize dutifully remove ALL headers except those explicitly listed?

    An example:

    Assuming you have an iRule that plucks data from the session (SSL data?) and places it into a header to pass to the backend (iRule is configured to affect the "server instance"), what happens if the end-user/client sends the same intended header with a falsified value -- use a legit client SSL cert to terminate the connection on the F5, then spoof the header containing the SSL session data to perform an action as another user?

    Answer: Bad things. The end-user/client could overwrite or spoof other data. The solution would *seem* to be to use "HTTP::header replace []", but it only replaces the last occurrence of that header, not ALL occurrences!

    I'm sure I'm missing something simple on how to wipe out all client-supplied occurrences with an appropriate iRule applied to the "client instance."
  • Deb_Allen_18
    Historic F5 Account
    One of my customers is using code like this to remove/replace inbound headers (not tested by me personally, but I believe they have verified that it removes multiple instances of the same header):
       when HTTP_REQUEST {
          # strip all instances of existing headers: each HTTP::header remove
          # takes out one occurrence, so loop until none is left
          foreach header {Header1 Header2 Header3} {
             while { [HTTP::header exists $header] } {
                HTTP::header remove $header
             }
          }
          # only now insert the value the backend is meant to trust
          HTTP::header insert Header1 Value
       }
    HTH

    /deb
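The duplicate-header spoof raised two posts up, and the strip-all loop in Deb's reply that defeats it, modelled in Python as an added example (this is not code from the thread or from F5, and it is not an iRule): a request's header block is a list of (name, value) pairs, `remove_last` stands in for the single-occurrence behaviour the poster attributes to HTTP::header remove/replace, and `remove_all` for the `while { [HTTP::header exists ...] }` loop. The header name X-Client-Cert-Subject, the sample request and the assumption that the backend reads the first occurrence of a header are all constructed for the illustration.

```python
# Added illustration for this thread (not F5 or iRule code): a plain-Python
# model of a request's header block, used to show why removing only the
# last occurrence of a header leaves a client-smuggled copy in place, and
# why stripping every occurrence before inserting does not.  The header
# name X-Client-Cert-Subject and the sample request are assumptions
# constructed for the demonstration.
from typing import List, Optional, Tuple

Header = Tuple[str, str]

TRUSTED_HEADER = "X-Client-Cert-Subject"   # assumed name, not from the thread

# Constructed sample: a client holding a valid cert for CN=alice also sends
# the proxy-owned header twice (once in different case), so that a single
# remove leaves one spoofed copy behind.
SPOOFED_REQUEST: List[Header] = [
    ("Host", "app.example.test"),
    ("X-Client-Cert-Subject", "CN=admin"),
    ("x-client-cert-subject", "CN=admin"),
    ("Content-Length", "0"),
]


def remove_last(headers: List[Header], name: str) -> List[Header]:
    """Drop only the last occurrence of `name` (the behaviour the post
    attributes to HTTP::header remove / replace).  Header names compare
    case-insensitively, as they do in HTTP."""
    out = list(headers)
    for i in range(len(out) - 1, -1, -1):
        if out[i][0].lower() == name.lower():
            del out[i]
            break
    return out


def remove_all(headers: List[Header], name: str) -> List[Header]:
    """Drop every occurrence of `name`: the effect of looping
    `while { [HTTP::header exists $h] } { HTTP::header remove $h }`."""
    return [h for h in headers if h[0].lower() != name.lower()]


def rewrite_naive(headers: List[Header], name: str, value: str) -> List[Header]:
    """Remove the last copy, then append the proxy's value."""
    return remove_last(headers, name) + [(name, value)]


def rewrite_strict(headers: List[Header], name: str, value: str) -> List[Header]:
    """Remove every client-supplied copy, then append the proxy's value."""
    return remove_all(headers, name) + [(name, value)]


def backend_values(headers: List[Header], name: str) -> List[str]:
    """All values the backend would see for `name`, in wire order."""
    return [v for k, v in headers if k.lower() == name.lower()]


def backend_identity(headers: List[Header], name: str) -> Optional[str]:
    """Assumed backend behaviour: act on the first occurrence of the header.
    Such a backend is fooled whenever a spoofed copy precedes the proxy's."""
    vals = backend_values(headers, name)
    return vals[0] if vals else None


if __name__ == "__main__":
    proxy_value = "CN=alice"   # what the proxy extracted from the client cert
    naive = rewrite_naive(SPOOFED_REQUEST, TRUSTED_HEADER, proxy_value)
    strict = rewrite_strict(SPOOFED_REQUEST, TRUSTED_HEADER, proxy_value)
    print("naive rewrite :", backend_values(naive, TRUSTED_HEADER),
          "-> backend acts as", backend_identity(naive, TRUSTED_HEADER))
    print("strict rewrite:", backend_values(strict, TRUSTED_HEADER),
          "-> backend acts as", backend_identity(strict, TRUSTED_HEADER))
```

The strict rewrite has to run on the client-facing side, before the proxy's own insert, and it matches header names case-insensitively, so a spoofed copy sent in different case is removed as well. Whether a particular backend honours the first or the last occurrence of a repeated header varies, which is exactly why no client-supplied copy should be allowed to survive at all.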