Forum Discussion

Vadym_Chepkov's avatar
Vadym_Chepkov
Icon for Nimbostratus rankNimbostratus
Mar 05, 2021

How to preserve HTTP headers for HTTP::respond

I need to preserve HTTP headers for HTTP::respond, I tried the following approach when HTTP_RESPONSE { if {[HTTP::has_responded]} {return} catch { unset hdrs } foreach header [HTTP::header ...
application delivery
iRules
Vadym_Chepkov's avatar
Vadym_Chepkov
Icon for Nimbostratus rankNimbostratus
Mar 08, 2021

Thank you,  , it helped. Is it enough to put $hdrs in curly braces to avoid TCL injection ?

Or maybe append HTTP::respond statement with an additional header? Article doesn't provide detailed recommendation how to protect from malicious input.

Also, I solved the problems of quoting by converting $hdrs to a list, i.e.

    set headers {}
 
    foreach header [HTTP::header names] {
        lappend headers $header [HTTP::header value $header]
    }

Thanks,

Vadym

  • Simon_Blakely's avatar
    Simon_Blakely
    Icon for Employee rankEmployee
    Mar 08, 2021

    >Is it enough to put $hdrs in curly braces to avoid TCL injection ?

    No - that just makes {$hrds} a single parameter with spaces in it.

    I suspect you need to individually wrap each element (the headers and the values) in curly braces prior to the eval

    So you end up doing an eval on

    HTTP::respond 301 -version auto {header1} {header1_value} {header2} {header2_value} ...

    That prevents eval from further expanding the strings in the curly braces.

    But I don't really get TCL injection either - I know it is possible via unsanitized input, and eval is a common problem, and curly braces help, but I still struggle with it.