Forum Discussion
boneyard
May 07, 2012 (MVP)
iRule code injection / input validation
I'm wondering about code injection within iRules. If the rule uses input which the user can determine, there is usually some risk, but how well or badly do iRules / TCL handle this? Could I, for example, escape a match class command and run code somehow, or always pass an if statement if I don't do input validation (check if "bad characters" are used)?
Does anyone protect their code against this, and if so, how?
hooleylist (Cirrostratus)
I think the worst a malicious user could do is force a reset of their own connection through injection. I tried testing by injecting TCL meta-characters in the Host header with an iRule that checks the host header value against a data group or string. The worst I could do is cause a runtime TCL error. Do you have any specific examples you're concerned about?

    when HTTP_REQUEST {
        # Log the raw Host value between pipes so injected characters are visible
        log local0. "\[HTTP::host\]: \|[HTTP::host]\|"
        if {[HTTP::host] starts_with "test"} {
            pool http_1_pool
            log local0. "matched"
        } else {
            HTTP::respond 200 content "No match"
            log local0. "no match"
        }
        # Build the class match as a string and eval it, so the Host value is
        # fetched at eval time and the result is compared against the data group
        set cmd "\[class match \[HTTP::host\] starts_with string_dg\]"
        set match [eval $cmd]
        log local0. "match? $match"
        # Same lookup as a direct command, for comparison
        set match [class match [HTTP::host] starts_with string_dg]
        log local0. "match? $match"
    }
    when LB_SELECTED {
        log local0. "selected [LB::server]"
    }
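An added example, not code from either post: plain Tcl that runs under tclsh and reproduces the eval pattern from the reply above outside of a BIG-IP. The variable `host` stands in for `[HTTP::host]`, the proc `class_match` stands in for `class match` against a data group, and the hostile Host value and the `has_tcl_meta` helper are constructed here for the demonstration. It shows the one way user input does get re-parsed in Tcl (interpolating the value into a script string that is then passed to `eval` or to an unbraced `if`/`expr`), and the two constructions that never re-parse it.

```tcl
# Added example (not code from the thread).  Plain Tcl for tclsh, emulating
# the iRule pattern above: $host stands in for [HTTP::host] and the proc
# class_match stands in for "class match" against a string data group.

# Constructed stand-in for a string data group lookup.
proc class_match {value op dg} {
    foreach entry $dg {
        if {$op eq "starts_with" && [string first $entry $value] == 0} {
            return 1
        }
    }
    return 0
}
set string_dg {test staging}

# Constructed hostile input: a Host value carrying Tcl metacharacters.
set host {test[set injected 1]}

# 1. Unsafe: the value is interpolated into a script string and eval
#    re-parses that string, so the brackets inside $host run as a command.
set injected 0
set cmd "class_match $host starts_with {$string_dg}"
set match [eval $cmd]
puts "unsafe:  match=$match injected=$injected"

# 2. Safe: build the command with list, which quotes each argument so the
#    value is passed as one literal word no matter what it contains.
set injected 0
set cmd [list class_match $host starts_with $string_dg]
set match [eval $cmd]
puts "list:    match=$match injected=$injected"

# 3. Safer still: no eval at all.  A direct call never re-parses the value.
#    This is also why the escaped-bracket form in the reply above is safe:
#    [HTTP::host] is expanded once, as an argument, not as script.
set injected 0
set match [class_match $host starts_with $string_dg]
puts "direct:  match=$match injected=$injected"

# Same rule for conditions: always brace expressions.  An unbraced
# if "$host eq {test}" would substitute $host into the expression string
# before expr parses it; the braced form below is parsed exactly once.
if {[string match {test*} $host]} {
    puts "braced if matched without re-parsing the value"
}

# Optional belt-and-braces check if a value must never reach a re-parsing
# command: reject Tcl metacharacters instead of trying to escape them.
proc has_tcl_meta {s} {
    return [regexp {[][$\\{};]} $s]
}
puts "has_tcl_meta: [has_tcl_meta $host]"
```

Running it, only step 1 flips `injected` to 1; steps 2 and 3 leave it at 0 while still returning the same match result, which is the practical answer to the original question: the exposure comes from constructing script text out of request data, not from the `class match` or `if` commands themselves, so the fix is to keep values as arguments (direct calls, `list`, braced expressions) rather than to hunt for bad characters.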