For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Matt_Breedlove_'s avatar
Matt_Breedlove_
Icon for Nimbostratus rankNimbostratus
May 17, 2014

Proc for fully decoding URI's

Hi All   Looking to fully sanitize URI's with a proc. Similar to what the irules codeshare FullyDecodeURI does (https://devcentral.f5.com/wiki/iRules.FullyDecodeUri.ashx) but in a proc   Im not...
nitass_89166's avatar
nitass_89166
Icon for Noctilucent rankNoctilucent
May 18, 2014

not sure if i understand correctly. you want to make FullyDecodeURI proc, don't you?

e.g.

 config

[root@ve11a:Active:In Sync] config  tmsh list ltm rule qux
ltm rule qux {
    proc decode_uri { uri max } {
  set cnt 0
  set tmpuri [URI::decode $uri]

  while { $uri ne $tmpuri && $cnt < $max } {
    set uri $tmpuri
    set tmpuri [URI::decode $uri]
    incr cnt
  }
  return $tmpuri
}
when HTTP_REQUEST {
  set uri [call decode_uri [HTTP::uri] 10]
  log local0. "URI=[HTTP::uri] decoded URI=$uri"
  HTTP::uri $uri
}
}

 /var/log/ltm

[root@ve11a:Active:In Sync] config  tail -f /var/log/ltm
May 17 21:01:51 ve11a info tmm[14715]: Rule /Common/qux : URI=/%20something%20bha%20bha%20bha decoded URI=/ something bha bha bha
Matt_Breedlove_'s avatar
Matt_Breedlove_
Icon for Nimbostratus rankNimbostratus
May 18, 2014
Hi Nitass...So I was thinking that constructs such as the LTM native irule command [URI::decode] were not available inside a proc since a proc does not have an event context requirement and so how could it reference an inflight HTTP request? So I thought that the TCL inside the proc was more stripped down to string level operations and not allowing all the same command availablity from the standard irules context inside a CLIENT_ACCEPT or HTTP_REQUEST event for example. Now that I think of it I am not sure why I assumed the language context inside the proc was more TCL native than outside the proc in the rest of an irule. As a result my plan was to essentially rewrite [URI::decode] natively with plain ole TCL inside the proc and specifically make sure it recursively decodes the inbound URL string fully or at least to my pre-planned iterative backstop with a cnt variable. URLs can be encoded with nesting several times and I want to make sure this is handled in every case to my planned limit. It is unfortunate that [URI::decode] doesn't solve the issue with nested encoded URL's more easily, not now it seems that maybe that command is more TCL than it is F5 in terms of irules and it is by design from the TCL perspective So bottom line, you are saying just move the regular irule portion of FullyDecodeURI from codeshare that uses a backstopped while loop and use the new Procedure functionality to have it declared just once and callable. Unless someone says "Oh, no you cannot use irules connection aware commands suchas [URI::decode] inside the proc you must work on it at the scalar string level with tcl string commands and handle all the exception cases with unicode and URL/Percent encoding that should be expected with some switch's." Then the decode command can just be used. Perhaps this is actually something native to TCL that irules reflects and I am just understanding it backwards? Related: What is the under the hood TCL that [URI::decode] runs on the string level to handle inbound strings? Does it change in terms of the rules followed to decode based on if an HTTP::query or HTTP::uri or HTTP::host is passed in