
BenT
Nov 12, 2013

ProxyPass V10 bug

I've noticed a bug in the way some stream rewrites are being done. If the replacement content is within a uri, this function will cut off the part before the matching string as described in the debug snippet below. I don't know enough to fix it, but it has to do with searching the entire URI for $host_serverside then assuming that must be at the beginning during the header replace function.

Checking Location=https://other.xx.xxx/?wtrealm=https%3a%2f%2fserverside.xx.xxx&wctx=rm, $protocol=https
Changing response header Location: https://other.xx.xxx/?wtrealm=https%3a%2f%2fserverside.xx.xxx&wctx=rm with https://clientside.xx.xxx&wctx=rm

# Fix Location, Content-Location, and URI headers
foreach header { "Location" "Content-Location" "URI"} {
    set protocol [URI::protocol [HTTP::header $header]]
    if { $static::ProxyPassDebug > 1 } {
        log local0. "$log_prefix: Checking $header=[HTTP::header $header], \$protocol=$protocol"
    }
    if {$protocol ne ""} {
        set server_path [findstr [HTTP::header $header] $host_serverside [string length $host_serverside]]
        if {$server_path starts_with $path_serverside} {
            if { $static::ProxyPassDebug } {
                log local0. "$log_prefix: Changing response header $header: [HTTP::header $header] with $protocol://$host_clientside$path_clientside[substr $server_path [string length $path_serverside]]"
            }
            HTTP::header replace $header $protocol://$host_clientside$path_clientside[substr $server_path [string length $path_serverside]]
        }
    }
}

3 Replies

  • BenT

    Sure. clientside.xx.xxx:=serverside.xx.xxx

  • Simon_Kowallik1
    Historic F5 Account

    Try with this code block:

    # Fix Location, Content-Location, and URI headers
    foreach header { "Location" "Content-Location" "URI"} {
        set protocol [URI::protocol [HTTP::header $header]]
        if { $static::ProxyPassDebug > 1 } {
            log local0. "$log_prefix: Checking $header=[HTTP::header $header], \$protocol=$protocol"
        }
        if {$protocol ne ""} {
            set server_path [findstr [HTTP::header $header] $host_serverside [string length $host_serverside]]
            if {$server_path starts_with $path_serverside} {
                if {[HTTP::header $header] starts_with "$protocol://$host_serverside"} {
                    if { $static::ProxyPassDebug } {
                        log local0. "$log_prefix: Changing response header $header: [HTTP::header $header] with $protocol://$host_clientside$path_clientside[substr $server_path [string length $path_serverside]]"
                    }
                    HTTP::header replace $header $protocol://$host_clientside$path_clientside[substr $server_path [string length $path_serverside]]
                } else {
                    if { $static::ProxyPassDebug } {
                        set hdr_rplc [string map "$host_serverside $host_clientside $path_serverside $path_clientside" [HTTP::header $header]]
                        log local0. "$log_prefix: Changing response header $header: [HTTP::header $header] with $hdr_rplc"
                        unset hdr_rplc
                    }
                    HTTP::header replace $header [string map "$host_serverside $host_clientside $path_serverside $path_clientside" [HTTP::header $header]]
                }
            }
        }
    }
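
The rewrite from the question and the one from the reply, modelled in Python as an added example (not code from either poster or from the ProxyPass iRule itself). `uri_protocol`, `findstr` and `string_map` are stand-ins for `URI::protocol`, `findstr` and `string map`, and the empty path values are an assumption chosen because they reproduce the logged output.

```python
from collections import namedtuple

# Constructed mapping; empty paths are an assumption that reproduces the logged output.
Mapping = namedtuple("Mapping", "host_client path_client host_server path_server")
M = Mapping("clientside.xx.xxx", "", "serverside.xx.xxx", "")

def uri_protocol(value):
    """Stand-in for URI::protocol: the scheme, or "" when there is none."""
    return value.split("://", 1)[0] if "://" in value else ""

def findstr(s, needle, skip=0):
    """Stand-in for iRules findstr: text from `skip` chars past the first match."""
    i = s.find(needle)
    return "" if i < 0 else s[i + skip:]

def string_map(pairs, s):
    """Stand-in for Tcl `string map`: single pass, first matching key wins."""
    out, i = [], 0
    while i < len(s):
        for old, new in pairs:
            if old and s.startswith(old, i):
                out.append(new)
                i += len(old)
                break
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def rewrite(value, anchored, m=M):
    """anchored=False: logic from the question; anchored=True: logic from the reply."""
    protocol = uri_protocol(value)
    # The host is searched for anywhere in the value, including the query string.
    server_path = findstr(value, m.host_server, len(m.host_server))
    if not protocol or not server_path.startswith(m.path_server):
        return value
    if not anchored or value.startswith(f"{protocol}://{m.host_server}"):
        return f"{protocol}://{m.host_client}{m.path_client}{server_path[len(m.path_server):]}"
    return string_map([(m.host_server, m.host_client), (m.path_server, m.path_client)], value)

# Location value from the debug output in the post, plus a constructed ordinary redirect.
EMBEDDED = "https://other.xx.xxx/?wtrealm=https%3a%2f%2fserverside.xx.xxx&wctx=rm"
DIRECT = "https://serverside.xx.xxx/app/login?x=1"

if __name__ == "__main__":
    for v in (EMBEDDED, DIRECT):
        print(v, rewrite(v, False), rewrite(v, True), sep="\n  ")
```

In this model the reply's logic keeps the redirect on `other.xx.xxx` and changes only the host embedded in `wtrealm`, while both versions produce the same result for a redirect that actually starts with the server-side host.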