For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Sam_Hall's avatar
Sam_Hall
Icon for Nimbostratus rankNimbostratus
Dec 04, 2013

Serving any iFiles: sanitising user input

Here I'm developing a global iRule to be applied to all my websites. During an outage, the iRule will serve up an outage page along with any additional resources that may have been included and store...
application delivery
devops
iRules
uni's avatar
uni
Icon for Altocumulus rankAltocumulus
Dec 04, 2013

Maybe check the file name represents an ifile early. Then, as long as your ifile names are "sane", you'll have no issues.

if { [lsearch -exact [ifile listall] "$qrystr"] }
   ...
  • Sam_Hall's avatar
    Sam_Hall
    Icon for Nimbostratus rankNimbostratus
    Dec 04, 2013
    Thanks, certainly looks safer and it's a cleaner option than using the catch command. I'm happy with this solution since we have full control over the ifile names, and I assume there's not much risk of TCL interpreting them as anything other than strings anyway. I'm relatively new to TCL and started to worry that TCL injection might be a possibility. A quick search turned up only a couple options for sanity checking, either using regex (which is apparently inefficient) or using scan (which seemed pretty limited).