For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Yozzer's avatar
Yozzer
Icon for Nimbostratus rankNimbostratus
Jun 27, 2012

Spaces in the machine

Hi

 

 

I have the following command that searches for "id" in the url and then performs an action if the id value is contained in the data group list:

 

 

if {[matchclass [string tolower [URI::query [HTTP::uri] id]] contains $::Portlet_ref]} {

 

 

 

However if i add a space (%20) before, in the middle or after the id value (%20id, i%20d and id%20) then it can be bypassed. This also happens if i add a space in the value (%20hello, He%20llo and hello%20)

 

 

How can i trim spaces from both the id parameter name and its value so that it wont be bypassed?

 

 

Thanks

 

 

application delivery
dev
devops
iRules

4 Replies

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 27, 2012
    is this applicable?

    by the way, do you know starting from 9.4.4 $:: prefix is no longer required to reference class object and it is cmp compatible?

    CMP Compatibility

    https://devcentral.f5.com/wiki/iRules.cmpcompatibility.ashx 

    [root@ve1024:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   rules myrule
   profiles {
      http {}
      tcp {}
   }
}
[root@ve1024:Active] config  b rule myrule list
rule myrule {
   when HTTP_REQUEST {
   log local0. "[HTTP::uri]"
   log local0. "[string map {%20 ""} [HTTP::uri]]"
   log local0. "[string tolower [URI::query [string map {%20 ""} [HTTP::uri]] id]]"
   if {[matchclass [string tolower [URI::query [string map {%20 ""} [HTTP::uri]] id]] contains $::Portlet_ref]} {
      log local0. "gotcha"
   } else {
      log local0. "not match"
   }
}
}
[root@ve1024:Active] config  b class Portlet_ref list
class Portlet_ref {
   "hello"
}

/var/log/ltm
Jun 26 22:58:29 local/tmm info tmm[4861]: Rule myrule : /test?id=%20he%20llo%20&temp=1234
Jun 26 22:58:29 local/tmm info tmm[4861]: Rule myrule : /test?id=hello&temp=1234
Jun 26 22:58:29 local/tmm info tmm[4861]: Rule myrule : hello
Jun 26 22:58:29 local/tmm info tmm[4861]: Rule myrule : gotcha
  • Yozzer's avatar
    Yozzer
    Icon for Nimbostratus rankNimbostratus
    Jun 27, 2012
    Thanks

     

     

    What needs to be done to also prevent spaces in the I'd name? (I%20d)
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 27, 2012
    What needs to be done to also prevent spaces in the I'd name? (I%20d)it already does since we use string map against HTTP::uri, all space (%20) will be removed.