For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mahnsc's avatar
mahnsc
Icon for Nimbostratus rankNimbostratus
Mar 22, 2013

switch -glob (or -regexp) for multiple directories

I have some URLs that I want to match in a switch statement and I'm having trouble matching those cases where multple slashes appear before the uri name. For example:

 

  1. /uri
  2. //uri
  3. ////uri
  4. /completely/valid/uri

My existing switch -glob used a pattern like this: */uri*

 

This turned out to be way too liberal in that even though it matched the first three entries in my list, it would also match the fourth, which I do not want. The fourth item is a completely valid application path that just so happens to have a directory name that is the same as the entry I want to restrict at a higher level.

 

I'm wondering if there is a glob I should be using that will match what I am looking to match or if I need to consider using switch -regexp instead. I've read that there are cpu concerns using -regexp, so it would be nice to not have to go there if I don't need to. If I do go the -regexp route, should an expression like "\B/+uri" work?

 

 

application delivery
dev
devops
iRules

2 Replies

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Mar 22, 2013
    sorry i may be lost but can't we just check double slash (//) or more?

    e.g. 

    [root@ve10:Active] config  b rule myrule list
rule myrule {
   when HTTP_REQUEST {
        switch -glob [HTTP::path] {
                "/uri" -
                "//*" { log local0. "[HTTP::path] is rejected"; reject }
                default { log local0. "[HTTP::path] is allowed" }
        }
}
}

[root@ve10:Active] config  cat /var/log/ltm
Mar 23 07:06:24 local/tmm info tmm[4950]: Rule myrule : / is allowed
Mar 23 07:06:27 local/tmm info tmm[4950]: Rule myrule : /uri is rejected
Mar 23 07:06:29 local/tmm info tmm[4950]: Rule myrule : //uri is rejected
Mar 23 07:06:33 local/tmm info tmm[4950]: Rule myrule : ///uri is rejected
Mar 23 07:06:47 local/tmm info tmm[4950]: Rule myrule : /completely/valid/uri is allowed
  • mahnsc's avatar
    mahnsc
    Icon for Nimbostratus rankNimbostratus
    Mar 23, 2013

    Thanks for responding! This is helpful and looks like it would account for all cases except where some developers may inadvertently utilize double paths in their code, although I do recognize that it wasn't listed as one of the four items in the original post. I do have some sites I support where automatically generated URLs from the app server have double slashes in their paths. (i.e. //completely//valid//uri// would fail using a pattern of " //* ") As I said though, this is helpful...I just do not know if I can use it globally across all my sites.

     

    Does anyone happen to have more experience on the cpu issues with switch -regexp? How bad is it? The regular expression " ^/+uri " seems to cover all my bases, although I have not yet tested all combinations.