
How to preserve HTTP headers for HTTP::respond

Vadym_Chepkov
Nimbostratus

I need to preserve HTTP headers for HTTP::respond. I tried the following approach:

 

when HTTP_RESPONSE {
    if {[HTTP::has_responded]} { return }
    catch { unset hdrs }
    foreach header [HTTP::header names] {
        lappend hdrs $header "[HTTP::header $header]"
    }
    log local0. "Headers: $hdrs"
    HTTP::respond 301 -version auto $hdrs
}

 

Headers appear properly in the log, but I don't receive them in the response; only Connection, Content-Length and Server are populated.

Don't see errors either. What did I miss?

Thanks,

Vadym

 

3 REPLIES

Simon_Blakely
F5 Employee

Vadym,

 

HTTP::respond does not allow variables to be expanded and evaluated in the context of the command execution.

You will need to use eval. However, this introduces the risk of a TCL injection vulnerability.

when HTTP_RESPONSE {
    if {[HTTP::has_responded]} { return }
    catch { unset hdrs }
    foreach header [HTTP::header names] {
        lappend hdrs $header "[HTTP::header $header]"
    }
    log local0. "Headers: $hdrs"
    eval HTTP::respond 301 -version auto $hdrs
}

You may also need to play with quoting the values.

Vadym_Chepkov
Nimbostratus

Thank you, it helped. Is it enough to put $hdrs in curly braces to avoid TCL injection?

Or maybe append the HTTP::respond statement with an additional header? The article doesn't provide a detailed recommendation on how to protect from malicious input.

Also, I solved the problems of quoting by converting $hdrs to a list, i.e.

set headers {}
foreach header [HTTP::header names] {
    lappend headers $header [HTTP::header value $header]
}

Thanks,

Vadym

> Is it enough to put $hdrs in curly braces to avoid TCL injection?

No - that just makes {$hdrs} a single parameter with spaces in it.

I suspect you need to individually wrap each element (the headers and the values) in curly braces prior to the eval.

So you end up doing an eval on

HTTP::respond 301 -version auto {header1} {header1_value} {header2} {header2_value} ...

That prevents eval from further expanding the strings in the curly braces.

 

But I don't really get TCL injection either - I know it is possible via unsanitized input, and eval is a common problem, and curly braces help, but I still struggle with it.
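A plain-Tcl illustration of the two quoting behaviours discussed in this thread, added here and not taken from any of the posts or from F5: it runs in tclsh with a stand-in `respond` proc in place of HTTP::respond and a constructed header set, and shows why a string glued together for eval is re-parsed while a list built with lappend is not.

```tcl
# Added example, not code from the thread: plain Tcl 8.6 (tclsh), no F5 device.
# "respond" stands in for HTTP::respond and simply returns the words it was
# handed, so we can inspect what eval actually delivered.
proc respond {args} { return $args }

# Constructed header set. The last value carries Tcl command syntax; if it is
# ever parsed as code instead of treated as data, ::tripped flips to 1.
set incoming {
    Location      https://example.com/new
    Cache-Control "max-age=0"
    X-Debug       {[set ::tripped 1]}
}

# Unsafe: headers glued into a string, then passed to eval. eval parses the
# string as a script, so the double-quoted value undergoes command substitution.
proc unsafe_respond {pairs} {
    set hdrs ""
    foreach {name value} $pairs { append hdrs " $name \"$value\"" }
    return [eval respond 301 -version auto $hdrs]
}

# Safe: build a real Tcl list with lappend. The list formatter braces every
# element containing $, [, quotes or whitespace, which is the per-element
# bracing described above, done automatically and without edge cases.
# Handing eval one pure list means it is executed as a single command with no
# re-parsing. On Tcl 8.5+ the {*} operator avoids eval altogether.
proc safe_respond {pairs} {
    set hdrs {}
    foreach {name value} $pairs { lappend hdrs $name $value }
    return [eval [linsert $hdrs 0 respond 301 -version auto]]
}

# Run both and report whether the embedded command executed.
proc demo {pairs} {
    set ::tripped 0
    set unsafe [unsafe_respond $pairs]
    puts "unsafe: tripped=$::tripped last-arg=[lindex $unsafe end]"
    set ::tripped 0
    set safe [safe_respond $pairs]
    puts "safe:   tripped=$::tripped last-arg=[lindex $safe end]"
}
demo $incoming
```

In the unsafe path ::tripped becomes 1 and the X-Debug value arrives already rewritten, while in the safe path the bracketed text reaches `respond` as an ordinary string.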