Are Black-List Paths Supposed to be Case Sensitive?


#1

I have
“path”: “/System/Maintenance”,
in a black_list specification. It is further configured to “reply” and return “code” 403

via Curl …/System/Maintenance causes 403 to be returned. (perfect)

BUT any case deviation like

Curl …/system/maintenance OR even /System/MainTenance fly right through returning 200

Surely the paths aren’t supposed to be case sensitive. What am I missing?


#2

HTTP paths are case sensitive, though less so nowadays:

http://www.w3.org/TR/WD-html40-970708/htmlweb.html

URLs in general are case-sensitive (with the exception of machine names). There may be URLs, or parts of URLs, where case doesn’t matter, but identifying these may not be easy. Users should always consider that URLs are case-sensitive.


#3

@Martin try typing https://www.w3.org/tr/wd-html40-970708/HTMLWEb.html into your browser (see how I have changed the case of much of the path). When I do it I do NOT get a 404 because my case is wrong. Regardless of what the W3 says, case has little or no effect on my ability to path to a web resource.
How do I get Tyk to match all permutations of the case of a path? Do Tyk path specs support regular expressions or something?


#4

If I black-list /System/Maintenance
Tyk will let the following fly right on through:
/system/maintenance
/System/maintenance
/SYstem/mAintenance
etc.
etc.

This is a real problem! A security problem!


#5

Hmmm, I see… Have you tried a white list? It inverts this issue.


#6

In the meantime, I’ve put a patch into our dev branch to make lists explicitly match on lowercase versions of the URL. Will be built into the nightlies if you want to pick it up there.


#7

Thank you!!! I will try to get our dev ops to install it and I’ll check it out. Thanks again!


#8

You should be able to just grab the tarball and replace the binary, no other changes needed. :slight_smile:


#9

Might I suggest lower-casing both the incoming URL and the black_list path? That way the user won’t have to be careful to enter all their paths in lower-case.
Thanks again for all your support!


#10

Thanks for the tip on grabbing the tarball and dropping in the binary, should be very helpful.


#11

Thought about doing that, but we convert all paths into regex expressions so I’m reticent about changing data, also saving users from themselves is a slippery slope :slight_smile:
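An added example (not Tyk's code, and not from any poster) showing the bypass from #1/#4 and the fix direction from #6 and #11 side by side: the black-list path is compiled to an anchored regexp, and the case-insensitive variant only prepends the `(?i)` flag, so the stored pattern text is never rewritten. The `blockRule` type, `compileRule`, `statusFor` and the exact-match-with-optional-trailing-slash anchoring are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// blockRule mirrors one black_list entry: the path and the reply code.
// Constructed for this example; it is not Tyk's own type.
type blockRule struct {
	path string
	code int
}

// compileRule turns a black-list path into an anchored regexp (assumed
// exact match, optional trailing slash). With caseInsensitive the (?i)
// flag is prepended, so every case variant of the path matches while the
// stored path text itself is left untouched.
func compileRule(r blockRule, caseInsensitive bool) *regexp.Regexp {
	pattern := "^" + regexp.QuoteMeta(strings.TrimRight(r.path, "/")) + "/?$"
	if caseInsensitive {
		pattern = "(?i)" + pattern
	}
	return regexp.MustCompile(pattern)
}

// statusFor returns the status a request path would get: the matching
// rule's reply code, or 200 if no black-list entry matches (pass-through).
func statusFor(rules []blockRule, reqPath string, caseInsensitive bool) int {
	for _, r := range rules {
		if compileRule(r, caseInsensitive).MatchString(reqPath) {
			return r.code
		}
	}
	return http.StatusOK
}

func main() {
	rules := []blockRule{{path: "/System/Maintenance", code: http.StatusForbidden}}
	probes := []string{"/System/Maintenance", "/system/maintenance", "/System/MainTenance"}
	for _, p := range probes {
		fmt.Printf("%-22s case-sensitive=%d case-insensitive=%d\n", p,
			statusFor(rules, p, false), statusFor(rules, p, true))
	}
}
```

With the case-sensitive rule only the first probe gets 403; with `(?i)` all three do, which is the behaviour the thread asks for.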