Are Black-List Paths Supposed to be Case Sensitive?

cwilcox-fl · May 10, 2016, 8:19pm

I have
“path”: “/System/Maintenance”,
In a black_list specification. It is further configured to “reply” and return “code” 403

via Curl …/System/Maintenance causes 403 to be returned. (perfect)

BUT any case deviation like

Curl …/system/maintenance OR even /System/MainTenance fly right through returning 200

Surely the path aren’t supposed to be case sensitive. What am I missing?

Martin · May 11, 2016, 8:07am

HTTP paths are case sensitive, though less so nowadays:

http://www.w3.org/TR/WD-html40-970708/htmlweb.html

URLs in general are case-sensitive (with the exception of machine names). There may be URLs, or parts of URLs, where case doesn’t matter, but identifying these may not be easy. Users should always consider that URLs are case-sensitive.

cwilcox-fl · May 11, 2016, 2:25pm

@Martin try typing HTML and URLs into your browser (see how I have changed the case of much of the path. When I do it I do NOT get a 404 because my case is wrong. Regardless of what the W3 says case has little or no effect on my ability to path to a web resource.
How do I get Tyk to match all permutations of the case of a path. Does Tyk path specs support regular expressions or something?

cwilcox-fl · May 11, 2016, 2:30pm

If I black-list /System/Maintenance
Tyk will let the following fly right on through:
/system/maintenance
/System/maintenance
/SYstem/mAintenance
etc.
etc.

This is a real problem! A security problem!

Martin · May 11, 2016, 3:25pm

Hmmm, I see… Have you tried a white list? It inverts this issue.

Martin · May 11, 2016, 3:37pm

In the mean time, I’ve put a patch into our dev branch to make lists explicitly match on lowercase versions of the URL. Will be built into the nightlies if you want to pick it up there.

cwilcox-fl · May 11, 2016, 6:03pm

Thank you!!! I will try to get our dev ops to install it and I’ll check it out. Thanks again!

Martin · May 12, 2016, 7:58am

You should be able to just grab the tarball and replace the binary, no other changes needed.

cwilcox-fl · May 12, 2016, 2:34pm

Might I suggest lower-casing both the in-coming URL and the black_list path? That way the user won’t have to be careful to enter all their paths in lower-case.
Thanks again for all your support!

cwilcox-fl · May 12, 2016, 2:36pm

Thanks for the tip on grabbing the tarball and dropping in the binary, should be very helpful.

Martin · May 12, 2016, 4:53pm

Thought about doing that, but we convert all paths into regex expressions so I’m reticent about changing data, also saving users from themselves is a slippery slope