Bug ID 821133: Wrong wildcard URL matching when none of the configured URLS include QS

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP FPS(all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 15.0.0, 15.0.1

Fixed In:
15.1.0, 15.0.1.1, 14.1.2.3, 14.0.1.1

Opened: Sep 04, 2019

Severity: 3-Major

Symptoms

Wildcard URLs has a flag (include_query_string) which indicates if the matching should include traffic URL's QS or not For example, if the traffic URL is '/path?a=b' and configured URL is '/path*b': 1. if include QS enabled, URL is matched 2. otherwise, no match (since matching against '/path' only) if there are no configured URLs with "Include Query String" enabled, matching may be wrong

Impact

URL is incorrectly matched (when it either shouldn't be matched at all or should match another configured URL). Features/signatures might not work as expected.

Conditions

1. Wildcard URL configured in anti-fraud profile (URL name contains an asterisk) 2. None of the configured URLs has "Include Query String" enabled 3. Traffic URL contains a query-string

Workaround

Configure at least one URL with "Include Query String" enabled

Fix Information

FPS should match query string correctly (according to configuration)

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips