Bug ID 1036057: Add support for line folding in multipart parser.

Last Modified: Jun 08, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6

Opened: Jul 25, 2021
Severity: 3-Major

Symptoms

RFC 2616 allowed HTTP header field values to be extended over multiple lines by preceding each extra line with at least one space or horizontal tab. This was then deprecated by RFC 7230. The multipart parser of ASM does not support the multiple line header, so these requests cause false positives.

Impact

False positives.

Conditions

Multiline header in multipart request

Workaround

None

Fix Information

None

Behavior Change

Introduced a new ASM internal parameter: multipart_allow_multiline_header Note: default value is 0 (disabled) Note: enabling/disabling the feature requires asm restart that triggers the unit going offline for a short time period. If the unit is a part of a high availability (HA) cluster, failover to the other unit will occur. If it is a standalone unit, traffic disruption until the unit comes back to online. - Enable multiline header support # /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 1 # bigstart restart asm - Disable multiline header support # /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 0 # bigstart restart asm