Last Modified: Nov 07, 2022
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 12.1.4, 22.214.171.124, 12.1.5, 126.96.36.199, 188.8.131.52, 184.108.40.206, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Opened: Dec 25, 2014
Severity: 4-Minor
A URL may contain the character sequence &# (ampersand, pound) that is not part of an HTML entity, for instance: http://example.com/some/path?query&#fragment In this example, &# is not the beginning of a valid HTML entity and should be left untouched during rewriting.
A URL with &# inside may not be rewritten.
The URL contains a &# character sequence that is not part of an HTML entity.
Use an iRule with two steps:
- The first step modifies the original URL so that it can be rewritten.
- The second step modifies the rewritten URL to revert the changes made by the first step.

This is shown in the following example:
a) Original URL: http://example.com/path?aa=bb&#fragment
b) URL after the first step of the iRule: http://example.com/path?aa=bb&@F5_@#fragment
c) Rewritten URL before the second step of the iRule: https://bigip.system.name.com/f5-w-687474703a2f2f6578616d706c652e636f6d$$/path?aa=bb&F5CH=I@F5_@#fragment
d) URI corrected by the second step of the iRule: https://bigip.system.name.com/f5-w-687474703a2f2f6578616d706c652e636f6d$$/path?aa=bb&F5CH=I#fragment

In other words, the second step removes the insertions made by the first step.
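The string handling behind the two steps, sketched in Python as an added example (this is not F5's iRule code and not part of the original page). The names `protect` and `restore` are hypothetical, the pattern that decides what counts as a valid numeric entity is an assumption, and the rewritten URL in the demo is copied from step c) rather than produced by a BIG-IP.

```python
import re

# Marker string taken from the page's example (step b).
MARKER = "@F5_@"

# Assumption: a "valid HTML entity" starting with &# is a numeric character
# reference such as &#39; or &#x27;. Any other &# is treated as bare.
BARE_AMP_HASH = re.compile(r"&#(?!(?:[0-9]+|[xX][0-9a-fA-F]+);)")


def protect(url: str) -> str:
    """Step 1: split a bare '&#' with the marker so the URL can be rewritten."""
    return BARE_AMP_HASH.sub("&" + MARKER + "#", url)


def restore(url: str) -> str:
    """Step 2: drop the marker that step 1 placed directly before '#'."""
    return url.replace(MARKER + "#", "#")


if __name__ == "__main__":
    original = "http://example.com/path?aa=bb&#fragment"
    print(protect(original))

    # Rewritten URL as given in step c) of the page (not generated here).
    rewritten = (
        "https://bigip.system.name.com/"
        "f5-w-687474703a2f2f6578616d706c652e636f6d$$"
        "/path?aa=bb&F5CH=I@F5_@#fragment"
    )
    print(restore(rewritten))

    # Constructed input: a real numeric entity must be left untouched.
    print(protect("http://example.com/path?q=it&#39;s&#frag"))
```

Because step 1 skips real numeric entities, a fragment that happens to look like one (for example `&#123;`) is left unprotected; that ambiguity is inherent in the marker approach.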
Now, a URL containing &# character sequences is rewritten correctly, even if the &# fragment does not belong to a valid HTML entity.