Bug ID 685888: OAuth client stores incorrectly escaped JSON values in session variables

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4

Fixed In:
14.0.0, 13.1.4.1

Opened: Sep 27, 2017
Severity: 4-Minor

Symptoms

1) The slash (/) is double escaped (\\/). The slash is common in URLs.
2) Unicode escaped characters (\uXXXX) are not correctly un-escaped into UTF-8 characters and end up unrecognizable.

Impact

APM applications that read JSON node session variables may not get the correct values.

Conditions

Occurs in 13.1 and earlier releases when OAuth servers respond in JSON, such as the OIDC User Info.

Workaround

1) For the double-escaped slash, use a workaround such as:
   session.oauth.client.last.UserInfo.picture = return [string map {{\\/} /} [ mcget {session.oauth.client.last.UserInfo.picture} ]]
2) For incorrect UTF-8 characters, there is no workaround.
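The following added example (not F5 code) compares stored session values against what a conforming JSON parser yields for the same UserInfo response, and shows that the slash mapping repairs symptom 1 but leaves symptom 2 in place. The response body, the stored values and all function names are constructed for illustration.

```python
import json
import re

# Constructed sample: an OIDC UserInfo body as an OAuth server might send it.
RAW_USERINFO = (r'{"sub": "1234", "name": "Jos\u00e9 \ud83d\ude00", '
                r'"picture": "https:\/\/idp.example\/u\/1234.png"}')

# Constructed sample: values as an affected release might store them.
STORED = {
    "sub": "1234",
    "name": "Jos? ??",                                  # unrecognizable characters
    "picture": r"https:\\/\\/idp.example\\/u\\/1234.png",  # each / stored as \\/
}

ESCAPED_SLASH = re.compile(r"\\+/")               # one or more backslashes before /
UNICODE_ESCAPE = re.compile(r"\\u[0-9a-fA-F]{4}")  # literal \uXXXX left in the value

def expected_values(raw_json):
    """Decode with a conforming parser: \\/ becomes /, \\uXXXX becomes the
    character (surrogate pairs are combined). Only string claims are kept."""
    return {k: v for k, v in json.loads(raw_json).items() if isinstance(v, str)}

def audit(stored, raw_json):
    """Return {claim: [symptoms]} for stored values that differ from the decode."""
    findings = {}
    for claim, want in expected_values(raw_json).items():
        got = stored.get(claim)
        if got is None or got == want:
            continue
        symptoms = []
        if ESCAPED_SLASH.search(got):
            symptoms.append("escaped-slash")
        if UNICODE_ESCAPE.search(got):
            symptoms.append("unicode-escape")
        findings[claim] = symptoms or ["mismatch"]
    return findings

def apply_slash_workaround(value):
    """Python equivalent of the Tcl mapping: string map {{\\\\/} /}."""
    return value.replace(r"\\/", "/")

if __name__ == "__main__":
    print("before:", audit(STORED, RAW_USERINFO))
    patched = {k: apply_slash_workaround(v) for k, v in STORED.items()}
    print("after: ", audit(patched, RAW_USERINFO))
```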

Fix Information

Unicode escaped characters are now correctly handled.

Behavior Change