Bug ID 704587: Authentication with UTF-8 chars in password or handling of IP addresses fail due to byte-array processing in iRules

Last Modified: May 07, 2019

Affected Product:
BIG-IP APM, DNS, GTM, LTM (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4

Fixed In:
14.1.0, 13.1.1.5

Opened: Feb 01, 2018
Severity: 2-Critical
Related AskF5 Article:
K15450552

Symptoms

This issue can have a number of observable effects, including:

1. APM end users cannot log in to the server. The log contains a message similar to the following: iRule err 'bad IP address format'.
2. When using the HTTP::header insert command, an iRule produces the following error: bad IP address format.
3. An iRule may produce other 'bad format' errors when processing inputs containing UTF-8 characters or other objects that are handled as byte arrays.

Impact

For the above-described symptoms, the corresponding impacts include:

1. APM authentication service is unavailable.
2. An iRule fails when using the HTTP::header insert command.
3. Other iRules may fail when using other APIs that process IP addresses (such as 'IP::addr') or strings containing UTF-8 characters or other objects that are handled as byte arrays.

Conditions

The corresponding conditions under which the above-described symptoms may occur include:

1. APM end users who have UTF-8 characters in their password.
2. An iRule uses the 'HTTP::header insert' command to insert the '[HTTP::header True-Client-IP]' object.
3. An iRule processes other input containing IP addresses (such as 'IP::addr') or UTF-8 characters or other objects that are handled as byte arrays.

These symptoms may occur when low-level Tcl functions servicing iRule APIs parse UTF-8 characters into strings. The Tcl marshaling routines used by some iRule functions (including HTTP::header insert) coerce some arguments into the bytearray type, which receives special treatment when coerced into other objects (such as IP addresses). Under certain conditions, when a string is coerced into a bytearray, the coercion fails and the error noted in the logs is produced.

Because APM user authentication is implemented via iRules, the handling of UTF-8 characters in iRules affects APM user authentication when the user password contains UTF-8 characters.

These symptoms may occur on affected versions of BIG-IP software due to underlying changes in the low-level Tcl implementation.

Workaround

1. To work around the APM authentication symptom, add a Variable Assign agent after the Logon Page with the following assignment (check the secure checkbox):

   session.logon.last.password =
   set pass [mcget -secure session.logon.last.password]; binary scan $pass c* chars; set newpass ""; foreach {ch} $chars { append newpass [format %c [expr $ch & 0xFF]] }; return $newpass

2. To work around errors processing 'HTTP::header insert' commands, avoid processing string variables with the 'HTTP::header insert' command. You can first convert the string to an IP address with IP::addr. For example, change:

   HTTP::header insert X-Forwarded-For $myip1

   to:

   HTTP::header insert X-Forwarded-For [IP::addr $myip1 mask "255.255.255.255"]

   where $myip1 could be a string representation of an IP address defined earlier with:

   set myip1 "78.210.81.133"

3. It may be possible to work around other iRule errors related to processing IP addresses (such as 'IP::addr') or UTF-8 characters or other objects that are handled as byte arrays by troubleshooting the iRule to determine the source of the error, and assigning the value to another string variable before further processing.
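What the byte loop in workaround 1 does to a password value, shown as an added example for a plain tclsh 8.6 session; it is not F5's code and was not run on BIG-IP. The helper name rebuild_bytes, the sample password and the assumption that the value arrives as UTF-8 bytes are illustrative only.

```tcl
# Added illustration for plain tclsh 8.6; not F5's code, not run on BIG-IP.
# rebuild_bytes is a hypothetical helper wrapping the loop from workaround 1.
# expr is braced here (usual Tcl style); the result is the same as unbraced.
proc rebuild_bytes {pass} {
    # 'c*' reads every byte of the value as a SIGNED 8-bit integer (-128..127).
    binary scan $pass c* chars
    set newpass ""
    foreach ch $chars {
        # Mask back to the unsigned range 0..255, then append the character
        # with that code to a freshly built string value.
        append newpass [format %c [expr {$ch & 0xFF}]]
    }
    return $newpass
}

# Constructed sample: the UTF-8 bytes of the password "pässwörd"
# (assumed input form; the page does not state how APM stores the value).
set pass [encoding convertto utf-8 "p\u00e4ssw\u00f6rd"]

# Show why the mask is needed: bytes >= 0x80 come back negative from 'c*'.
binary scan $pass c* signed
set unsigned {}
foreach b $signed { lappend unsigned [expr {$b & 0xFF}] }
puts "signed bytes:   $signed"
puts "unsigned bytes: $unsigned"

# The rebuilt value carries the same byte values, one character per byte.
set newpass [rebuild_bytes $pass]
puts "length in=[string length $pass] out=[string length $newpass]"
puts "same byte values: [string equal $pass $newpass]"
```

The two non-ASCII characters each occupy two bytes in the sample, so the value is ten bytes long, and those four bytes are the ones that print as negative numbers before masking.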

Fix Information

Special UTF-8 characters (including in user passwords authenticated using APM), IP addresses, and other objects that are handled as byte arrays in iRules are now handled properly.

Behavior Change