I think the worst a malicious user could do is force a reset of their own connection through injection. I tried testing by injecting TCL meta-characters in the Host header with an iRule that checks the host header value against a data group or string. The worst I could do is cause a runtime TCL error. Do you have any specific examples you're concerned about?
when HTTP_REQUEST {
    log local0. "\[HTTP::host\]: \|[HTTP::host]\|"
    if {[HTTP::host] starts_with "test"}{
        pool http_1_pool
        log local0. "matched"
    } else {
        HTTP::respond 200 content "No match"
        log local0. "no match"
    }
    set cmd "\[class match \[HTTP::host\] starts_with string_dg\]"
    eval $cmd
    log local0. "match? $match"
    set match [class match [HTTP::host] starts_with string_dg]
    log local0. "match? $match"
}
when LB_SELECTED {
    log local0. "selected [LB::server]"
}
curl -v 10.1.0.120 -H "Host: test\"; pool http_2_pool"
curl -v 10.1.0.120 -H "Host: test\"; [class get string_dg]; pool http_2_pool"
curl -v 10.1.0.120 -H "Host: -value abc"
curl -v 10.1.0.120 -H "Host: -value"
curl -v 10.1.0.120 -H "Host: -value \"abc\""
You can protect against accidental interpretation of a string starting with a hyphen using -- to terminate the switch or class options:
switch -glob -- $string { ...
class match -value -- $string equals my_dg
Aaron
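Added example (not part of the original post, and not F5 code): a stand-alone tclsh sketch that feeds the Host values from the curl tests above through a switch with and without the -- terminator, so the difference shows up as a caught error versus a normal result. The proc names and the first sample host are assumptions made for the example; HTTP::host and class match exist only inside an iRule, so a plain string stands in for the header value and the inline pattern/body form of switch is used.

```tcl
# Stand-alone tclsh sketch. route_unguarded and route_guarded are
# hypothetical names; inside an iRule the value would come from [HTTP::host].

# Unguarded: a value that starts with "-" is parsed as a switch option.
proc route_unguarded {host} {
    switch -glob $host \
        "test*" { return "matched" } \
        default { return "no match" }
}

# Guarded: "--" ends option parsing, so $host is always treated as data.
proc route_guarded {host} {
    switch -glob -- $host \
        "test*" { return "matched" } \
        default { return "no match" }
}

# First value is constructed for the example; the rest are the Host
# header values used in the curl tests in the post.
set hosts [list \
    "test.example.com" \
    "test\"; pool http_2_pool" \
    "-value abc" \
    "-value" \
    "-value \"abc\""]

foreach host $hosts {
    foreach fn {route_unguarded route_guarded} {
        # catch returns non-zero when the proc raises a Tcl error,
        # which in an iRule would abort the event and reset the connection.
        if {[catch {$fn $host} result]} {
            puts [format "%-16s %-26s ERROR: %s" $fn $host $result]
        } else {
            puts [format "%-16s %-26s %s" $fn $host $result]
        }
    }
}
```

Where a value cannot be passed behind --, wrapping the call in catch as done in the loop lets the rule log the malformed header and respond explicitly instead of aborting.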