  1. OpenAM
  2. OPENAM-11673

Policy evaluation response is incorrect if the URL query string sent for evaluation contains the string ://

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 14.0.0, 14.1.0, 14.1.1, 14.5.0
    • Fix Version/s: 6.0.0, 14.1.2, 5.5.2
    • Component/s: policy
    • Labels:
    • Sprint:
      AM Sustaining Sprint 43
    • Story Points:
      2
    • Needs backport:
      Yes
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      The policy evaluation response is incorrect if the URL query string sent for evaluation contains the unencoded string :// (i.e. as in http://example.com/test?http://test)

      If the string is encoded as :%2F%2F then the response is as expected.

      Note that this is a change in behaviour from previous releases - 13.5.x for example does not require such encoding.

      How to reproduce the issue

      1). Configure a policy resource, for example:

      http://example.com:80/*?*

      2). Send the following unencoded :// characters after the ? parameter as a POST body to http://openam.example.com:8080/AM/json/realms/root/policies?_action=evaluate

      {
          "resources": [
              "http://example.com/test?http://test"
          ],
          "application": "iPlanetAMWebAgentService"
      }
      

      This returns (note empty actions):

      [{"ttl":9223372036854775807,"advices":{},"resource":"http://example.com/test?http://test","actions":{},"attributes":{}}]
      

      3). Send the following encoded example:

      {
          "resources": [
              "http://example.com/test?http:%2F%2Ftest"
          ],
          "application": "iPlanetAMWebAgentService"
      }
      

      This is successful:

      [{"ttl":9223372036854775807,"advices":{},"resource":"http://example.com/test?http:%2F%2Ftest","actions":{"GET":true},"attributes":{}}]
      
      Expected behaviour

      Sending a URL parameter containing unencoded :// should evaluate as expected.

      Current behaviour

      Policy evaluation is not as in previous releases.

      Work around

      Encode the :// as :%2F%2F

              People

              • Assignee:
                chee-weng.chea C-Weng C
                Reporter:
                andy.itter Andy Itter
              • Votes:
                1
                Watchers:
                9

                  Time Tracking

                  Estimated:
                  16h
                  Remaining:
                  16h
                  Logged:
                  Not Specified
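
The workaround from the description, applied on the client side before calling policies?_action=evaluate, together with a check for the empty-actions symptom. This is an added example, not code from the issue or from OpenAM; the function names are hypothetical, and it assumes everything after the first ? is the query string.

```python
import json


def encode_query_scheme_separators(resource: str) -> str:
    """Rewrite '://' as ':%2F%2F' in the query string only.

    The separator that follows the resource's own scheme is left untouched.
    Assumption: everything after the first '?' is the query string.
    """
    base, sep, query = resource.partition("?")
    if not sep:
        return resource  # no query string, nothing to encode
    return base + sep + query.replace("://", ":%2F%2F")


def build_evaluate_body(resources, application="iPlanetAMWebAgentService"):
    """Build the POST body in the shape shown in the issue, workaround applied."""
    return json.dumps({
        "resources": [encode_query_scheme_separators(r) for r in resources],
        "application": application,
    })


def resources_without_actions(response_text: str):
    """Return resources whose evaluation result has an empty 'actions' map."""
    return [entry["resource"] for entry in json.loads(response_text)
            if not entry.get("actions")]


# Responses copied from steps 2 and 3 of the issue.
UNENCODED_RESPONSE = (
    '[{"ttl":9223372036854775807,"advices":{},'
    '"resource":"http://example.com/test?http://test",'
    '"actions":{},"attributes":{}}]'
)
ENCODED_RESPONSE = (
    '[{"ttl":9223372036854775807,"advices":{},'
    '"resource":"http://example.com/test?http:%2F%2Ftest",'
    '"actions":{"GET":true},"attributes":{}}]'
)

if __name__ == "__main__":
    print(build_evaluate_body(["http://example.com/test?http://test"]))
    print("empty actions:", resources_without_actions(UNENCODED_RESPONSE))
    print("empty actions:", resources_without_actions(ENCODED_RESPONSE))
```

The rewrite is idempotent, so a resource that already carries :%2F%2F passes through unchanged.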