
Policy evaluation response is incorrect if the URL query string sent for evaluation contains the string ://


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 14.0.0, 14.1.0, 14.1.1, 14.5.0
    • Fix Version/s: 6.0.0, 14.1.2, 5.5.2
    • Component/s: policy
    • Sprint: AM Sustaining Sprint 43
    • 2
    • Yes
    • Yes
    • No
    • Yes and I used the same an in the description

      Description

      Bug description

      The policy evaluation response is incorrect if the URL query string sent for evaluation contains the unencoded string :// (i.e. as in http://example.com/test?http://test).

      If the string is encoded as :%2F%2F then the response is as expected.

      Note that this is a change in behaviour from previous releases - 13.5.x for example does not require such encoding.

      How to reproduce the issue

      1). Configure a policy resource, for example:

      http://example.com:80/*?*

      2). Send the following JSON, containing the unencoded :// characters after the ? parameter, as a POST body to http://openam.example.com:8080/AM/json/realms/root/policies?_action=evaluate

      {
          "resources": [
              "http://example.com/test?http://test"
          ],
          "application": "iPlanetAMWebAgentService"
      }
      

      This returns (note the empty actions):

      [{"ttl":9223372036854775807,"advices":{},"resource":"http://example.com/test?http://test","actions":{},"attributes":{}}]
      

      3). Send the following encoded example:

      {
          "resources": [
              "http://example.com/test?http:%2F%2Ftest"
          ],
          "application": "iPlanetAMWebAgentService"
      }
      

      This is successful:

      [{"ttl":9223372036854775807,"advices":{},"resource":"http://example.com/test?http:%2F%2Ftest","actions":{"GET":true},"attributes":{}}]
      
      Expected behaviour

      Sending a URL parameter containing unencoded :// should evaluate as expected.

      Current behaviour

      Policy evaluation does not behave as it did in previous releases.

      Workaround

      Encode the :// as :%2F%2F
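The following Python script is an added example, not code from this ticket or from the OpenAM project. It packages the reproduction and the workaround in a form that can be kept as a regression check: it percent-encodes only the query component of a resource URL (so :// after the ? becomes :%2F%2F while scheme, host and path are untouched), parses an evaluate response to flag decisions that came back with no actions, and compares the raw and encoded forms of a resource through a pluggable post callable. The two sample responses are copied from this ticket; fake_post, make_http_post and the cookie name are assumptions (iPlanetDirectoryPro is AM's default SSO cookie name, but deployments can change it).

```python
import json
import urllib.request
from urllib.parse import quote, urlsplit, urlunsplit

# Endpoint named in the ticket's reproduction steps.
EVALUATE_URL = "http://openam.example.com:8080/AM/json/realms/root/policies?_action=evaluate"

# Constructed offline fixture: the two responses captured in the ticket,
# keyed by the resource string that was sent.
SAMPLE_RESPONSES = {
    "http://example.com/test?http://test":
        '[{"ttl":9223372036854775807,"advices":{},"resource":"http://example.com/test?http://test",'
        '"actions":{},"attributes":{}}]',
    "http://example.com/test?http:%2F%2Ftest":
        '[{"ttl":9223372036854775807,"advices":{},"resource":"http://example.com/test?http:%2F%2Ftest",'
        '"actions":{"GET":true},"attributes":{}}]',
}


def encode_query(resource):
    """Workaround from the ticket: percent-encode '/' only inside the query
    component, so '?http://test' becomes '?http:%2F%2Ftest' while the scheme,
    host and path are left as they are."""
    parts = urlsplit(resource)
    if not parts.query:
        return resource
    # quote() leaves '/' alone by default; override `safe` so '/' is encoded
    # but the usual query delimiters (':', '=', '&') survive unchanged.
    encoded = quote(parts.query, safe=":=&")
    return urlunsplit((parts.scheme, parts.netloc, parts.path, encoded, parts.fragment))


def evaluate_body(resource, application="iPlanetAMWebAgentService"):
    """Request body in the shape the ticket posts to ?_action=evaluate."""
    return {"resources": [resource], "application": application}


def empty_action_resources(response_text):
    """Return the resources in an evaluate response whose decision carries no
    actions at all, which is the symptom reported in the ticket."""
    return [d["resource"] for d in json.loads(response_text) if not d.get("actions")]


def compare_forms(resource, post):
    """Evaluate the raw and the query-encoded form of `resource` through
    `post(body_dict) -> response_text` and report whether the decisions differ.
    On a fixed server both forms should yield the same actions."""
    raw = json.loads(post(evaluate_body(resource)))[0]["actions"]
    enc = json.loads(post(evaluate_body(encode_query(resource))))[0]["actions"]
    return {"raw_actions": raw, "encoded_actions": enc, "mismatch": raw != enc}


def fake_post(body):
    """Offline transport (assumption): answers from the ticket's captured responses."""
    return SAMPLE_RESPONSES[body["resources"][0]]


def make_http_post(url, sso_token, cookie_name="iPlanetDirectoryPro"):
    """Real transport (assumption): POST JSON to AM using the caller's SSO token.
    The cookie name is AM's default and is configurable per deployment."""
    def post(body):
        req = urllib.request.Request(
            url,
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json",
                     "Cookie": f"{cookie_name}={sso_token}"},
            method="POST",
        )
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode()
    return post


if __name__ == "__main__":
    # Offline run against the ticket's fixture; swap in
    # make_http_post(EVALUATE_URL, "<sso token>") to test a live server.
    result = compare_forms("http://example.com/test?http://test", fake_post)
    print(json.dumps(result, indent=2))
```

Against the fixture the comparison reports a mismatch (empty actions for the raw form, GET allowed for the encoded form). Pointing it at a patched server with make_http_post should report mismatch false, which is the check to keep after upgrading to one of the fix versions.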

      People

      chee-weng.chea (C-Weng C)
      andy.itter (Andy Itter)
      Votes: 1
      Watchers: 9
      Time Tracking

      Original Estimate: 16h
      Remaining Estimate: 16h
      Time Spent: Not Specified