The DisableDotDotRule parameter determines whether the Web Agent can automatically authorize a URI that contains two dots separated by a slash (/).
If DisableDotDotRule is set to yes, the Agent does not apply the double-dot rule. For example, if the URI is:
The Web Agent uses only the IgnoreExt parameter to determine whether the resource should be automatically authorized.
The Agent can ignore this URI because the two dots are not separated by a slash (/); the double-dot rule would not apply in this case even if it were enabled.
If DisableDotDotRule is set to no (the default), the Web Agent applies the double-dot rule. The Web Agent challenges requests for the following URIs, passing each request to the Policy Server:
This URI falls under the double-dot rule because the two dots are separated by a slash.
The web server may treat /dir1/app.pl as the target resource and /file1.gif as extra path information, typically visible to the CGI program as PATH_INFO. Because the double-dot rule is enforced, the Agent challenges this request instead of ignoring it on the strength of the .gif extension.
The Agent may ignore this URI: although the double-dot rule is enforced, the two dots are not separated by a slash (/), so the rule does not apply and the IgnoreExt parameter alone decides.
Important! Avoid creating the possibility of unauthorized access when you use the IgnoreExt and DisableDotDotRule parameters together. For example, if you want to protect /dir1/app.pl but you set DisableDotDotRule to yes and include .gif in IgnoreExt, the Agent ignores the URI /dir1/app.pl/file1.gif because the double-dot rule is disabled and the apparent extension is .gif. The web server, however, still executes /dir1/app.pl with /file1.gif as PATH_INFO, so an unauthorized user may access the protected application /dir1/app.pl.
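The following is an added illustration, not code from the original page or from the CA Web Agent: a small Python model of how the double-dot rule and IgnoreExt interact, and of the PATH_INFO split that turns the interaction into an exposure. The IGNORE_EXT set, the query-string stripping, the case-insensitive extension match and the server_target() simulation of how a web server picks the executed script are all assumptions made for the example; the page documents only the .pl/.gif case.

```python
import re

# Constructed example configuration, not taken from the original page.
# IgnoreExt is modelled as a set of extensions the Agent auto-authorizes.
IGNORE_EXT = {".gif", ".jpg", ".css", ".js"}

# The double-dot rule fires when a dot is followed, later in the path,
# by a slash and then another dot, as in /dir1/app.pl/file1.gif
DOT_SLASH_DOT = re.compile(r"\.[^/]*/.*\.")


def path_only(uri):
    """Drop any query string (assumption: the Agent evaluates the path)."""
    return uri.split("?", 1)[0]


def has_dot_slash_dot(uri):
    """True when the URI contains two dots separated by a slash."""
    return DOT_SLASH_DOT.search(path_only(uri)) is not None


def extension(uri):
    """Extension of the last path segment, lower-cased (assumption), or ''."""
    last = path_only(uri).rsplit("/", 1)[-1]
    if "." not in last:
        return ""
    return "." + last.rsplit(".", 1)[-1].lower()


def agent_decision(uri, ignore_ext=IGNORE_EXT, disable_dotdot_rule=False):
    """Return 'challenge' (the request is passed to the Policy Server) or
    'ignore' (the Agent automatically authorizes the request)."""
    # DisableDotDotRule=no: a URI with two dots separated by a slash is
    # always challenged, even if its apparent extension is in IgnoreExt.
    if not disable_dotdot_rule and has_dot_slash_dot(uri):
        return "challenge"
    # Otherwise only IgnoreExt decides.
    if extension(uri) in ignore_ext:
        return "ignore"
    return "challenge"


def server_target(uri, script_exts=(".pl",)):
    """Mimic how a web server splits a URI into the executed script and
    PATH_INFO: the first segment carrying a script extension is the target.
    This is an assumption about server behaviour used for the illustration."""
    segments = path_only(uri).split("/")
    for i, seg in enumerate(segments):
        if any(seg.lower().endswith(ext) for ext in script_exts):
            target = "/".join(segments[: i + 1])
            rest = segments[i + 1:]
            return target, ("/" + "/".join(rest)) if rest else ""
    return path_only(uri), ""


def exposes_protected(uri, protected, ignore_ext=IGNORE_EXT,
                      disable_dotdot_rule=False):
    """True when the Agent would ignore the request while the server would
    execute a protected script for it: the misconfiguration warned about
    in the text above."""
    target, _ = server_target(uri)
    decision = agent_decision(uri, ignore_ext, disable_dotdot_rule)
    return target in protected and decision == "ignore"


if __name__ == "__main__":
    protected = {"/dir1/app.pl"}
    for uri in ("/dir1/app.pl/file1.gif", "/dir1/file1.gif", "/dir1/app.pl"):
        for disabled in (False, True):
            flag = "yes" if disabled else "no"
            print(f"{uri:24} DisableDotDotRule={flag:3} -> "
                  f"{agent_decision(uri, disable_dotdot_rule=disabled):9} "
                  f"exposed={exposes_protected(uri, protected, disable_dotdot_rule=disabled)}")
```

Running the block prints one row per URI and setting; only /dir1/app.pl/file1.gif with DisableDotDotRule=yes comes out as ignored while the server would still execute /dir1/app.pl, which is exactly the combination the warning tells you to avoid.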
Copyright © 2010 CA. All rights reserved.