Designate Bad URL Characters

In the Agent’s configuration, you can list character sequences that must not appear in a URL request. The Agent treats these as bad URL characters: the SAML Affiliate Agent refuses any URL request that contains a character or string of characters from this list. Only the part of the URL before the "?" character is checked.

By default, the SAML Affiliate Agent rejects URL requests that include these characters:

These default characters block URLs that might allow a malicious Web client to evade SiteMinder rules.

To specify bad URL characters, add entries to the list to meet the needs of your applications. Separate the entries with commas; do not use spaces.

For example, set BadURLChars to the following:

//,./,/.,/*,*.,~,\,-,%,space,%00-%1f,%7f-%ff,%25,%25u,%25U

Bad URL characters can still appear in CGI parameters, provided that they come after the question mark (?).
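To preview which requests a candidate list would reject before deploying it, the following added example (not the Agent's own code) models the check in Python against the example BadURLChars value above. It assumes that `space` means a literal space, that `%xx-%yy` entries are inclusive byte ranges, and that every other entry is matched as a literal substring of the undecoded URL before the "?"; the names `parse_bad_chars` and `find_violation` are hypothetical.

```python
import re

# The example BadURLChars value from this page.
BAD_URL_CHARS = r"//,./,/.,/*,*.,~,\,-,%,space,%00-%1f,%7f-%ff,%25,%25u,%25U"

_RANGE = re.compile(r"^%([0-9a-fA-F]{2})-%([0-9a-fA-F]{2})$")
_ESCAPE = re.compile(r"%([0-9a-fA-F]{2})")


def parse_bad_chars(value):
    """Split the comma-separated list into literal strings and byte ranges."""
    literals, ranges = [], []
    for entry in value.split(","):
        m = _RANGE.match(entry)
        if m:  # assumed: "%xx-%yy" is an inclusive range of byte values
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
        elif entry == "space":  # assumed: keyword for a literal space
            literals.append(" ")
        elif entry:
            literals.append(entry)
    return literals, ranges


def find_violation(url, value=BAD_URL_CHARS):
    """Return the first matching entry, or None; only the part before "?" is checked."""
    path = url.split("?", 1)[0]
    literals, ranges = parse_bad_chars(value)
    for lit in literals:
        if lit in path:
            return "space" if lit == " " else lit
    # Assumed range handling: raw characters and %XX escapes both count.
    codes = [ord(c) for c in path] + [int(h, 16) for h in _ESCAPE.findall(path)]
    for lo, hi in ranges:
        if any(lo <= c <= hi for c in codes):
            return "%{:02x}-%{:02x}".format(lo, hi)
    return None


# Constructed sample requests (not taken from the product documentation).
SAMPLES = [
    "/app/report.jsp?file=../a-b",   # bad sequences appear only after "?"
    "/app/../admin/index.jsp",       # "./" and "/." in the path
    "/app/report%2ejsp",             # percent sign in the path
    "/app/my report.jsp",            # literal space in the path
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", find_violation(url) or "allowed")
```

Run candidate lists against a sample of your applications' legitimate URLs as well, since entries such as `-` and `%` reject many ordinary paths.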