Handle Complex URIs

The DisableDotDotRule parameter determines whether or not the Web Agent automatically authorizes a URI that contains two dots separated by a slash (/).
Default: No
If the DisableDotDotRule is set to yes, the Agent does not apply the double-dot rule. For example, if the URI is:
  • /dir1/app.pl/file1.gif
    The Web Agent uses the IgnoreExt parameter to determine if the resource should be automatically authorized.
  • /dir1/okay.button.gif
    The Agent can ignore this URI because the two dots are not separated by a slash (/). The double-dot rule is not applicable in this case.
If the DisableDotDotRule is set to no (the default), the Web Agent applies the double-dot rule. The Web Agent challenges requests for the following URIs, passing the request to the Policy Server:
  • /dir1/app.pl/file1.gif
    This URI falls under the double-dot rule because the two dots are separated by a slash.
    The web server may consider /dir1/app.pl as the target resource, and /file1.gif as extra path information, typically viewable in CGI headers as PATH_INFO.
  • /dir1/okay.button.gif
    The Agent may ignore this URI because even though the double-dot rule is being enforced, the two dots are not separated by a slash (/), so the rule is not applicable.
Avoid creating the possibility for unauthorized access when you use the IgnoreExt and DisableDotDotRule parameters together. For example, if you want to protect /dir1/app.pl, but you set the DisableDotDotRule parameter to yes, the Agent ignores the URI /dir1/app.pl/file1.gif because you have disabled the double-dot rule and included .gif in the IgnoreExt parameter. Consequently, an unauthorized user may access the protected application /dir1/app.pl.
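The following is an added example, not code from the Web Agent or its documentation: it models the double-dot rule and the IgnoreExt check as described above, and audits a set of requested URIs against a configuration to flag any that would be auto-authorized even though they extend a protected resource path. It assumes that IgnoreExt is matched case-insensitively against the extension of the final path segment and that a query string is not part of the path.

```python
from typing import Iterable, List


def double_dot_rule_applies(uri: str) -> bool:
    """True when the URI contains two dots separated by a slash, i.e. dots in two
    different path segments (/dir1/app.pl/file1.gif). All dots in one segment
    (/dir1/okay.button.gif) do not trigger the rule."""
    path = uri.split("?", 1)[0]  # assumption: the query string is not part of the path
    dotted_segments = [seg for seg in path.split("/") if "." in seg]
    return len(dotted_segments) >= 2


def extension(uri: str) -> str:
    """Lower-cased extension of the last path segment, with leading dot; '' if none."""
    last = uri.split("?", 1)[0].rsplit("/", 1)[-1]
    return "." + last.rsplit(".", 1)[-1].lower() if "." in last else ""


def agent_decision(uri: str, ignore_ext: Iterable[str], disable_dot_dot_rule: bool) -> str:
    """Model of the Agent's choice: 'challenge' (pass to the Policy Server) or
    'ignore' (auto-authorize). Assumption: IgnoreExt is compared case-insensitively
    against the extension of the final segment."""
    if not disable_dot_dot_rule and double_dot_rule_applies(uri):
        return "challenge"
    ignored = {ext.lower() for ext in ignore_ext}
    return "ignore" if extension(uri) in ignored else "challenge"


def find_exposed(uris: Iterable[str], protected: Iterable[str],
                 ignore_ext: Iterable[str], disable_dot_dot_rule: bool) -> List[str]:
    """Configuration audit: URIs the Agent would auto-authorize although they
    extend a protected resource with extra path information (PATH_INFO)."""
    exposed = []
    for uri in uris:
        path = uri.split("?", 1)[0]
        under_protected = any(path.startswith(p + "/") for p in protected)
        if under_protected and agent_decision(uri, ignore_ext, disable_dot_dot_rule) == "ignore":
            exposed.append(uri)
    return exposed


# Constructed sample requests, as they might appear in a web server access log.
SAMPLE_URIS = ["/dir1/app.pl/file1.gif", "/dir1/okay.button.gif", "/dir1/app.pl", "/images/logo.gif"]
PROTECTED = ["/dir1/app.pl"]          # resources the policy is meant to protect
IGNORE_EXT = [".gif", ".jpg", ".css"]  # constructed IgnoreExt setting

if __name__ == "__main__":
    for flag in (False, True):
        setting = "yes" if flag else "no"
        print(f"DisableDotDotRule={setting}: exposed={find_exposed(SAMPLE_URIS, PROTECTED, IGNORE_EXT, flag)}")
```

With DisableDotDotRule=no the audit reports nothing; with DisableDotDotRule=yes it reports /dir1/app.pl/file1.gif, which is the unauthorized-access case described above.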