tcl error, when modifying http response

Question

Hi guys,
We need a custom response for a dedicated validation (XML violation).
For this case I did expand the irule with the following lines:
    when ASM_REQUEST_BLOCKING {

set x [ASM::violation_data]
            log local0. "blocked XML request with violation: [lindex $x 0]"
            if { [lindex $x 0] == "VIOLATION_XML_WSDL" } {
                    HTTP::header remove Content-Length
                    set response "mycustom response..."

ASM::payload replace 0 [ASM::payload length] ""
                    ASM::payload replace 0 0 $response

}

If I test this, everything is ok, but sometimes I can see the following line in the log:
TCL error: /Common/ContManIrule  - Illegal argument. Can't execute in the current context. (line 4) invoked from within "HTTP::header remove Content-Length" invoked from within "if { [lindex $x 0] == "VIOLATION_XML_WSDL" } { HTTP::header remove Content-Length set response "..."
The log entry return: "Rule /Common/ContManIrule : blocked XML request with violation: VIOLATION_XML_WSDL"
Has anyone an idea whats wrong?
Thx

uni_87886 · Answer

It looks to me like it is saying that the HTTP::header command is not allowed within the ASM_REQUEST_BLOCKING event. Kind of strange, given that the example on the ASM_REQUEST_BLOCKING page does just this.&nbsp;
Perhaps enclose some of the code in try/catch, and do some extra logging of the payload when it fails. &nbsp;

uni · Answer

It looks to me like it is saying that the HTTP::header command is not allowed within the ASM_REQUEST_BLOCKING event. Kind of strange, given that the example on the ASM_REQUEST_BLOCKING page does just this.&nbsp;
Perhaps enclose some of the code in try/catch, and do some extra logging of the payload when it fails. &nbsp;

uni_87886 · Answer

Unrelated, but you should use 'contains' not '==' to test for the violation, as [lindex $x 0] is a comma separated list of violations

uni · Answer

Unrelated, but you should use 'contains' not '==' to test for the violation, as [lindex $x 0] is a comma separated list of violations

torti · Answer

The problem is, that I cannot reproduce the error. I did add some extra log and changed to 'contains'. The 'contains' is a little bit strange, because in the wiki is the violation filed described as String. And I did never see a comma seperated list in the log, here.
But it really looks like the system has some trouble with the HTTP::header command within the ASM_REQUEST_BLOCKING event.
I tried "if { [HTTP::header exists Content-Length] } {}" before removing the header, but then I SOMETIMES get the TCL error: Illegal argument. Can't execute in the current context. (line 1) invoked from within "HTTP::header exists Content-Length"

Forum Discussion

tcl error, when modifying http response

7 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries R2600 Tenant sizing

About AWAF "Redirect URLs" in "Responses and Blocks"

ISP Bandwidth Utilization

F5 Rseries HA

Related Content

irule replace and modify uri and response

Introduction of Incident Response

iRule: modify uri and response

custom response page for api

iRule to modify a content-security-policy header