If, like me, you have spent most of your IT life working in a Windows environment, you have never really had to consider the case in which you write scripts. The odd login script or batch file aside, it is not the mainstay of the work, which concentrates on GUI environments.
While working on a particular task recently I spotted this little issue when issuing a redirect (a 301 in the scripts below) with TrafficScript.
ZXTM runs on Linux and TrafficScript string comparisons are case-sensitive, so to a rule login.aspx is not the same as lOgin.aspx, even though an IIS server behind the ZXTM will happily serve both as the same page.
To this end it is important that you consider case if you are using ZXTMs to terminate SSL and restrict access to resources served from non-Linux (case-insensitive) web servers such as IIS.
For example, this script looks for any URL containing login.aspx, signup.aspx, /thismustbessl/userdetailseform.aspx or /admin/ on the website www.website.net and redirects the request to HTTPS.
$url = http.getRawURL();
$host = http.getHeader( "Host" );
# the host test must apply to every pattern, so the || group is parenthesised
if ( $host == "www.website.net" && (
        string.contains( $url, "Login.aspx" ) ||
        string.contains( $url, "Signup.aspx" ) ||
        string.contains( $url, "/ThisMustBeSSL/userdetailseform.aspx" ) ||
        string.contains( $url, "/admin/" ) ) ) {
   http.sendResponse( "301 Moved Permanently", "text/html", "", "Location: https://" . $host . $url );
}
So this script does what we need, right? Wrong.
If you request http://www.website.net/ThisMustBeSSL/userdetailseform.aspx the rule matches all of its conditions and the redirect is issued, so the page is served over HTTPS.
However, if you request http://www.website.net/thismustbessl/userdetailseform.aspx the rule does not match and the page is served over plain HTTP, because IIS does not care about the case of the path. Disaster!
To avoid this a minor but crucial change is required. First do a string conversion on the URL: I force the URL to lowercase, but you could equally use uppercase if you wish. Then make sure that all of the strings you are comparing against are in the same case (lowercase in my example). The rule then matches regardless of the case in which the original request is submitted. Two related points are worth noting. The Host header comparison is case-sensitive in exactly the same way, so normalise it too. And use the lowercased copy only for matching, keeping the original URL in the Location header; otherwise case-sensitive query string values (session tokens, return URLs) are corrupted by the redirect. Finally, string.contains runs over the raw, undecoded URL, so a percent-encoded spelling of a protected path is another way for a request to miss the match; a rule that redirects everything to HTTPS except an explicit list of exceptions is more robust than one that tries to enumerate every protected path.
$url = http.getRawURL();
$host = string.lowercase( http.getHeader( "Host" ) );   # host names are case-insensitive, so normalise this too
$s = string.lowercase( $url );   # lowercase copy of the URL, used only for matching
if ( $host == "www.website.net" && (
        string.contains( $s, "login.aspx" ) ||
        string.contains( $s, "signup.aspx" ) ||
        string.contains( $s, "/thismustbessl/userdetailseform.aspx" ) ||
        string.contains( $s, "/admin/" ) ) ) {
   # redirect with the original $url so the case of any query string is preserved
   http.sendResponse( "301 Moved Permanently", "text/html", "", "Location: https://" . $host . $url );
}
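To make the matching logic easy to exercise offline, here is the same rule modelled in Python. This is an added illustration, not TrafficScript and not the post's own code; the helper names (normalise_path, needs_https, redirect_location), the PROTECTED tuple and the sample requests are constructed for the example. It goes one step beyond the post by also percent-decoding the path before comparison, since IIS decodes it before resolving the resource.

```python
"""Python model of the HTTPS redirect rule discussed in the post.

Added example: the names and sample requests below are constructed
for illustration and are not part of the original TrafficScript.
"""
from typing import Optional
from urllib.parse import unquote, urlsplit

HOST = "www.website.net"

# Patterns the rule protects, stored in lowercase so they can be compared
# against a lowercased copy of the request path.
PROTECTED = (
    "login.aspx",
    "signup.aspx",
    "/thismustbessl/userdetailseform.aspx",
    "/admin/",
)


def normalise_path(raw_url: str) -> str:
    """Return the comparison form of a request path.

    The query string is dropped, percent-encoding is decoded and the result
    is lowercased. IIS treats all of these spellings as the same resource,
    so the rule must as well. (Decoding is an extension of the post, which
    only lowercases.)
    """
    path = urlsplit(raw_url).path
    return unquote(path).lower()


def needs_https(host: str, raw_url: str) -> bool:
    """True when the request is for the protected host AND a protected path.

    The host test applies to every pattern; the post's first rule mixed
    && and || without grouping, so only the first pattern was host-checked.
    Host names are case-insensitive, so the header is lowercased too.
    """
    if host.lower() != HOST:
        return False
    path = normalise_path(raw_url)
    return any(pattern in path for pattern in PROTECTED)


def redirect_location(host: str, raw_url: str) -> Optional[str]:
    """Location header for the 301, or None when no redirect is needed.

    The ORIGINAL raw URL is reused so that case-sensitive query values
    (session tokens, base64 state) are not corrupted by the lowercasing
    that was only ever meant for matching.
    """
    if not needs_https(host, raw_url):
        return None
    return "https://" + host.lower() + raw_url


if __name__ == "__main__":
    # Constructed sample requests: mixed case, lowercase, percent-encoded,
    # a query string with case-sensitive values, and an unprotected page.
    samples = (
        "/ThisMustBeSSL/userdetailseform.aspx",
        "/thismustbessl/userdetailseform.aspx",
        "/%41dmin/",
        "/Login.aspx?ReturnUrl=%2FSecure%2FAcct&Tok=AbC123",
        "/public/index.aspx",
    )
    for url in samples:
        print(f"{url:55} -> {redirect_location(HOST, url)}")
```

Running the block prints each sample beside the Location it would receive; the percent-encoded /%41dmin/ and the lowercase path both redirect, while the query string in the Login.aspx request is passed through untouched.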
Now everything is cool
Happy Days….