This patch adds a verify step between header parsing and http_access to
validate that the Host: header matches the URL for forward-proxied
traffic or the destination IP:port for intercepted traffic.
This is part 1 of the CVE-2009-0801 protections. The validation step
required to detect forgery and protect against cache poisoning.
Technically this alone resolves the security breach parts of the overall
problem.
Part 2 with destination IP pinning on the request fetch is an
optimization to avoid extra DNS load and any side-effects of changing
the destination mid-way.
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.14 Beta testers wanted for 3.2.0.9
This archive was generated by hypermail 2.2.0 : Mon Jul 18 2011 - 12:00:03 MDT