On 18/07/11 01:24, Amos Jeffries wrote:
> This patch adds a verify step between header parsing and http_access to
> validate that the Host: header matches the URL for forward-proxied
> traffic or the destination IP:port for intercepted traffic.
>
> This is part 1 of the CVE-2009-0801 protections. The validation step
> required to detect forgery and protect against cache poisoning.
>
> Technically this alone resolves the security breach parts of the overall
> problem.
>
>
> Part 2 with destination IP pinning on the request fetch is an
> optimization to avoid extra DNS load and any side-effects of changing
> the destination mid-way.
>
> Amos
Applied with minor tweaks
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.14 Beta testers wanted for 3.2.0.10Received on Wed Aug 03 2011 - 12:38:08 MDT
This archive was generated by hypermail 2.2.0 : Wed Aug 03 2011 - 12:00:03 MDT