Re: [PATCH] CVE-2009-0801: Host header validation

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 04 Aug 2011 00:38:02 +1200

On 18/07/11 01:24, Amos Jeffries wrote:
> This patch adds a verify step between header parsing and http_access to
> validate that the Host: header matches the URL for forward-proxied
> traffic or the destination IP:port for intercepted traffic.
>
> This is part 1 of the CVE-2009-0801 protections. The validation step
> required to detect forgery and protect against cache poisoning.
>
> Technically this alone resolves the security breach parts of the overall
> problem.
>
>
> Part 2 with destination IP pinning on the request fetch is an
> optimization to avoid extra DNS load and any side-effects of changing
> the destination mid-way.
>
> Amos

Applied with minor tweaks

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.10
Received on Wed Aug 03 2011 - 12:38:08 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 03 2011 - 12:00:03 MDT