Mark Nottingham wrote:
> Sorry to be blunt, but shouldn't these sites be securing themselves? 
> Having Squid strip this header hardly closes any significant attack 
> vectors off... and doing so creates yet another special case for people 
> to work around.
> 
> -1 on Translate (default strip; registering it, I suppose, although it's 
> a vendor-specific extension header that they haven't bothered to 
> register; I'd rather the focus be on those headers that people have 
> actually tried to do the right thing for -- especially when they have 
> *not* said they'll license patents for this specification).
Well, that's 2:1 against any special treatment.
> 
> WRT Unless-Modified-Since -- IIRC this is a very old, pre-2068 version 
> of If-Range. /me looks around...
> see: 
> http://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15847a-s96/web/draft-luotonen-http-url-byterange-02.txt 
> 
Range? yeesh, truly mixed bag of garbage there then.
> 
> What's the issue with it? Amusingly, MSFT thinks it's a response header:
>   http://msdn.microsoft.com/en-us/library/aa917918.aspx
:)
The 'issue' with them is that at least one brand of commercial box views 
them as a security hazard and rejects requests from clients using them 
outright.
Fair enough IMO, but ... something involved with PDF somehow still 
insists on sending them.
http://www.mail-archive.com/squid-users@squid-cache.org/msg63980.html
Amos
> 
> 
> 
> On 18/05/2009, at 9:05 PM, Amos Jeffries wrote:
> 
>> Both of these are non-standard headers created by microsoft.
>>
>> These are both weird ones. We seem to need them, but only because they 
>> need to be stripped away in certain circumstances.
>>
>> The Translate: header is the trickiest. After reading the docs it 
>> appears we should be always stripping it away for security. Its 
>> entire purpose is to perform code disclosure 'attacks' on targeted 
>> dynamic sites. With perhaps a fast-ACL to allow admins to use it and 
>> control the requests using it when they really need to.
>>
>> Pending any objections I'll add as registered headers in 3.0 and the 
>> above handling for Translate in 3.1.
>>
>> Amos
>> -- 
>> Please be using
>>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
>>  Current Beta Squid 3.1.0.7
> 
> -- 
> Mark Nottingham       mnot_at_yahoo-inc.com
> 
> 
-- 
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
  Current Beta Squid 3.1.0.7

Received on Mon May 18 2009 - 14:36:12 MDT
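As an added illustration, not code from this thread or from the Squid project's own defaults, here is how the handling Amos proposes for Translate could be written in squid.conf with the existing request_header_access directive: strip the header from every request except those coming from an administrator-controlled source range. It assumes a Squid 3.x build in which Translate and Unless-Modified-Since are registered header names (as Amos says he will add), so that request_header_access can match them by name; the ACL name and the 10.0.0.0/8 range are assumptions chosen for the example.

```squid
# Added example, not part of the thread. Assumes Squid 3.x request_header_access
# syntax and that Translate / Unless-Modified-Since are known header names.

# Assumption: the network admins use when they genuinely need Translate.
acl translate_admins src 10.0.0.0/8

# Let the Translate: request header through only from those sources ...
request_header_access Translate allow translate_admins
# ... and strip it from every other client request before it is forwarded.
request_header_access Translate deny all

# Same pattern for Unless-Modified-Since, which some upstream boxes reject
# outright: drop it so those requests are not refused at the origin.
request_header_access Unless-Modified-Since deny all
```

Squid evaluates request_header_access rules first-match, so the allow line for the admin ACL must come before the deny all line; reversing them would strip the header for everyone, including the admins.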