[PATCH] Bug 3234: CVE-2009-0801 resolution

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 20 Jun 2011 22:50:13 +1200

Thanks to Henrik's reminder with the bug creation, I'm revisiting this.

For an outline of the vulnerability situation see the patch squid.conf
additions or:
  http://bugs.squid-cache.org/show_bug.cgi?id=3243

Now that in 3.2 we can expect IP information on the client link to be
consistent in NAT and TPROXY modes, and that the forwarding choice is
now linked to destination IP instead of a domain, we can avoid the
tricky and work-intensive approach previously planned and attempted for
validating the Host header.

Instead we can begin forwarding by immediately selecting the client's
original destination IP as the only possible destination choice.

  * Persistent connections and cache HITs are not affected in any way.
NP: pconns opened for these links are safe for use by any other requests
due to the destination IP:port in the pconn key.

  * Adaptation and redirection are not affected, except those which do
background requests based on the Host: header. There is nothing we can
do to protect those.

  * cache_peer selection is prohibited when this is done.

  * "dst" type ACL is altered to test the client connection local IP for
these cases. Other ACLs are not affected AFAIK.

In order to allow users the choice of continuing with the old broken
security situation I've added the config directive client_dst_passthru.

I'm bringing this through public audit to get opinions on the default
for this directive before things change.

IMO enabling it by default protects users who don't care and forces all
other users to become aware of and consider the security implications of
disabling it before they do so.

Absent any objections this will be merged and the behaviour will come
into effect later this week.

(patch is still build testing so there may be minor changes in the final
version)

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.9 and 3.1.12.3
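The forwarding decision described in the mail above, modelled as a small added example (not code from the Squid patch): an intercepted request with `client_dst_passthru` off is forwarded only to the client connection's original destination IP:port, cache_peer selection is prohibited, the `dst` ACL tests that same local IP, and the pconn key keeps such connections from being reused for a differently-addressed request. The `Request` fields, the helper names and the RFC 5737 sample addresses are all constructed for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values (RFC 5737 documentation addresses), not taken from Squid.
ORIGINAL_DST = "192.0.2.10"       # where the client's TCP connection was really going
HOST_HDR_IP = "198.51.100.7"      # where the untrusted Host: header would lead instead


@dataclass
class Request:
    intercepted: bool        # arrived via NAT or TPROXY interception
    conn_local_ip: str       # local IP of the client connection = original destination
    conn_local_port: int
    host_header: str         # Host: header as sent by the client
    host_resolved_ip: str    # what DNS would return for host_header (constructed here)


def protected_mode(req: Request, client_dst_passthru: bool) -> bool:
    """The new behaviour applies to intercepted requests unless passthru is enabled."""
    return req.intercepted and not client_dst_passthru


def select_destination(req: Request, client_dst_passthru: bool = False,
                       cache_peers=()) -> tuple:
    """Return (dest_ip, dest_port, usable_peers).

    Protected mode: the client's original destination IP:port is the only
    candidate and cache_peer selection is prohibited (empty peer list).
    Otherwise: the old behaviour, destination derived from the Host: header.
    """
    if protected_mode(req, client_dst_passthru):
        return req.conn_local_ip, req.conn_local_port, ()
    return req.host_resolved_ip, 80, tuple(cache_peers)


def dst_acl_matches(req: Request, network: str, client_dst_passthru: bool = False) -> bool:
    """'dst' ACL: in protected mode it tests the client connection's local IP,
    otherwise the IP the Host: header resolves to."""
    ip = req.conn_local_ip if protected_mode(req, client_dst_passthru) else req.host_resolved_ip
    return ip_address(ip) in ip_network(network)


def pconn_key(dest_ip: str, dest_port: int) -> str:
    """Persistent connections are keyed by destination IP:port, so a pconn to the
    original destination is never reused for a request aimed elsewhere."""
    return f"{dest_ip}:{dest_port}"


# Constructed intercepted request whose Host: header disagrees with the real destination.
SAMPLE = Request(True, ORIGINAL_DST, 80, "www.example.net", HOST_HDR_IP)
```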

Received on Mon Jun 20 2011 - 10:50:28 MDT