Bypassing ACLs

From: <>
Date: Wed, 1 Oct 1997 04:04:03 +0530 (IST)

        we use squid-1.1.10/Linux 2.0.30 as our campus-wide proxy
server. Since our bandwidth is quite low, we rely a lot on ACLs to keep
non-essential traffic from choking the link.
        Our ACL list looks something like this:
acl pictures url_regex "/usr/local/squid/etc/policy/pictures_deny.list"
acl pornsites dstdomain "/usr/local/squid/etc/policy/pornosites_deny.list"
http_access deny pictures
http_access deny pornsites
.... etc.
pictures_deny.list consists of a bunch of lines like
\.jpg$ .... etc.
while pornsites_deny.list has the usual etc.

Now, some bright guy figured out that the first one can be bypassed by
giving the URL rather than

This can be remedied by changing the deny lines to
\.jpg\?*$ (or just \.jpg though this might restrict some legitimate URLs)
Any other such magic characters? I suspect not.

Also, if itself is the pornsites list, it can be overcome by
This works because gethostbyname and co. treat ba\ and as
identical. Try nslookup '\' - it works!

Although I haven't tried later versions, a cursory look through the Changelogs
didn't reveal anything that would have fixed the second problem. Searching
through the mailing list archive didn't yield anything related.

Could someone please post a patch for this problem? Thanks in advance.

                                                        -- ganesh
Received on Tue Sep 30 1997 - 15:34:01 MDT
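An added example (not from the post or from Squid) that lets an administrator check deny-list patterns and hostname matching offline before rolling them out: it mimics Squid's url_regex ACL (pattern searched against the full URL; for these simple patterns Python's re and POSIX regex agree) and a dstdomain ACL that normalises the host first. The domain name, the hardened pattern `\.jpg(\?.*)?$` and the normalisation rule (strip backslashes and a trailing dot, lower-case) are assumptions; the `\.jpg$` and `\.jpg\?*$` patterns are the ones in the post, included so their coverage can be compared.

```python
import re
from urllib.parse import urlsplit

# Constructed url_regex deny patterns.
ANCHORED_PATTERN = r"\.jpg$"          # from the post: anchored at end of URL
POSTED_FIX_PATTERN = r"\.jpg\?*$"     # from the post: proposed replacement
HARDENED_PATTERN = r"\.jpg(\?.*)?$"   # assumption: extension, optional ?query

# Constructed dstdomain deny list (hypothetical name).
DENY_DOMAINS = ["example-denied.test"]


def url_regex_denied(url: str, pattern: str) -> bool:
    """Mimic Squid's url_regex ACL: the pattern is searched in the whole URL."""
    return re.search(pattern, url) is not None


def normalize_host(host: str) -> str:
    """Canonicalise a hostname before dstdomain matching.

    Assumption: the resolver ignores backslashes (as the post describes), so
    strip them, drop a trailing dot and lower-case before comparing.
    """
    return host.replace("\\", "").rstrip(".").lower()


def dstdomain_denied(url: str, deny: list) -> bool:
    """Mimic a dstdomain ACL on the normalised host: denied if the host equals a
    listed domain or is a subdomain of one."""
    host = normalize_host(urlsplit(url).hostname or "")
    return any(host == d or host.endswith("." + d) for d in deny)


def check(url: str) -> dict:
    """Evaluate one URL against every pattern and the domain list."""
    return {
        "anchored": url_regex_denied(url, ANCHORED_PATTERN),
        "posted_fix": url_regex_denied(url, POSTED_FIX_PATTERN),
        "hardened": url_regex_denied(url, HARDENED_PATTERN),
        "dstdomain": dstdomain_denied(url, DENY_DOMAINS),
    }


if __name__ == "__main__":
    # Constructed sample URLs: plain, with a query string, and with a backslash
    # appended to the host so the unnormalised dstdomain string would differ.
    for u in ("http://example-denied.test/a.jpg",
              "http://example-denied.test/a.jpg?x=1",
              "http://example-denied.test\\/a.jpg"):
        print(u, check(u))
```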

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:12 MST