[squid-users] double dots in domain name leads to web filter bypass

From: Erik Horn <Erik_Horn@dont-contact.us>
Date: Fri, 17 Jan 2003 16:48:55 -0800

We have found a situation with our combination of web filter and squid
that allows users to bypass the web filter by specifying a url such as
http://www.sex..com. This was tested with squid 2.5-stable1-20021115.

Our web filter is an external device with two network connections. On the
network, it sits between the users and the proxy, filtering requests as
they are sent to the proxy. In our case, our proxy also has two network
connections, one connecting to the filter and the other is connected to
the internet. This results in all requests from the users being filtered,
while the requests from the proxy to the internet are not.

The problem is that when a user requests the url http://www.sex..com, the
filter does not recognize the domain as a blocked domain and passes it to
the proxy. Squid removes the extra dot and forwards the request as
http://www.sex.com and the page is returned to the user.

In March, this was reported in bugzilla as bug #318, but it was closed
because it was a "feature" and there were no known side effects. I plan
to make a new entry in bugzilla with this email attached.

Hack/Fix:

The URL is rewritten before ACLs are processed, therefore an ACL cannot
fix the problem. I worked around it by a combination of modifying the
source code and an ACL. To fix the source code, edit src/url.c and search
for "duplicate dots" and comment out the two lines following the comment:

    /* remove duplicate dots */
    while ((t = strstr(host, "..")))
        xmemmove(t, t + 1, strlen(t));

Recompile and install.

The following ACL is also needed to actually block the request:

    acl doubledot dstdom_regex \.\.
    http_access deny doubledot

Without the code change, the ACL will have no effect.

I consider this to be a bug because it can't be blocked with an ACL and
the access.log entry shows the corrected URL instead of the original URL.

Thanks,

Erik
Received on Fri Jan 17 2003 - 17:49:01 MST
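
The mismatch described in the message above, shown from the filter's side as an added example (not part of the original post and not Squid or filter vendor code): a filter that matches the host exactly as received disagrees with a proxy that collapses duplicate dots, while a filter that applies the same canonicalization before matching does not. The blocklist, function names and sample hosts are constructed for illustration, and hosts are assumed to be already lowercased.

```c
#include <stdio.h>
#include <string.h>

/* Constructed blocklist for this example (hosts assumed lowercased). */
static const char *blocked[] = { "www.sex.com", NULL };

/* Same transformation as the url.c loop quoted in the post, with memmove. */
static void collapse_dots(char *host)
{
    char *t;
    while ((t = strstr(host, "..")))
        memmove(t, t + 1, strlen(t)); /* tail after t plus its NUL */
}

static int in_blocklist(const char *host)
{
    for (int i = 0; blocked[i]; i++)
        if (strcmp(host, blocked[i]) == 0)
            return 1;
    return 0;
}

/* Filter as described in the post: matches the host exactly as received. */
static int naive_filter_blocks(const char *host)
{
    return in_blocklist(host);
}

/* Hypothetical hardened filter: canonicalize like the proxy, then match. */
static int canonical_filter_blocks(const char *host)
{
    char buf[256];
    if (strlen(host) >= sizeof(buf))
        return 1;                     /* fail closed on oversized input */
    strcpy(buf, host);
    collapse_dots(buf);
    return in_blocklist(buf);
}

int main(void)
{
    /* Constructed sample hosts. */
    const char *hosts[] = { "www.sex.com", "www.sex..com",
                            "www.sex....com", "www.example.com" };
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-16s naive=%d canonical=%d\n", hosts[i],
               naive_filter_blocks(hosts[i]),
               canonical_filter_blocks(hosts[i]));
    return 0;
}
```

Rejecting any host that contains ".." outright, as the ACL in the message does, is the stricter alternative to canonicalizing before the lookup.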
