Re: [squid-users] problems with SQUID 3.x and IBM Proventia

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 23 Apr 2009 02:35:04 +1200

Udo Rader wrote:
> Hi,
>
> one of our customers has an issue with a Debian Lenny based squid 3.x in
> connection with an IBM Proventia security appliance.
>
> The setup is like this:
>
> internet <-> proventia <-> squid
>
> Now proventia comes with a transparent web content filter, removing
> dangerous things (viruses, ...) from HTTP traffic.
>
> Unfortunately this transparent filter rewrites the HTTP headers and
> sometimes it even corrupts them in a way that squid cannot deal with
> and refuses to further process the content. The cache.log then contains
> a message like this one:
>
> -------CUT-------
> 2009/04/22 11:09:23| WARNING: HTTP header contains NULL characters
> {Date: Wed, 22 Apr 2009 09:09:23 GMT
> Server: Apache/2.0.53 (Linux/SUSE)
> X-Powered-By: PHP/4.3.10
> Content-Disposition: inline; filename="Lady.jpg
> -------CUT-------
>
> The problem probably is the missing trailing double quote at the end of
> the filename.
>
> I've verified the problem using telnet:
>
> on the proxy server itself, connecting through proventia:
> --------CUT--------
> Proxy2:~# telnet www.example.com 80
> Trying 192.168.1.0...
> Connected to www.example.com
> Escape character is '^]'.
> GET
> /main.php?g2_view=core.DownloadItem&g2_itemId=20129&g2_serialNumber=2
> HTTP/1.0
>
> HTTP/1.1 200 OK
> Date: Wed, 22 Apr 2009 09:02:40 GMT
> Server: Apache/2.0.53 (Linux/SUSE)
> X-Powered-By: PHP/4.3.10
> Content-Disposition: inline; filename="Lady.jpg
> Last-Modified: Sat, 04 Apr 2009 11:46:36 GMT
> Expires: Thu, 22 Apr 2010 09:02:40 GMT
> Connection: close
> Content-Length: 8234
> Content-Type: image/jpeg
> --------CUT--------
>
> on the proxy server itself, connecting directly to the server (using a
> ssh tunnel at port 8088)
> --------CUT--------
> Proxy2:~# telnet localhost 8088
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET
> /main.php?g2_view=core.DownloadItem&g2_itemId=20129&g2_serialNumber=2
> HTTP/1.0
>
> HTTP/1.1 200 OK
> Date: Wed, 22 Apr 2009 09:03:03 GMT
> Server: Apache/2.0.53 (Linux/SUSE)
> X-Powered-By: PHP/4.3.10
> Content-Disposition: inline; filename="Lady.jpg"
> Last-Modified: Sat, 04 Apr 2009 11:46:36 GMT
> Content-length: 8234
> Expires: Thu, 22 Apr 2010 09:03:03 GMT
> Connection: close
> Content-Type: image/jpeg
> --------CUT--------
>
> So of course the problem is proventia corrupting the HTTP headers and we
> will raise an issue about that with IBM.
>
> But for the time being: is there a chance to make squid more "tolerant"
> about those kinds of problems? Without surprise I did not find any
> fitting config options :-)
>

Not nearly as easy as it will be for IBM to issue a fix for it. Or even
to replace the box with free software that works well.
Also not without opening some potential data-injection and cache-poisoning
flaws in Squid.

Consider what happens with:

HTTP/1.1 200 OK
Bwahaha: "
Cache-Control: private

...something you really did not want public...
.

vs:

HTTP/1.1 200 OK
Content-Type: "fu
bar: tender: and: wine"
Cache-Control: private

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
   Current Beta Squid 3.1.0.7
Received on Wed Apr 22 2009 - 14:35:03 MDT
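The parsing hazard Amos describes, worked through as an added example (this is not code from the thread, from Squid, or from IBM): a strict header parser refuses a reply whose header opens a quoted-string it never closes, while a hypothetical "tolerant" parser that repairs the quote by reading on until it balances silently folds the following header lines into that value. The three messages are constructed from the two examples in Amos's reply and from the mangled reply quoted in the report; `parse_tolerant` is an assumed repair strategy, not anything Squid implements.

```python
from __future__ import annotations

# Constructed messages: the two from Amos's reply and the header block the
# report shows Proventia producing (body omitted, CRLF line endings).
RESP_BWAHAHA = (
    "HTTP/1.1 200 OK\r\n"
    'Bwahaha: "\r\n'
    "Cache-Control: private\r\n\r\n"
)
RESP_CONTENT_TYPE = (
    "HTTP/1.1 200 OK\r\n"
    'Content-Type: "fu\r\n'
    'bar: tender: and: wine"\r\n'
    "Cache-Control: private\r\n\r\n"
)
RESP_PROVENTIA = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 22 Apr 2009 09:02:40 GMT\r\n"
    "Server: Apache/2.0.53 (Linux/SUSE)\r\n"
    "X-Powered-By: PHP/4.3.10\r\n"
    'Content-Disposition: inline; filename="Lady.jpg\r\n'
    "Last-Modified: Sat, 04 Apr 2009 11:46:36 GMT\r\n"
    "Expires: Thu, 22 Apr 2010 09:02:40 GMT\r\n"
    "Connection: close\r\n"
    "Content-Length: 8234\r\n"
    "Content-Type: image/jpeg\r\n\r\n"
)

class HeaderError(ValueError):
    """Raised by the strict parser for a header it will not accept."""

def quotes_balanced(value: str) -> bool:
    """True if every '"' opens or closes an RFC 2616 quoted-string; a
    backslash inside quotes escapes the next character (quoted-pair)."""
    in_quote, i = False, 0
    while i < len(value):
        if in_quote and value[i] == "\\":
            i += 2  # skip the quoted-pair
            continue
        if value[i] == '"':
            in_quote = not in_quote
        i += 1
    return not in_quote

def _head_lines(raw: str) -> list[str]:
    """Header lines of the message head: status line dropped, body ignored."""
    return raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]

def parse_strict(raw: str) -> dict[str, str]:
    """Refuse the whole reply at the first header with an unbalanced quote
    or no colon: a cache must not guess where such a header ends."""
    headers: dict[str, str] = {}
    for line in _head_lines(raw):
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise HeaderError(f"malformed header line: {line!r}")
        if not quotes_balanced(value):
            raise HeaderError(f"unterminated quoted-string in {name.strip()}")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_tolerant(raw: str) -> dict[str, str]:
    """Hypothetical 'repair' (assumed, not Squid's behaviour): when a value
    opens a quote it never closes, keep appending the following lines until
    it balances.  Every line swallowed this way stops being a header."""
    headers: dict[str, str] = {}
    lines, i = _head_lines(raw), 0
    while i < len(lines):
        name, _sep, value = lines[i].partition(":")
        i += 1
        while not quotes_balanced(value) and i < len(lines):
            value += " " + lines[i]
            i += 1
        headers[name.strip().lower()] = value.strip()
    return headers

def strict_rejects(raw: str) -> str | None:
    """The strict parser's rejection reason, or None if it accepted the reply."""
    try:
        parse_strict(raw)
    except HeaderError as exc:
        return str(exc)
    return None

def shared_cache_may_store(headers: dict[str, str]) -> bool:
    """A shared cache must not store a reply carrying Cache-Control: private
    (RFC 2616 14.9.1); on a 'repaired' parse the directive may have vanished."""
    directives = headers.get("cache-control", "").lower().split(",")
    return "private" not in [d.strip() for d in directives]

if __name__ == "__main__":
    for label, raw in (("bwahaha", RESP_BWAHAHA), ("content-type", RESP_CONTENT_TYPE),
                       ("proventia", RESP_PROVENTIA)):
        repaired = parse_tolerant(raw)
        print(f"{label}: strict -> {strict_rejects(raw)}")
        print(f"{label}: tolerant -> {repaired} storable={shared_cache_may_store(repaired)}")
```

On the first message the repaired parse has no `Cache-Control` header at all, so a shared cache would store a reply the origin marked private; on the second it keeps `Cache-Control` but loses the `bar` header, and a downstream client parsing the same bytes differently will disagree about which headers exist. On the Proventia reply the repair swallows everything after `Content-Disposition`, including `Content-Length` and `Content-Type`. Refusing the reply, as Squid does, is the only option that does not require guessing.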