[PATCH] Compliance: Allow valid requests with benign CRs

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Thu, 29 Jul 2010 14:13:40 -0600

Hello,

     The attached patch improves request smuggling attack detection and
makes Squid more tolerant of valid HTTP headers with benign CR+
sequences. This change may be useful in general (I believe I have seen
benign requests rejected by Squid exposed to a large variety of client
software) and also removes several Co-Advisor-detected HTTP/1.1 test
case failures and violations.

Lower-level details are quoted below. Please review.

Thank you,

Alex.

Removed "double CR" check from parseHttpRequest() for several reasons:

1) The check was most likely introduced as a short-term defense
    against "HTTP request smuggling" attacks identified in an
    influential 2004 paper. The paper documented certain
    vulnerabilities related to requests with "double CR" sequences, and
    Squid was quickly hacked to prohibit such requests as
    malformed. However, a more careful reading of the paper indicates
    that only LF CR CR LF (a.k.a. "CR header") sequences were
    identified as dangerous (note the leading LF). The quick fix was
    too aggressive and blocked _all_ requests with CR CR LF sequences,
    including benign requests.

2) The check duplicated an HttpHeader::parse() check.

3) The check was slower than the code it duplicated.

Improved "double CR" handling in HttpHeader::parse() to detect
potentially dangerous "empty headers", that is, header fields that
contain nothing but CR character(s). Requests with such headers are
rejected as malformed. We used to reject similar requests (and more)
in parseHttpRequest() as described above.

After the change, potentially malicious requests with CR+ headers are
still denied. Other, benign headers ending with CRs are now allowed.

If the HTTP header parser is not "relaxed", benign and valid requests
with extra CR characters are blocked as before.
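As an added illustration (not the attached patch and not Squid's own HttpHeader::parse()), here is a small C++ header-block parser that applies the two rules described above: trailing CRs on a field line are stripped in relaxed mode, while a line consisting of nothing but two or more CRs is rejected as an empty "CR header", and strict mode rejects any line that does not end in exactly CRLF. The function name, the result enum and the strict-mode rule are assumptions of this example.

```cpp
#include <string>
#include <vector>

enum class ParseResult { Ok, Malformed, Incomplete };

struct Field {
    std::string name;
    std::string value;
};

// Parses the header block that follows the request line, up to and including
// the empty line that terminates it. Each line is the bytes before an LF; the
// trailing CRs are counted separately so the two cases can be told apart:
//   - a field line ending in CR CR ... LF: benign, accepted in relaxed mode;
//   - a line made of nothing but two or more CRs ("CR header"): rejected.
// A line that is empty or a single CR is the normal end-of-headers marker.
// (Example code; names and the strict-mode rule are assumptions.)
ParseResult parseHeaderBlock(const std::string &buf, bool relaxed, std::vector<Field> &out)
{
    size_t pos = 0;
    for (;;) {
        const size_t lf = buf.find('\n', pos);
        if (lf == std::string::npos)
            return ParseResult::Incomplete;           // need more bytes
        std::string line = buf.substr(pos, lf - pos);
        pos = lf + 1;

        size_t crs = 0;                               // number of trailing CRs
        while (crs < line.size() && line[line.size() - 1 - crs] == '\r')
            ++crs;

        if (crs == line.size()) {                     // nothing but CRs (or empty)
            if (crs >= 2)
                return ParseResult::Malformed;        // empty "CR header": reject
            if (!relaxed && crs != 1)
                return ParseResult::Malformed;        // strict mode wants exactly CRLF
            return ParseResult::Ok;                   // end of header block
        }
        if (!relaxed && crs != 1)
            return ParseResult::Malformed;            // strict: no extra or missing CR
        line.erase(line.size() - crs);                // drop benign trailing CRs

        const size_t colon = line.find(':');
        if (colon == std::string::npos || colon == 0)
            return ParseResult::Malformed;            // not a field line
        size_t vstart = colon + 1;
        while (vstart < line.size() && (line[vstart] == ' ' || line[vstart] == '\t'))
            ++vstart;
        out.push_back({line.substr(0, colon), line.substr(vstart)});
    }
}
```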

Received on Thu Jul 29 2010 - 20:13:47 MDT
