Re: [PATCH] Bug 3234: CVE-2009-0801 resolution

From: Henrik Nordström <henrik_at_henriknordstrom.net>
Date: Thu, 23 Jun 2011 08:21:57 +0200

Mon 2011-06-20 at 22:50 +1200, Amos Jeffries wrote:

> * Persistent connections and cache HIT are not affected in any way.
> NP: pconns opened for these links are safe for use by any other requests
> due to the destination IP:port in the pconn key.

What is used as cache key?

We do not want trivial cache poisoning from this by clients
intentionally connecting to an evil IP with a Host header of
www.squid-cache.org.

What we discussed for this many years ago was to perform a DNS lookup of
the requested host. If the connected IP is included in the DNS
response then consider the request normal and forward it as usual. If
the connected IP is not in the DNS response then tunnel the request or
change the cache key to include the IP.

Regarding parent peering, this is still possible by wrapping the
request in a CONNECT.

Regards
Henrik
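An added illustration of the check described in the message above, in Python; it is not Henrik's code and not Squid's. A constructed in-memory table stands in for DNS, and classify() verifies the intercepted destination IP against the resolved Host name, otherwise tunnelling the request or folding the IP into the cache key; treating a Host port that disagrees with the connected port as unverified is this example's own addition.

```python
import ipaddress

# Constructed stand-in for DNS answers (documentation address ranges only).
FAKE_DNS = {
    "www.squid-cache.org": {"203.0.113.10", "203.0.113.11"},
    "www.example.com": {"198.51.100.5"},
}


def resolve(host):
    """Stand-in for the DNS lookup of the Host header's name."""
    return FAKE_DNS.get(host.lower().rstrip("."), set())


def split_host_header(host_header):
    """Return (name, port-or-None) from a Host header, incl. [v6]:port."""
    if host_header.startswith("["):                 # IPv6 literal
        name, _, rest = host_header[1:].partition("]")
        return name, (int(rest[1:]) if rest.startswith(":") else None)
    name, sep, port = host_header.rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return host_header, None


def classify(host_header, dst_ip, dst_port, path, policy="ip-key"):
    """Decide how to treat an intercepted request.

    dst_ip/dst_port: where the client actually connected.  The request is
    verified when dst_ip is among the addresses DNS returns for the Host
    name (or Host is an IP literal equal to dst_ip).  Unverified requests
    are tunnelled opaquely (policy="tunnel") or forwarded under a cache key
    that also carries dst_ip (policy="ip-key"), so a reply fetched from an
    arbitrary IP is never stored as the canonical entry for that hostname.
    """
    name, port = split_host_header(host_header)
    try:
        verified = ipaddress.ip_address(name) == ipaddress.ip_address(dst_ip)
    except ValueError:                      # Host is a name, not a literal
        verified = dst_ip in resolve(name)
    # This example's own addition: a Host port that disagrees with the
    # connected port is treated as unverified too.
    verified = verified and (port is None or port == dst_port)
    if verified:
        return {"action": "forward", "cache_key": f"http://{name}:{dst_port}{path}"}
    if policy == "tunnel":
        return {"action": "tunnel", "cache_key": None}
    return {"action": "forward",
            "cache_key": f"http://{name}:{dst_port}{path}#via={dst_ip}"}
```

With the same Host header, a request that reached a legitimate address and one that reached an arbitrary address end up under different cache keys, so the second can never be served as the first.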
Received on Thu Jun 23 2011 - 06:22:03 MDT