Re: [PATCH] Bug 3234: CVE-2009-0801 resolution

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 23 Jun 2011 20:18:14 +1200

On 23/06/11 18:21, Henrik Nordström wrote:
> Mon 2011-06-20 at 22:50 +1200, Amos Jeffries wrote:
>
>> * Persistent connections and cache HIT are not affected in any way.
>> NP: pconn opened for these links are safe for use by any other requests
>> due to the destination IP:port in the pconn key.
>
> What is used as cache key?
>
> We do not want trivial cache poisoning from this by clients
> intentionally connecting to evil IP and with a Host header of
> www.squid-cache.org.
>

Sigh. Point taken. 'tis broke right now.

>
> What we discussed for this many years ago was to perform a DNS lookup of
> the requested host. If the connected IP were included in the DNS
> response then consider the request normal and forward it as usual. If
> the connected IP is not in the DNS response then tunnel the request or
> change cache key to include IP.

Altering the cache key would make it not very re-usable though right?
Would it not be better to simply not store locally if the verify failed?

The verify step can still be done. As the first step of context
doCallouts would now be possible.

>
> Regarding parent peering then this is still possible by wrapping the
> request in a CONNECT.
>

Nice.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.9 and 3.1.12.3
Received on Thu Jun 23 2011 - 08:18:26 MDT
