Re: HTTP response splitting

2005-01-18 Thread Henrik Nordstrom
On Tue, 18 Jan 2005, Henrik Nordstrom wrote:

> The HTTP smuggling paper references another paper from the same group 
> describing interesting ways of cache pollution. I am currently working on 
> hardening Squid further from the described attack.

Patch now available in bug #1200.

One minor question which arose during this: should we even attempt to 
cache HTTP/0.9 style responses? (only body, no header or status line)

Today caching of such responses can be forced by a refresh pattern with a 
min age >0, but I am not sure it is wise to allow these to be cached, as I 
suspect this kind of reply quite likely happens in protocol screwups.

Regards
Henrik
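
The question above, as an added sketch that is not part of the original post and not Squid code: a reply that does not begin with a status line is classified as HTTP/0.9 style, and the cache decision is shown under today's behaviour (refresh pattern min age > 0 forces caching) and under a stricter policy that never stores such replies. All identifiers are hypothetical, the sample inputs are constructed, and single-digit HTTP version numbers are assumed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* All names below are hypothetical and chosen for this sketch. */
enum reply_kind { REPLY_INCOMPLETE, REPLY_HTTP1, REPLY_HTTP09 };

#define STATUS_LEN 12  /* length of "HTTP/1.0 200" */

/* Match byte i against the template; 'd' stands for one decimal digit.
 * Assumption: single-digit major and minor version numbers. */
static int status_byte_ok(size_t i, unsigned char c)
{
    static const char tmpl[] = "HTTP/d.d ddd";
    return tmpl[i] == 'd' ? isdigit(c) != 0 : c == (unsigned char)tmpl[i];
}

/* Classify the first bytes read from the server side of a connection. */
enum reply_kind classify_reply(const char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len && i < STATUS_LEN; i++)
        if (!status_byte_ok(i, (unsigned char)buf[i]))
            return REPLY_HTTP09;      /* no status line: body-only reply */
    return i == STATUS_LEN ? REPLY_HTTP1 : REPLY_INCOMPLETE;
}

/* min_age models the refresh pattern minimum age from the post.
 * allow_http09 = 1 is today's behaviour, 0 is the stricter policy. */
int may_cache(enum reply_kind kind, long min_age, int allow_http09)
{
    if (kind == REPLY_INCOMPLETE) return 0;   /* need more data first */
    if (kind == REPLY_HTTP09) return allow_http09 && min_age > 0;
    return 1;  /* HTTP/1.x: normal header-based rules apply (not modelled) */
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "HTTP/1.0 200 OK\r\n\r\nhi", "<html>stray body bytes", "HTTP/1." };
    size_t n;
    for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
        enum reply_kind k = classify_reply(samples[n], strlen(samples[n]));
        printf("kind=%d cache(today)=%d cache(strict)=%d\n", (int)k,
               may_cache(k, 3600, 1), may_cache(k, 3600, 0));
    }
    return 0;
}
```

The second sample stands for the protocol-screwup case: bytes that arrive where a status line was expected are indistinguishable from a legitimate HTTP/0.9 body, so under the stricter policy they are forwarded but never stored.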


Job opportunity with The Measurement Factory

2005-01-18 Thread Duane Wessels
More info at http://www.measurement-factory.com/jobs.html
Duane W.