Hopefully this finalises our list of PRE4 bugs
On 9 May 2006, at 08:43, Henrik Nordstrom wrote:
mån 2006-05-08 klockan 10:32 +1200 skrev Doug Dixon:
1200 (HTTP Response Splitting attack) - patched in 2.5 - is this an
easy port?
It's a bit of work, and not very important for the PRE4 release. It's
sufficient to have it documented as a known weakness, and thereby
discouraging people from running PRE4 in production as a Internet
proxy
on "innocent" users who likes to visit "bad" sites..
OK, won't add to PRE4, we'll append a suitable warning to the PRE4
release notes
1265 (httpReadReply: Excess data from ... can be silenced in many
cases) - patched in 2.5 - is this an easy port?
Yes, but definitely not a blocker. It's about making Squid shut up
about
non-compliant HTTP servers. A PRE release should be noisy about things
it doesn't like as these cases triggers code paths seldom exercised on
the normal traffic which means there is a high risk of bugs in related
areas..
If worried you can always chain with a 2.5.STABLE14 parent to fix this
class of HTTP pollution malware (both 1200 and 1265).
OK, won't add to PRE4, it's an enhancement. But please forward port
when you can :)
First, I think we should probably push the ESI bugs forward to PRE5.
Sounds reasonable. Well, if 1088 (segfault in string handling) is
easily
diagnosed it's probably beneficial to fix this, but 975 (long
documents)
defenitely can be kicked forward if you ask me.
* 1125 (although, is this really 1028 which is already in there?)
Looks the same to me to me.
Marked as duplicate. 1125 is now the PRE4 bug (not 1028 any more)
Bugs to potentially remove from the list:
* 942 (squid-3.0-PRE3-20040309 uncached 304's broken)
defenitely. Should perhaps be kicked forward to 3.1 even.. unless I
have
completely misunderstood the bug report.
Removed from PRE4
* 897 (Extra CRLF Added After Headers)
no problem to kick this forward to next PRE release for me, but it
might
be a bit annoying to the users who get bitten by it (random images
broken etc.. usually but not always fixed by a forced reload)
Removed from PRE4
* 951 (Assert failure in ESIInclude.cc:563: "parent.getRaw()")
Natural per the above decision..
Removed from PRE4
Are we happy to defer ESI stuff (951, 975, 1088) to PRE5?
I am.
Done
Are we happy to defer 801
Yes.
and 1494 to PRE5?
Not sufficient info in this report. Missing stack trace. So yes.
Are we happy to remove 942 and 897 from PRE4?
What you mean by remove?
I mean remove them from the PRE4 critical path - which I have done
(above)
See above for my comments on these bugs.
Regards
Henrik
I have also added these to PRE4 as agreed:
* 1089 (PATCH25)
* 1465
* 1468
As if by magic, our list is still nine bugs long, but they're
probably now the right ones to concentrate on.
Cheers
Doug
