Basically: Host header forgery meets interception. What ideas/patches do we have floating around to solve it? I understand it's an old problem.
I'm throwing together a patch to verify the received dst IP is in the rDNS for the Host: domain. But that's only raising the bar of difficulty, not closing the hole.
Amos
-- 
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.6
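The check mentioned in the message, sketched as an added example; it is not Squid code and not the patch the author refers to. It assumes the check resolves the Host: name to an address set and tests whether the intercepted destination IP is in it; `Resolver`, `hostName`, `verifyHost` and `sampleResolve` are hypothetical names, and the zone data is constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <functional>
#include <iostream>
#include <map>
#include <set>
#include <string>

// Hypothetical resolver type: host name -> set of addresses DNS returns for it.
using Resolver = std::function<std::set<std::string>(const std::string&)>;
enum class HostCheck { Match, Mismatch, Unresolvable };

// Strip an optional ":port" (or "[v6]:port" brackets) and lower-case the Host: value.
std::string hostName(const std::string& hostHeader) {
    std::string h = hostHeader;
    if (!h.empty() && h.front() == '[') {
        auto end = h.find(']');
        h = h.substr(1, end == std::string::npos ? std::string::npos : end - 1);
    } else {
        auto colon = h.rfind(':');
        if (colon != std::string::npos) h.erase(colon);
    }
    std::transform(h.begin(), h.end(), h.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return h;
}

// Compare the destination IP of the intercepted connection with the Host: name.
HostCheck verifyHost(const std::string& hostHeader, const std::string& dstIp,
                     const Resolver& resolve) {
    const std::string name = hostName(hostHeader);
    if (name == dstIp) return HostCheck::Match;         // Host: is the IP literal itself
    const auto addrs = resolve(name);
    if (addrs.empty()) return HostCheck::Unresolvable;  // fail closed: header unverified
    return addrs.count(dstIp) ? HostCheck::Match : HostCheck::Mismatch;
}

// Constructed sample zone (RFC 5737 documentation addresses), so the example runs offline.
std::set<std::string> sampleResolve(const std::string& name) {
    static const std::map<std::string, std::set<std::string>> zone = {
        {"www.example.com", {"192.0.2.10", "192.0.2.11"}},
    };
    auto it = zone.find(name);
    return it == zone.end() ? std::set<std::string>{} : it->second;
}

int main() {
    bool bad = verifyHost("www.example.com", "198.51.100.7", sampleResolve) == HostCheck::Mismatch;
    std::cout << (bad ? "mismatch: do not cache under Host name\n" : "ok\n");
}
```

A `Mismatch` can also occur for legitimate traffic when the client and the proxy receive different DNS answers for the same name, so the result is better used to decide how the request is cached and routed than as proof of forgery.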
