Mark Nottingham wrote:
Sorry to be blunt, but shouldn't these sites be securing themselves?
Having Squid strip this header hardly closes any significant attack
vectors off... and doing so creates yet another special case for people
to work around.
-1 on Translate (default strip; registering it, I suppose, although it's
a vendor-specific extension header that they haven't bothered to
register; I'd rather the focus be on those headers that people have
actually tried to do the right thing for -- especially when they have
*not* said they'll license patents for this specification).
Well, that's 2:1 against any special treatment.
WRT Unless-Modified-Since -- IIRC this is a very old, pre-2068 version
of If-Range. /me looks around...
see:
http://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15847a-s96/web/draft-luotonen-http-url-byterange-02.txt
Range? yeesh, truly mixed bag of garbage there then.
What's the issue with it? Amusingly, MSFT thinks it's a response header:
http://msdn.microsoft.com/en-us/library/aa917918.aspx
:)
The 'issue' with them is that at least one brand of commercial box views
them as a security hazard and rejects requests from clients using them
outright.
Fair enough IMO. but ... something involved with PDF somehow still
insists on sending them.
http://www.mail-archive.com/squid-us...@squid-cache.org/msg63980.html
Amos
On 18/05/2009, at 9:05 PM, Amos Jeffries wrote:
Both of these are non-standard headers created by Microsoft.
These are both weird ones. We seem to need them, but only because they
need to be stripped away in certain circumstances.
The Translate: header is the trickiest. After reading the docs it
appears we should be always stripping it away for security. Its
entire purpose is to perform code disclosure 'attacks' on targeted
dynamic sites. With perhaps a fast-ACL to allow admins to use it and
control the requests using it when they really need to.
Pending any objections I'll add as registered headers in 3.0 and the
above handling for Translate in 3.1.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.7
--
Mark Nottingham m...@yahoo-inc.com
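For an administrator who wants the "strip by default, allow by ACL" handling Amos describes above without waiting on a Squid release, the following squid.conf fragment is an added illustration and is not part of the thread or of the Squid project's configuration files. It assumes Squid 3.x directive syntax (request_header_access), that Translate is a header name Squid recognises (the thread says it would be registered in 3.0; on older builds an unknown name may not be matched), and a constructed trusted-client subnet 10.0.0.0/8 in place of whatever network actually hosts the WebDAV authoring clients.

```conf
# Constructed example: clients that legitimately use Translate: (e.g. WebDAV
# authoring tools) come from this subnet; everyone else has it stripped.
acl translate_clients src 10.0.0.0/8

# Forward the Translate: request header only for the trusted clients;
# remove it from every other request so an arbitrary client cannot ask
# an origin server for the unprocessed source of a dynamic page.
request_header_access Translate allow translate_clients
request_header_access Translate deny all

# Unless-Modified-Since is a pre-RFC 2068 precursor of If-Range; some
# middleboxes reject requests carrying it, so drop it unconditionally.
request_header_access Unless-Modified-Since deny all
```

The two Translate lines are evaluated in order, so the allow for the trusted ACL must come before the catch-all deny; with only the deny line the header is stripped for everyone, which is the default Amos proposes. Requests from the trusted subnet that still need the header can be inspected in access.log like any other request, and the ACL can be tightened to individual hosts once the legitimate users are known.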