On 18/07/11 01:24, Amos Jeffries wrote:
This patch adds a verify step between header parsing and http_access to
validate that the Host: header matches the URL for forward-proxied
traffic or the destination IP:port for intercepted traffic.

This is part 1 of the CVE-2009-0801 protections. The validation step is
required to detect forgery and protect against cache poisoning.

Technically this alone resolves the security breach parts of the overall
problem.


Part 2 with destination IP pinning on the request fetch is an
optimization to avoid extra DNS load and any side-effects of changing
the destination mid-way.

Amos

Applied with minor tweaks

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.10
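The two checks the patch description above introduces, written out as an added example (not Squid's own code): for forward-proxied requests the Host: header must name the same host and port as the absolute URL, and for intercepted traffic it must equal the destination IP:port, taken here as a literal comparison exactly as the mail describes it. Default ports for http/https and the sample request values are assumptions.

```python
from urllib.parse import urlsplit
import ipaddress

DEFAULT_PORTS = {"http": 80, "https": 443}  # assumed scheme defaults


def parse_host_header(host_header, default_port):
    """Split 'host[:port]' (IPv6 in brackets) into (host, port); None if malformed."""
    h = host_header.strip()
    if h.startswith("["):                      # bracketed IPv6 literal
        end = h.find("]")
        if end < 0:
            return None
        host, rest = h[1:end], h[end + 1:]
    else:
        host, sep, rest = h.partition(":")
        rest = sep + rest
    if rest == "":
        port = default_port
    elif rest.startswith(":") and rest[1:].isdigit():
        port = int(rest[1:])
    else:
        return None
    return host.lower(), port


def host_matches_url(host_header, request_url):
    """Forward proxy: reject when Host: disagrees with the URL's authority."""
    u = urlsplit(request_url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        return False
    default = DEFAULT_PORTS[u.scheme]
    try:
        url_port = u.port if u.port is not None else default
    except ValueError:                         # non-numeric or out-of-range port
        return False
    return parse_host_header(host_header, default) == (u.hostname.lower(), url_port)


def host_matches_destination(host_header, dst_ip, dst_port):
    """Intercepted traffic: Host: must be the literal destination IP and port."""
    parsed = parse_host_header(host_header, dst_port)
    if parsed is None:
        return False
    host, port = parsed
    try:
        return ipaddress.ip_address(host) == ipaddress.ip_address(dst_ip) and port == dst_port
    except ValueError:                         # hostname, not an IP literal
        return False
```

A request failing either check is the forged-Host case the mail describes and should be refused before http_access and never cached under the URL it claims.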
