On 19/07/2014 2:55 a.m., Alex Rousskov wrote:
> On 07/18/2014 01:32 AM, Amos Jeffries wrote:
>> Some of the statistics being brought up in the IETF HTTP/2 discussions
>> are highlighting certain garbage headers which are unfortunately quite
>> common.
> 
> I join Eliezer in begging for pointers to relevant posts or pages.
> 
> 
>> I have wondered about creating a registry of known garbage and simply
>> dropping those headers on arrival in the parser. This would be in
>> addition to the header registry lookup and masking process we have for
>> hop-by-hop headers.
>>
>> Any other thoughts on this?
> 
> We already have squid.conf options to drop headers. Folks that want to
> focus on saving bandwidth may use them. We can publish the corresponding
> configuration excerpts on the wiki.
> 
> If those options are not enough, let's add more. If those options slow
> Squid down too much, let's discuss optimizations (keeping in mind that
> much better optimizations can probably be obtained by preserving header
> blobs during forwarding).
> 
> However, please do not hard-code policing of messages Squid can grok,
> especially in the parser.


See my post in reply to Eliezer. The general garbage ones we could leave
to admin. But the connection: and content-length header mangling, and
some of the other security bypasses have deeper implications and special
processing may be needed to clean up properly, i.e. drop a cneonction:
header and also drop any it lists just to be safe, or reject requests
with cteonnt-length: header in self defense.

Amos
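
The special handling proposed in this message, sketched as an added Python example (it is not Squid code and not from anyone in the thread). The function name `sanitize`, the `RejectRequest` exception and the sample requests are constructed for illustration; only the two mangled header names come from the message.

```python
# Added illustration; not Squid source. Header names are the ones quoted above.
MANGLED_CONNECTION = {"cneonction"}
MANGLED_LENGTH = {"cteonnt-length"}


class RejectRequest(Exception):
    """Raised when the request should be refused rather than repaired."""


def sanitize(headers):
    """headers: list of (name, value) pairs in arrival order.

    Returns the pairs to forward, or raises RejectRequest.
    """
    drop = set()
    # First pass: decide what to drop, so that a listed header is removed
    # even when it arrives before the mangled header that names it.
    for name, value in headers:
        lname = name.strip().lower()
        if lname in MANGLED_LENGTH:
            raise RejectRequest(f"mangled length header: {name}")
        if lname in MANGLED_CONNECTION:
            drop.add(lname)
            # Treat the value like a Connection token list: every header
            # it names is dropped too.
            drop.update(t.strip().lower() for t in value.split(",") if t.strip())
    # Second pass: forward everything that was not marked.
    return [(n, v) for n, v in headers if n.strip().lower() not in drop]


# Constructed sample requests (hypothetical header values).
LISTED = [
    ("Host", "example.test"),
    ("X-Internal-Auth", "1"),  # arrives before the header that lists it
    ("Cneonction", "close, X-Internal-Auth"),
    ("Accept", "*/*"),
]
BAD_LENGTH = [("Host", "example.test"), ("Cteonnt-Length", "12")]

if __name__ == "__main__":
    print(sanitize(LISTED))
    try:
        sanitize(BAD_LENGTH)
    except RejectRequest as exc:
        print("rejected:", exc)
```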
