On 22/10/2025 22:04, Dmitry Melekhov wrote:
22.10.2025 12:55, Stuart Henderson пишет:
On 2025-10-22, Dmitry Melekhov wrote:
22.10.2025 08:17, Amos Jeffries пишет:
Any server could easily respond with HTTPS on port 80 - especially
since the domain "http" is rare and likely crafted to exist by an
attacker.
Sorry, I don't see any real problem here, otherwise all squids before 7
are affected.
"all squids before 7 are affected" - surely that's exactly why this was
tightened up?
I didn't see any CVE about this.
Two reasons for that.
* the bug is bad helper output. Which means the CVE would be issued
against the specific helper being used.
- that requires finding the broken ones, and hence the error messages.
* using a URL-rewrite helper for access control/permissions is a Squid
misconfiguration on the admins part.
- thus my encouragement to use ACLs better.
Unfortunately we did find another Squid bug when fixing your config.
Making this change to Rejik will let it accept "%>a %>A" instead of
needing "%>a/%>A" in the external_acl_type line.
--- parse_input.c 2013-11-15 23:28:02.000000000 +1300
+++ parse_input.c 2025-10-23 15:42:35.016801899 +1300
@@ -86,7 +86,7 @@
// Digit 4
k=tmp;
c=0;
- while(*str!='/')
+ while(*str!='/' && *str!=' ')
{
if (*str==0 || c>2) return (-1);
*k++=*str++;
HTH
Amos
_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
