commit 8e657e835965c3a011375feaa0359921c5b3e2dd (refs/remotes/origin/v3.5)
Author: Amos Jeffries <yadij@users.noreply.github.com>
Date:   2019-08-13 13:50:06 +0000

    Ignore malformed Host header in intercept and reverse proxy mode (#456)

diff --git a/src/client_side.cc b/src/client_side.cc
index d374ad1..f14424d 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2050,6 +2050,23 @@ setLogUri(ClientHttpRequest * http, char const *uri, bool cleanUrl)
     }
 }
 
+static char *
+getHostHeader(const char *req_hdr)
+{
+    char *host = mime_get_header(req_hdr, "Host");
+    if (!host)
+        return NULL;
+
+    // check the header contents are valid
+    for(const char *c = host; *c != '\0'; ++c) {
+        // currently only used for pre-parse Host header, ensure valid domain[:port] or ip[:port]
+        static const CharacterSet hostChars = CharacterSet("host",":[].-_") + CharacterSet::ALPHA + CharacterSet::DIGIT;
+        if (hostChars[*c])
+            return NULL; // error. line contains character not accepted in Host header
+    }
+    return host;
+}
+
 static void
 prepareAcceleratedURL(ConnStateData * conn, ClientHttpRequest *http, char *url, const char *req_hdr)
 {
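Review bot: The character check in getHostHeader is inverted: `if (hostChars[*c]) return NULL;` rejects the value as soon as it meets an accepted byte, so every well-formed Host header is discarded and only a value made entirely of disallowed bytes reaches the callers. The intended test is `if (!hostChars[*c]) return NULL;`, which commit 21d99bd later in this patch set applies. The `static const CharacterSet hostChars` would also read better declared once above the loop rather than inside its body, since it does not depend on the iteration.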
@@ -2092,7 +2109,7 @@ prepareAcceleratedURL(ConnStateData * conn, ClientHttpRequest *http, char *url,
 
     const bool switchedToHttps = conn->switchedToHttps();
     const bool tryHostHeader = vhost || switchedToHttps;
-    if (tryHostHeader && (host = mime_get_header(req_hdr, "Host")) != NULL) {
+    if (tryHostHeader && (host = getHostHeader(req_hdr)) != NULL) {
         debugs(33, 5, "ACCEL VHOST REWRITE: vhost=" << host << " + vport=" << vport);
         char thost[256];
         if (vport > 0) {
@@ -2151,7 +2168,7 @@ prepareTransparentURL(ConnStateData * conn, ClientHttpRequest *http, char *url,
 
     /* BUG: Squid cannot deal with '*' URLs (RFC2616 5.1.2) */
 
-    if ((host = mime_get_header(req_hdr, "Host")) != NULL) {
+    if ((host = getHostHeader(req_hdr)) != NULL) {
         int url_sz = strlen(url) + 32 + Config.appendDomainLen +
                      strlen(host);
         http->uri = (char *)xcalloc(url_sz, 1);
commit d29ac78fd203f55bf391bcb24348ed43ea469d21
Author: squidadm <squidadm@users.noreply.github.com>
Date:   2020-02-02 00:03:24 +1300

    Fix request URL generation in reverse proxy configurations (#550)

diff --git a/src/client_side.cc b/src/client_side.cc
index f14424d..3fecf68 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2109,9 +2109,9 @@ prepareAcceleratedURL(ConnStateData * conn, ClientHttpRequest *http, char *url,
 
     const bool switchedToHttps = conn->switchedToHttps();
     const bool tryHostHeader = vhost || switchedToHttps;
-    if (tryHostHeader && (host = getHostHeader(req_hdr)) != NULL) {
+    if (tryHostHeader && (host = getHostHeader(req_hdr)) != NULL && strlen(host) >= SQUIDHOSTNAMELEN) {
         debugs(33, 5, "ACCEL VHOST REWRITE: vhost=" << host << " + vport=" << vport);
-        char thost[256];
+        char thost[SQUIDHOSTNAMELEN + 6 /* ':' vport */];
         if (vport > 0) {
             thost[0] = '\0';
             char *t = NULL;
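Review bot: The length guard `strlen(host) >= SQUIDHOSTNAMELEN` is inverted: it admits only over-long Host values into the rewrite that fills `thost` and skips the rewrite for every host shorter than the limit, the opposite of what sizing `thost` to SQUIDHOSTNAMELEN + 6 is meant to protect. Commit 21d99bd below flips it to `<=`. prepareAcceleratedURL continues outside the hunk, so the copy into `thost` is not visible here.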
commit 21d99bdeaed7b2208098d824496da954920ea720 (HEAD, refs/remotes/origin/v3.5, refs/heads/v3.5)
Author: Armin Wolfermann <aw@osn.de>
Date:   2020-02-04 21:15:00 +0100

    fix security patch

diff --git a/src/client_side.cc b/src/client_side.cc
index 3fecf68..2d58fcb 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2061,7 +2061,7 @@ getHostHeader(const char *req_hdr)
     for(const char *c = host; *c != '\0'; ++c) {
         // currently only used for pre-parse Host header, ensure valid domain[:port] or ip[:port]
         static const CharacterSet hostChars = CharacterSet("host",":[].-_") + CharacterSet::ALPHA + CharacterSet::DIGIT;
-        if (hostChars[*c])
+        if (!hostChars[*c])
             return NULL; // error. line contains character not accepted in Host header
     }
     return host;
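Review bot: The comment `// currently only used for pre-parse Host header, ensure valid domain[:port] or ip[:port]` overstates what the corrected check does: it is a per-byte character-class filter, so a value such as `::::` or `a:b:c` passes as long as every byte is in the set. Reword it to `// byte-class check only: reject anything outside [A-Za-z0-9:.[]_-]; does not validate domain[:port] structure` so a later reader does not rely on it for structural validation. getHostHeader begins above this hunk.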
@@ -2109,7 +2109,7 @@ prepareAcceleratedURL(ConnStateData * conn, ClientHttpRequest *http, char *url,
 
     const bool switchedToHttps = conn->switchedToHttps();
     const bool tryHostHeader = vhost || switchedToHttps;
-    if (tryHostHeader && (host = getHostHeader(req_hdr)) != NULL && strlen(host) >= SQUIDHOSTNAMELEN) {
+    if (tryHostHeader && (host = getHostHeader(req_hdr)) != NULL && strlen(host) <= SQUIDHOSTNAMELEN) {
         debugs(33, 5, "ACCEL VHOST REWRITE: vhost=" << host << " + vport=" << vport);
         char thost[SQUIDHOSTNAMELEN + 6 /* ':' vport */];
         if (vport > 0) {
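Review bot: `strlen(host) <= SQUIDHOSTNAMELEN` admits a host of exactly SQUIDHOSTNAMELEN bytes, but `thost` is sized SQUIDHOSTNAMELEN + 6, which holds `:` plus up to five port digits with no room for the terminating NUL when the host is at the limit. Either tighten the guard to `strlen(host) < SQUIDHOSTNAMELEN` or size the buffer `char thost[SQUIDHOSTNAMELEN + 7 /* ':' + 5-digit vport + NUL */];`. Whether the copy below the hunk truncates or overruns at that length cannot be seen here, as prepareAcceleratedURL continues outside the hunk.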