commit 8e657e835965c3a011375feaa0359921c5b3e2dd (refs/remotes/origin/v3.5)
Author: Amos Jeffries
Date: 2019-08-13 13:50:06 +0000
Ignore malformed Host header in intercept and reverse proxy mode (#456)
diff --git a/src/client_side.cc b/src/client_side.cc
index d374ad1..f14424d 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2050,6 +2050,23 @@ setLogUri(ClientHttpRequest * http, char const *uri, bool cleanUrl)
 }
 }
+static char *
+getHostHeader(const char *req_hdr)
+{
+ char *host = mime_get_header(req_hdr, "Host");
+ if (!host)
+ return NULL;
+
+ // check the header contents are valid
+ for(const char *c = host; *c != '\0'; ++c) {
+ // currently only used for pre-parse Host header, ensure valid domain[:port] or ip[:port]
+ static const CharacterSet hostChars = CharacterSet("host",":[].-_") + CharacterSet::ALPHA + CharacterSet::DIGIT;
+ if (hostChars[*c])
+ return NULL; // error. line contains character not accepted in Host header
+ }
+ return host;
+}
+
 static void
 prepareAcceleratedURL(ConnStateData * conn, ClientHttpRequest *http, char *url, const char *req_hdr)
 {
@@ -2092,7 +2109,7 @@ prepareAcceleratedURL(ConnStateData * conn, ClientHttpRequest *http, char *url,
 const bool switchedToHttps = conn->switchedToHttps();
 const bool tryHostHeader = vhost || switchedToHttps;
- if (tryHostHeader && (host = mime_get_header(req_hdr, "Host")) != NULL) {
+ if (tryHostHeader && (host = getHostHeader(req_hdr)) != NULL) {
 debugs(33, 5, "ACCEL VHOST REWRITE: vhost=" << host << " + vport=" << vport);
 char thost[256];
 if (vport > 0) {
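Review bot: The character test in the new getHostHeader is inverted: `hostChars[*c]` is true for a character that is in the allowlist, so `if (hostChars[*c]) return NULL;` rejects every Host header made only of permitted characters and lets through exactly the malformed values the function was added to stop. The guard should read `if (!hostChars[*c])`, which is what the later commit 21d99bd on this page applies. Since the rejection is silent, a short `debugs(33, 3, ...)` on the NULL return (logging that the header was rejected, not its contents) would make the resulting "vhost rewrite never happens" symptom diagnosable from the debug log.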
@@ -2151,7 +2168,7 @@ prepareTransparentURL(ConnStateData * conn, ClientHttpRequest *http, char *url,
 /* BUG: Squid cannot deal with '*' URLs (RFC2616 5.1.2) */
- if ((host = mime_get_header(req_hdr, "Host")) != NULL) {
+ if ((host = getHostHeader(req_hdr)) != NULL) {
 int url_sz = strlen(url) + 32 + Config.appendDomainLen + strlen(host);
 http->uri = (char *)xcalloc(url_sz, 1);
commit d29ac78fd203f55bf391bcb24348ed43ea469d21
Author: squidadm
Date: 2020-02-02 00:03:24 +1300
Fix request URL generation in reverse proxy configurations (#550)
diff --git a/src/client_side.cc b/src/client_side.cc
index f14424d..3fecf68 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2109,9 +2109,9 @@ prepareAcceleratedURL(ConnStateData * conn, ClientHttpRequest *http, char *url,
 const bool switchedToHttps = conn->switchedToHttps();
 const bool tryHostHeader = vhost || switchedToHttps;
- if (tryHostHeader && (host = getHostHeader(req_hdr)) != NULL) {
+ if (tryHostHeader && (host = getHostHeader(req_hdr)) != NULL && strlen(host) >= SQUIDHOSTNAMELEN) {
 debugs(33, 5, "ACCEL VHOST REWRITE: vhost=" << host << " + vport=" << vport);
- char thost[256];
+ char thost[SQUIDHOSTNAMELEN + 6 /* ':' vport */];
 if (vport > 0) {
 thost[0] = '\0';
 char *t = NULL;
commit 21d99bdeaed7b2208098d824496da954920ea720 (HEAD, refs/remotes/origin/v3.5, refs/heads/v3.5)
Author: Armin Wolfermann
Date: 2020-02-04 21:15:00 +0100
fix security patch
diff --git a/src/client_side.cc b/src/client_side.cc
index 3fecf68..2d58fcb 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2061,7 +2061,7 @@ getHostHeader(const char *req_hdr)
 for(const char *c = host; *c != '\0'; ++c) {
 // currently only used for pre-parse Host header, ensure valid domain[:port] or ip[:port]
 static const CharacterSet hostChars = CharacterSet("host",":[].-_") + CharacterSet::ALPHA + CharacterSet::DIGIT;
- if (hostChars[*c])
+ if (!hostChars[*c])
 return NULL; // error. line contains character not accepted in Host header
 }
 return host;
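Review bot: The new length guard `strlen(host) >= SQUIDHOSTNAMELEN` in commit d29ac78's hunk is the wrong way round: it skips the vhost rewrite for every host that fits and admits only hosts at or beyond the limit into the newly sized `thost`, so reverse-proxy URLs are no longer rebuilt for ordinary requests. The buffer size also leaves no room for the terminator: `SQUIDHOSTNAMELEN + 6` covers ':' plus five port digits, so a host of exactly SQUIDHOSTNAMELEN characters with a five-digit vport (assuming vport is a normal TCP port) needs one more byte, and whether that truncates or overflows depends on the copy code after the hunk, which is not shown. Either use `strlen(host) < SQUIDHOSTNAMELEN` with the existing buffer, or keep `<=` and declare `char thost[SQUIDHOSTNAMELEN + 7 /* ':' vport NUL */];`. The same sizing point applies to the `@@ -2109` hunk of commit 21d99bd below, which flips the comparison to `<=` but keeps the `+ 6` buffer; prepareAcceleratedURL begins and ends outside both hunks.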
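Review bot: With the negation fixed in commit 21d99bd's first hunk, the comment above the hostChars line now overstates what the loop does: it is a per-character allowlist, not a domain[:port] or ip[:port] syntax check, so values such as a bare `:` or `..` still pass. Reword it to `// per-character allowlist only; does not validate host or port structure` so a later reader does not treat getHostHeader's non-NULL result as a parsed, well-formed authority. The `static const CharacterSet hostChars` is also declared inside the loop body; hoisting it above the `for` reads more clearly, although as a function-local static it is initialised only once either way. getHostHeader's signature and the mime_get_header call are outside the hunk.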
@@ -2109,7 +2109,7 @@ prepareAcceleratedURL(ConnStateData * conn, ClientHttpRequest *http, char *url,
 const bool switchedToHttps = conn->switchedToHttps();
 const bool tryHostHeader = vhost || switchedToHttps;
- if (tryHostHeader && (host = getHostHeader(req_hdr)) != NULL && strlen(host) >= SQUIDHOSTNAMELEN) {
+ if (tryHostHeader && (host = getHostHeader(req_hdr)) != NULL && strlen(host) <= SQUIDHOSTNAMELEN) {
 debugs(33, 5, "ACCEL VHOST REWRITE: vhost=" << host << " + vport=" << vport);
 char thost[SQUIDHOSTNAMELEN + 6 /* ':' vport */];
 if (vport > 0) {
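Review bot: When getHostHeader returns a host longer than SQUIDHOSTNAMELEN the corrected condition is simply false and the rewrite is skipped without any trace, while the accepted path logs at level 5; an operator whose reverse proxy stopped rewriting (the failure mode the previous commit on this page introduced) gets nothing in the debug log. Consider evaluating the length in its own statement so the rejection can log, for example `debugs(33, 3, "ignoring over-long Host header (" << strlen(host) << " chars)");` before falling through, logging the length rather than the untrusted value. The else branches this condition feeds are outside the hunk, so any restructuring needs to be checked against them.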