git.ipfire.org Git - thirdparty/squid.git/commit

Relay peer CONNECT error status line and headers to users (#80)

Automated agents and human users (or their support staff!) often benefit
from knowing what went wrong. Dropping such details is a bad default.
For example, automation may rely on receiving the original status code.

Our CVE-2015-5400 fix (74f35ca) was too aggressive -- it hid all peer
errors behind a generic 502 (Bad Gateway) response. Pass-through peer
authentication errors were later (971003b) exposed again, but our CVE
fix intent was _not_ to hide _any_ peer errors in the first place! The
intent was to close the connection after delivering the error response.
Hiding peer errors was an (unfortunate) implementation choice.

It could be argued that some peer errors should not be relayed, but
since Squid successfully relayed all peer errors prior to 74f35ca and
continues to relay all non-CONNECT peer errors today, discriminating
peer errors is a separate (and possibly unnecessary) feature.

Ideally, Squid should mangle and relay the whole error message (instead
of sending small original headers). Squid should also relay 1xx control
messages while waiting for the final response. Unfortunately, doing so
properly, without reopening CVE-2015-5400 or duplicating a lot of
complex code, is a huge project. This small change fixes the most acute
manifestation of the "hiding errors from users" problem. The rest is a
long-term TODO.

author	Alex Rousskov <rousskov@measurement-factory.com>
	Fri, 17 Nov 2017 16:30:09 +0000 (09:30 -0700)
committer	Amos Jeffries <yadij@users.noreply.github.com>
	Thu, 30 Nov 2017 08:14:04 +0000 (21:14 +1300)
commit	4d607337f620eef0f687b9b76c40b8a2a80a5596
tree	202be3c7f8692e139549ad6b1d361ef3d0dd151d	tree \| snapshot
parent	a726dfd866897022ccdac968ee4426d50b0ca61b	commit \| diff