git.ipfire.org Git - thirdparty/squid.git/commit

author	Amos Jeffries <yadij@users.noreply.github.com>
	Sat, 11 Oct 2025 03:33:02 +0000 (16:33 +1300)
committer	GitHub <noreply@github.com>
	Sat, 11 Oct 2025 03:33:02 +0000 (16:33 +1300)
commit	e7e9073a2435cc93b913553d147b497fda77c1ab
tree	677f1485f81e35612dbc04e1c128bfb907912ce2	tree \| snapshot
parent	bbc23aada0cde2712e0a8fdc35598650007638df	commit \| diff

Bug 3390: Proxy auth data visible to scripts (#2249)

Original changes to redact credentials from error page %R code
expansion output was incomplete. It missed the parse failure
case where ErrorState::request_hdrs raw buffer contained
sensitive information.

Also missed was the %W case where full request message headers
were generated in a mailto link. This case is especially
problematic as it may be delivered over insecure SMTP even if
the error was secured with HTTPS.

After this change:
* The HttpRequest message packing code for error pages is de-duplicated
and elides authentication headers for both %R and %W code outputs.
* The %R code output includes the CRLF request message terminator.
* The email_err_data directive causing advanced details to be added to
%W mailto links is disabled by default.

Also redact credentials from generated TRACE responses.

---------

Co-authored-by: Alex Rousskov <rousskov@measurement-factory.com>

doc/release-notes/release-7.sgml.in		diff \| blob \| blame \| history
src/HttpRequest.cc		diff \| blob \| blame \| history
src/HttpRequest.h		diff \| blob \| blame \| history
src/cf.data.pre		diff \| blob \| blame \| history
src/client_side_reply.cc		diff \| blob \| blame \| history
src/errorpage.cc		diff \| blob \| blame \| history
src/errorpage.h		diff \| blob \| blame \| history
src/tests/stub_HttpRequest.cc		diff \| blob \| blame \| history