... in intercepted communications.
<p>New setting for client bandwith limits to determines the
client-side delay pool for the request.
+ <tag>client_dst_passthru</tag>
+ <p>New setting to disable Host: header security on interception proxies.
+ Impacts cache integrity/reliability and client browser security.
+
<tag>cpu_affinity_map</tag>
<p>New setting for SMP support to map Squid processes onto specific CPU cores.
#include "squid.h"
#include "acl/DestinationIp.h"
#include "acl/FilledChecklist.h"
+#include "comm/Connection.h"
#include "HttpRequest.h"
+// for Config.*
+#include "structs.h"
char const *
ACLDestinationIP::typeString() const
ACLDestinationIP::match(ACLChecklist *cl)
{
ACLFilledChecklist *checklist = Filled(cl);
+
+ // Bug 3243: CVE 2009-0801
+ // Bypass of browser same-origin access control in intercepted communication
+ // To resolve this we will force DIRECT and only to the original client destination.
+ // In which case, we also need this ACL to accurately match the destination
+ if (Config.onoff.client_dst_passthru && checklist->request &&
+ (checklist->request->flags.intercepted || checklist->request->flags.spoof_client_ip)) {
+ assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
+ return ACLIP::match(checklist->conn()->clientConnection->local);
+ }
+
const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->GetHost(), IP_LOOKUP_IF_MISS);
if (ia) {
DOC_END
+NAME: client_dst_passthru
+TYPE: onoff
+DEFAULT: on
+LOC: Config.onoff.client_dst_passthru
+DOC_START
+ With NAT or TPROXY intercepted traffic Squid may pass the request
+ directly to the original client destination IP or seek a faster
+ source.
+
+ This option (on by default) prevents cache_peer and alternative DNS
+ entries being used on intercepted traffic. Both of which lead to
+ the security vulnerability outlined below.
+
+ SECURITY WARNING:
+
+ This directive should only be disabled if cache_peer are required.
+
+ As described in CVE-2009-0801 when the Host: header alone is used
+ to determine the destination of a request it becomes trivial for
+ malicious scripts on remote websites to bypass browser same-origin
+ security policy and sandboxing protections.
+
+ The cause of this is that such applets are allowed to perform their
+ own HTTP stack, in which case the same-origin policy of the browser
+ sandbox only verifies that the applet tries to contact the same IP
+ as from where it was loaded at the IP level. The Host: header may
+ be different from the connected IP and approved origin.
+
+DOC_END
+
COMMENT_START
SSL OPTIONS
-----------------------------------------------------------------------------
// Otherwise we are going to leak our object.
entry->registerAbort(FwdState::abort, this);
- peerSelect(&serverDestinations, request, entry, fwdPeerSelectionCompleteWrapper, this);
+
+ // Bug 3243: CVE 2009-0801
+ // Bypass of browser same-origin access control in intercepted communication
+ // To resolve this we must force DIRECT and only to the original client destination.
+ if (Config.onoff.client_dst_passthru && request &&
+ (request->flags.intercepted || request->flags.spoof_client_ip)) {
+ Comm::ConnectionPointer p = new Comm::Connection();
+ p->remote = clientConn->local;
+ p->peerType = ORIGINAL_DST;
+ getOutgoingAddress(request, p);
+ serverDestinations.push_back(p);
+
+ // destination "found". continue with the forwarding.
+ startConnectionOrFail();
+ } else {
+ // do full route options selection
+ peerSelect(&serverDestinations, request, entry, fwdPeerSelectionCompleteWrapper, this);
+ }
}
void
USERHASH_PARENT,
SOURCEHASH_PARENT,
PINNED,
+ ORIGINAL_DST,
HIER_MAX
} hier_code;
int WIN32_IpAddrChangeMonitor;
int memory_cache_first;
int memory_cache_disk;
+ int client_dst_passthru;
} onoff;
int forward_max_tries;
projects / thirdparty / squid.git / commitdiff
