<p>New setting for client bandwith limits to determines the
client-side delay pool for the request.
- <tag>client_dst_passthru</tag>
- <p>New setting to disable Host: header security on interception proxies.
- Impacts cache integrity/reliability and client browser security.
-
<tag>cpu_affinity_map</tag>
<p>New setting for SMP support to map Squid processes onto specific CPU cores.
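Review bot: dropping the client_dst_passthru paragraph from the release notes leaves no record that the directive ever existed or why it went away, while the neighbouring entries (client bandwidth limits, cpu_affinity_map) stay. If the directive is being removed from the code, the notes should say so explicitly and carry the security consequence the deleted text described (Host: header routing on intercepted traffic, browser same-origin impact), so an administrator upgrading an interception proxy can see the change in behaviour rather than discover it from a parse error or a missing knob. The unchanged context above also has two typos worth fixing in the same file ("bandwith", "to determines").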
#include "squid.h"
#include "acl/DestinationIp.h"
#include "acl/FilledChecklist.h"
-#include "comm/Connection.h"
#include "HttpRequest.h"
-// for Config.*
-#include "structs.h"
char const *
ACLDestinationIP::typeString() const
ACLDestinationIP::match(ACLChecklist *cl)
{
ACLFilledChecklist *checklist = Filled(cl);
-
- // Bug 3243: CVE 2009-0801
- // Bypass of browser same-origin access control in intercepted communication
- // To resolve this we will force DIRECT and only to the original client destination.
- // In which case, we also need this ACL to accurately match the destination
- if (Config.onoff.client_dst_passthru && checklist->request &&
- (checklist->request->flags.intercepted || checklist->request->flags.spoof_client_ip)) {
- assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
- return ACLIP::match(checklist->conn()->clientConnection->local);
- }
-
const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->GetHost(), IP_LOOKUP_IF_MISS);
if (ia) {
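Review bot: removing the intercepted/spoof_client_ip branch in ACLDestinationIP::match means that for intercepted requests a dst ACL is now evaluated only against the DNS result for the Host: header name (the `ipcache_gethostbyname(checklist->request->GetHost(), ...)` fallback), not against `clientConnection->local`, the address the client actually connected to. That is precisely the mismatch the deleted comment ties to Bug 3243 / CVE 2009-0801: the Host: value and the connected IP can differ, so an access rule written in terms of the real destination can be satisfied by a request whose Host: names something else. If the intent is to drop the feature, the reason should be stated in the commit message; if not, this branch should stay. Also confirm nothing else in this file still uses `Config.*` or `Comm::Connection` once the two `#include` lines go, or the build breaks.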
DOC_END
-NAME: client_dst_passthru
-TYPE: onoff
-DEFAULT: on
-LOC: Config.onoff.client_dst_passthru
-DOC_START
- With NAT or TPROXY intercepted traffic Squid may pass the request
- directly to the original client destination IP or seek a faster
- source.
-
- This option (on by default) prevents cache_peer and alternative DNS
- entries being used on intercepted traffic. Both of which lead to
- the security vulnerability outlined below.
-
- SECURITY WARNING:
-
- This directive should only be disabled if cache_peer are required.
-
- As described in CVE-2009-0801 when the Host: header alone is used
- to determine the destination of a request it becomes trivial for
- malicious scripts on remote websites to bypass browser same-origin
- security policy and sandboxing protections.
-
- The cause of this is that such applets are allowed to perform their
- own HTTP stack, in which case the same-origin policy of the browser
- sandbox only verifies that the applet tries to contact the same IP
- as from where it was loaded at the IP level. The Host: header may
- be different from the connected IP and approved origin.
-
-DOC_END
-
COMMENT_START
SSL OPTIONS
-----------------------------------------------------------------------------
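Review bot: deleting the client_dst_passthru entry from the directive definitions outright means any existing squid.conf that still sets `client_dst_passthru on` (or off) will be rejected as an unknown directive on upgrade. Prefer a compatibility entry that accepts the old name and logs that it is now ignored, with a pointer to the replacement behaviour. The SECURITY WARNING text being removed (cache_peer and alternative DNS entries on intercepted traffic, CVE-2009-0801, the applet-with-its-own-HTTP-stack explanation) is the only place in the config documentation that explains this risk; it should be moved rather than dropped, for example into the documentation of whatever directive or default now governs intercepted-traffic destination selection.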
// Otherwise we are going to leak our object.
entry->registerAbort(FwdState::abort, this);
-
- // Bug 3243: CVE 2009-0801
- // Bypass of browser same-origin access control in intercepted communication
- // To resolve this we must force DIRECT and only to the original client destination.
- if (Config.onoff.client_dst_passthru && request &&
- (request->flags.intercepted || request->flags.spoof_client_ip)) {
- Comm::ConnectionPointer p = new Comm::Connection();
- p->remote = clientConn->local;
- p->peerType = ORIGINAL_DST;
- getOutgoingAddress(request, p);
- serverDestinations.push_back(p);
-
- // destination "found". continue with the forwarding.
- startConnectionOrFail();
- } else {
- // do full route options selection
- peerSelect(&serverDestinations, request, entry, fwdPeerSelectionCompleteWrapper, this);
- }
+ peerSelect(&serverDestinations, request, entry, fwdPeerSelectionCompleteWrapper, this);
}
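Review bot: the replacement makes `peerSelect(...)` unconditional, so `request->flags.intercepted` and `request->flags.spoof_client_ip` are no longer consulted when choosing server destinations and the forced-DIRECT path to `clientConn->local` (built as a `Comm::Connection` with `peerType = ORIGINAL_DST` and passed through `getOutgoingAddress`) is gone. Intercepted traffic will therefore be routed through cache_peer entries and whatever DNS resolves for the Host: header, which is the behaviour the deleted comment describes as the CVE 2009-0801 exposure. If this is a deliberate revert, say so in the commit message and reference Bug 3243; if the feature is being replaced, the replacement should land in the same change so there is no window where intercepted requests follow full peer selection by default.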
void
USERHASH_PARENT,
SOURCEHASH_PARENT,
PINNED,
- ORIGINAL_DST,
HIER_MAX
} hier_code;
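Review bot: removing `ORIGINAL_DST` from the `hier_code` enum must be paired with removing every parallel entry that maps hier_code values to names (the string table used for access-log hierarchy codes and any switch over hier_code), otherwise the table and the enum fall out of step and `HIER_MAX` no longer bounds the array correctly. Those companion edits are not visible in this patch; either add them here or note which separate change carries them. Also check that existing log-parsing tools or documentation that list ORIGINAL_DST as a possible hierarchy code are updated.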
int WIN32_IpAddrChangeMonitor;
int memory_cache_first;
int memory_cache_disk;
- int client_dst_passthru;
} onoff;
int forward_max_tries;
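Review bot: dropping `client_dst_passthru` from the `onoff` struct is consistent with the ACL and FwdState hunks above, which remove the two readers of `Config.onoff.client_dst_passthru`, but nothing in the patch records why a setting that was on by default as a CVE-2009-0801 mitigation is being taken out. The commit message should state whether this is a revert, a rename, or a move to a different mechanism, and reference Bug 3243 / CVE-2009-0801, so the change is auditable later. Please also grep for any remaining `client_dst_passthru` references (tests, docs, cf.data.pre variants) before merging, since a leftover reader of the removed member will fail to compile.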