This patch fixes the following bug:
1) A user sends a CONNECT request with valid credentials
2) Squid checks the credentials and adds the user to the user cache
3) The same user sends a CONNECT request with invalid credentials
4) Squid overwrites the entry in the user cache and denies the second
CONNECT request
5) The user sends a GET request on the first SSL connection which is
established by now
6) Squid knows that it does not need to check the credentials on the
bumped connection but still somehow checks again whether the user is
successfully authenticated
7) Due to the second CONNECT request the user is regarded as not
successfully authenticated
8) Squid denies the GET request of the first SSL connection with 403
ERR_CACHE_ACCESS_DENIED
On proxies with Basic authentication and SSL bumping, this can be used
to prevent a legitimate user from making any HTTPS requests
This is a Measurement Factory project
ACLProxyAuth::matchProxyAuth(ACLChecklist *cl)
{
ACLFilledChecklist *checklist = Filled(cl);
+ if (checklist->request->flags.sslBumped)
+ return 1; // AuthenticateAcl() already handled this bumped request
if (!authenticateUserAuthenticated(Filled(checklist)->auth_user_request)) {
return 0;
}
projects / thirdparty / squid.git / commitdiff
