From: Amos Jeffries
Date: Sun, 14 Aug 2011 23:34:26 +0000 (+1200)
Subject: Improve CVE-2009-0801 detection warning
X-Git-Tag: take08~43^2~25
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=05b28f84cd373ade0b42f2678aeefbb000761232;p=thirdparty%2Fsquid.git
Improve CVE-2009-0801 detection warning
---
diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
index 45377051e5..c6b9e9d5bb 100644
--- a/src/ClientRequestContext.h
+++ b/src/ClientRequestContext.h
@@ -27,7 +27,7 @@ public:
 bool httpStateIsValid();
 void hostHeaderVerify();
 void hostHeaderIpVerify(const ipcache_addrs* ia, const DnsLookupDetails &dns);
- void hostHeaderVerifyFailed();
+ void hostHeaderVerifyFailed(const char *A, const char *B);
 void clientAccessCheck();
 void clientAccessCheck2();
 void clientAccessCheckDone(const allow_t &answer);
diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index 28a7dab325..b297fa97ba 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -546,13 +546,14 @@ ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const DnsLooku
 }
 }
 debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " possible from Host:");
- hostHeaderVerifyFailed();
+ hostHeaderVerifyFailed("local IP", "any domain IP");
 }
 void
-ClientRequestContext::hostHeaderVerifyFailed()
+ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
 {
- debugs(85, 1, "SECURITY ALERT: Host: header forgery detected from " << http->getConn()->clientConnection);
+ debugs(85, 1, "SECURITY ALERT: Host: header forgery detected from " << http->getConn()->clientConnection <<
+ " (" << A << " does not match " << B << ")");
 // IP address validation for Host: failed. reject the connection.
 clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data;
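Review bot: The new parameters `A` and `B` on `hostHeaderVerifyFailed` say nothing at the declaration about what each string represents or how long it must remain valid. The definition in client_side_request.cc streams both directly into the level-1 alert, so a null pointer or a buffer released too early would be a defect at the call site rather than something the callee guards against. A comment above the declaration would pin the contract down, for example `/// A and B describe the two values that failed to match; both must be non-null C strings that stay valid for the duration of the call.`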
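Review bot: The level-1 SECURITY ALERT in `hostHeaderVerifyFailed` now writes `A` and `B` to the log unmodified, and the caller in the `@@ -638,7 +640,7 @@` hunk passes `host`, the request's Host: header value, while the `@@ -620,8 +621,9 @@` hunk passes `portStr`, which appears to be derived from the same header. That places client-chosen bytes of client-chosen length inside a message that operators and log monitors key on; unless the header parser (not visible here) already rejects control characters and bounds the length, a client could pad or visually falsify alert lines. I would truncate the values and escape non-printable bytes before streaming them, or at minimum record the assumption with `// A/B may hold client-supplied Host: data; callers must pass text that is safe to log`. The body of hostHeaderVerifyFailed continues past the end of the hunk.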
@@ -620,8 +621,9 @@ ClientRequestContext::hostHeaderVerify()
 if (http->request->flags.intercepted || http->request->flags.spoof_client_ip) {
 // verify the port (if any) matches the apparent destination
 if (portStr && port != http->getConn()->clientConnection->local.GetPort()) {
- debugs(85, 3, HERE << "FAIL on validate port " << http->getConn()->clientConnection->local.GetPort() << " matches Host: port " << port << "((" << portStr);
- hostHeaderVerifyFailed();
+ debugs(85, 3, HERE << "FAIL on validate port " << http->getConn()->clientConnection->local.GetPort() <<
+ " matches Host: port " << port << " (" << portStr << ")");
+ hostHeaderVerifyFailed("intercepted port", portStr);
 safe_free(hostB);
 return;
 }
@@ -638,7 +640,7 @@ ClientRequestContext::hostHeaderVerify()
 host = http->request->header.getStr(HDR_HOST);
 if (strcmp(host, http->request->GetHost()) != 0) {
 debugs(85, 3, HERE << "FAIL on validate URL domain " << http->request->GetHost() << " matches Host: " << host);
- hostHeaderVerifyFailed();
+ hostHeaderVerifyFailed(host, http->request->GetHost());
 return;
 }
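Review bot: `hostHeaderVerifyFailed("intercepted port", portStr)` has to run before `safe_free(hostB)` if `portStr` points into `hostB`, which the surrounding lines suggest but this hunk does not show. The order is correct as written, but nothing marks it as required, and it only holds while hostHeaderVerifyFailed consumes its arguments synchronously. A comment on the call would keep a later reorder from logging freed memory: `// portStr may point into hostB: report before freeing`. hostHeaderVerify() begins and ends outside the hunk.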