From: Amos Jeffries <squid3@treenet.co.nz>
Date: Thu, 23 Jun 2011 08:33:13 +0000 (-0600)
Subject: Reverse revno.11514. Not good enough
X-Git-Tag: take08~55^2~101
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2b597c113ea8d0ae69269597c014abc302d8e6a1;p=thirdparty%2Fsquid.git

Reverse revno.11514. Not good enough
---

diff --git a/doc/release-notes/release-3.2.sgml b/doc/release-notes/release-3.2.sgml
index ec4f222725..9ffdc7fef3 100644
--- a/doc/release-notes/release-3.2.sgml
+++ b/doc/release-notes/release-3.2.sgml
@@ -366,10 +366,6 @@ This section gives a thorough account of those changes in three categories:
 	<p>New setting for client bandwith limits to determines the 
 	  client-side delay pool for the request.
 
-	<tag>client_dst_passthru</tag>
-	<p>New setting to disable Host: header security on interception proxies.
-	   Impacts cache integrity/reliability and client browser security.
-
 	<tag>cpu_affinity_map</tag>
 	<p>New setting for SMP support to map Squid processes onto specific CPU cores.
 
diff --git a/src/acl/DestinationIp.cc b/src/acl/DestinationIp.cc
index 93e8930927..39d3bf9fc6 100644
--- a/src/acl/DestinationIp.cc
+++ b/src/acl/DestinationIp.cc
@@ -36,10 +36,7 @@
 #include "squid.h"
 #include "acl/DestinationIp.h"
 #include "acl/FilledChecklist.h"
-#include "comm/Connection.h"
 #include "HttpRequest.h"
-// for Config.*
-#include "structs.h"
 
 char const *
 ACLDestinationIP::typeString() const
@@ -51,17 +48,6 @@ int
 ACLDestinationIP::match(ACLChecklist *cl)
 {
     ACLFilledChecklist *checklist = Filled(cl);
-
-    // Bug 3243: CVE 2009-0801
-    // Bypass of browser same-origin access control in intercepted communication
-    // To resolve this we will force DIRECT and only to the original client destination.
-    // In which case, we also need this ACL to accurately match the destination
-    if (Config.onoff.client_dst_passthru && checklist->request &&
-            (checklist->request->flags.intercepted || checklist->request->flags.spoof_client_ip)) {
-        assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
-        return ACLIP::match(checklist->conn()->clientConnection->local);
-    }
-
     const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->GetHost(), IP_LOOKUP_IF_MISS);
 
     if (ia) {
diff --git a/src/cf.data.pre b/src/cf.data.pre
index ff3a576944..764c5ca52f 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1775,36 +1775,6 @@ DOC_START
 
 DOC_END
 
-NAME: client_dst_passthru
-TYPE: onoff
-DEFAULT: on
-LOC: Config.onoff.client_dst_passthru
-DOC_START
-	With NAT or TPROXY intercepted traffic Squid may pass the request
-	directly to the original client destination IP or seek a faster
-	source.
-	
-	This option (on by default) prevents cache_peer and alternative DNS
-	entries being used on intercepted traffic. Both of which lead to
-	the security vulnerability outlined below.
-	
-	SECURITY WARNING:
-	
-	This directive should only be disabled if cache_peer are required.
-	
-	As described in CVE-2009-0801 when the Host: header alone is used
-	to determine the destination of a request it becomes trivial for
-	malicious scripts on remote websites to bypass browser same-origin
-	security policy and sandboxing protections.
-	
-	The cause of this is that such applets are allowed to perform their
-	own HTTP stack, in which case the same-origin policy of the browser
-	sandbox only verifies that the applet tries to contact the same IP
-	as from where it was loaded at the IP level. The Host: header may
-	be different from the connected IP and approved origin.
-
-DOC_END
-
 COMMENT_START
  SSL OPTIONS
  -----------------------------------------------------------------------------
diff --git a/src/forward.cc b/src/forward.cc
index 74264a28a9..d043092813 100644
--- a/src/forward.cc
+++ b/src/forward.cc
@@ -116,24 +116,7 @@ void FwdState::start(Pointer aSelf)
     // Otherwise we are going to leak our object.
 
     entry->registerAbort(FwdState::abort, this);
-
-    // Bug 3243: CVE 2009-0801
-    // Bypass of browser same-origin access control in intercepted communication
-    // To resolve this we must force DIRECT and only to the original client destination.
-    if (Config.onoff.client_dst_passthru && request &&
-            (request->flags.intercepted || request->flags.spoof_client_ip)) {
-        Comm::ConnectionPointer p = new Comm::Connection();
-        p->remote = clientConn->local;
-        p->peerType = ORIGINAL_DST;
-        getOutgoingAddress(request, p);
-        serverDestinations.push_back(p);
-
-        // destination "found". continue with the forwarding.
-        startConnectionOrFail();
-    } else {
-        // do full route options selection
-        peerSelect(&serverDestinations, request, entry, fwdPeerSelectionCompleteWrapper, this);
-    }
+    peerSelect(&serverDestinations, request, entry, fwdPeerSelectionCompleteWrapper, this);
 }
 
 void
diff --git a/src/hier_code.h b/src/hier_code.h
index 678cb593fa..23225c3760 100644
--- a/src/hier_code.h
+++ b/src/hier_code.h
@@ -25,7 +25,6 @@ typedef enum {
     USERHASH_PARENT,
     SOURCEHASH_PARENT,
     PINNED,
-    ORIGINAL_DST,
     HIER_MAX
 } hier_code;
 
diff --git a/src/structs.h b/src/structs.h
index c4b72debba..4d1710c5e3 100644
--- a/src/structs.h
+++ b/src/structs.h
@@ -436,7 +436,6 @@ struct SquidConfig {
         int WIN32_IpAddrChangeMonitor;
         int memory_cache_first;
         int memory_cache_disk;
-        int client_dst_passthru;
     } onoff;
 
     int forward_max_tries;