git.ipfire.org Git - thirdparty/squid.git/commit

Limit the number of allowed X-Forwarded-For hops (#1589)

Squid will ignore all X-Forwarded-For elements listed after the first 64
addresses allowed by the follow_x_forwarded_for directive. A different
limit can be specified by defining a C++ SQUID_X_FORWARDED_FOR_HOP_MAX
macro, but that macro is not a supported Squid configuration interface
and may change or disappear at any time.

Squid will log a cache.log ERROR if the hop limit has been reached.

This change works around problematic ACLChecklist and/or slow ACLs
implementation that results in immediate nonBlockingCheck() callbacks.
Such callbacks have caused many bugs and development complications. In
clientFollowXForwardedForCheck() context, they lead to indirect
recursion that was bound only by the number of allowed XFF entries,
which could reach thousands and exhaust Squid process call stack.

This recursion bug was discovered and detailed by Joshua Rogers at
https://megamansec.github.io/Squid-Security-Audit/xff-stackoverflow.html
where it was filed as "X-Forwarded-For Stack Overflow".

author	Thomas Leroy <32497783+p4zuu@users.noreply.github.com>
	Tue, 28 Nov 2023 07:35:46 +0000 (07:35 +0000)
committer	Amos Jeffries <yadij@users.noreply.github.com>
	Sat, 2 Dec 2023 17:27:32 +0000 (06:27 +1300)
commit	9f7136105bff920413042a8806cc5de3f6086d6d
tree	05643845009005a7a836ced72dd7adb78fdbbe0a	tree
parent	a0a9e6dc69d0c7b9ba237702b4c5020abc7ad1f8	commit \| diff

src/ClientRequestContext.h		diff \| blob \| blame \| history
src/client_side_request.cc		diff \| blob \| blame \| history