git.ipfire.org Git - thirdparty/squid.git/commit

author	Amos Jeffries <squid3@treenet.co.nz>
	Thu, 21 Jan 2010 10:01:16 +0000 (23:01 +1300)
committer	Amos Jeffries <squid3@treenet.co.nz>
	Thu, 21 Jan 2010 10:01:16 +0000 (23:01 +1300)
commit	d096ace1eed73208e7f2b375959153738ea6a02b
tree	d389c75e5335afa261d80d4bd900fb8c30f25029	tree
parent	9761b0bdbb6655d42fa54e583a20a62d97786768	commit \| diff

Author: Wolfgang Nothdurft <wolfgang@linogate.de>
Bug 2730: Regressions in follow_x_forwarded_for since Squid-2

Two Major Regressions:

* Omitted testing for trust of the directly connecting client.
  this is critical is trusting the header content itself.
  The absence permitted remote clients to forge X-Forwarded-For
  and gain access to resources through Squid.
  (mitigated by the following)

* Bad logic in implementing the trust model resulted in any XFF
  headers containing untrusted IPs to be dropped in their entirety.
  This resulted in clients transiting more than one proxy heirarchy to
  be incorrectly logged and reported in the second.

Some polish alterations to the existing logics:

* Testing the direct client address for trust means the testing must be
  fully async 'slow'. Thus avoiding the memory leaks found on occasion.

* acl_uses_indirect_client is not strictly needed to test multiple levels
  of X-Forwarded-For properly. The entire list of IPs are now always
  tested until on untrusted is found or an ACL failure occurs.