bool httpStateIsValid();
void hostHeaderVerify();
void hostHeaderIpVerify(const ipcache_addrs* ia, const DnsLookupDetails &dns);
- void hostHeaderVerifyFailed();
+ void hostHeaderVerifyFailed(const char *A, const char *B);
void clientAccessCheck();
void clientAccessCheck2();
void clientAccessCheckDone(const allow_t &answer);
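Review bot: The two new parameters `A` and `B` on `hostHeaderVerifyFailed` are undocumented and their names do not say which side of the mismatch each one is, so a reader of the header cannot tell that both end up verbatim in a level-1 log line. I would add above the declaration: `/// Logs a "SECURITY ALERT" for a failed Host: verification and rejects the request; A and B are the two values that failed to match, printed as "A does not match B", and both must be non-NULL because they are streamed into debugs().` Renaming them to something like `expected`/`actual` would also make the three call sites self-explanatory.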
}
}
debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " possible from Host:");
- hostHeaderVerifyFailed();
+ hostHeaderVerifyFailed("local IP", "any domain IP");
}
void
-ClientRequestContext::hostHeaderVerifyFailed()
+ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
{
- debugs(85, 1, "SECURITY ALERT: Host: header forgery detected from " << http->getConn()->clientConnection);
+ debugs(85, 1, "SECURITY ALERT: Host: header forgery detected from " << http->getConn()->clientConnection <<
+ " (" << A << " does not match " << B << ")");
// IP address validation for Host: failed. reject the connection.
clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data;
if (http->request->flags.intercepted || http->request->flags.spoof_client_ip) {
// verify the port (if any) matches the apparent destination
if (portStr && port != http->getConn()->clientConnection->local.GetPort()) {
- debugs(85, 3, HERE << "FAIL on validate port " << http->getConn()->clientConnection->local.GetPort() << " matches Host: port " << port << "((" << portStr);
- hostHeaderVerifyFailed();
+ debugs(85, 3, HERE << "FAIL on validate port " << http->getConn()->clientConnection->local.GetPort() <<
+ " matches Host: port " << port << " (" << portStr << ")");
+ hostHeaderVerifyFailed("intercepted port", portStr);
safe_free(hostB);
return;
}
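Review bot: `portStr` handed to `hostHeaderVerifyFailed` on the third added line is a slice of the client-supplied Host: header, and the callee now streams it unmodified into a level-1 "SECURITY ALERT" line, so any bytes the header parser lets through (control characters, a fabricated second alert line) reach cache.log unescaped; either keep the client value on the level-3 line above and pass a fixed label here, e.g. `hostHeaderVerifyFailed("intercepted port", "Host: port");`, or quote/sanitise the value first — I cannot see from this hunk whether header parsing already rejects such bytes, so that is worth confirming. The argument order is also inconsistent with the other call sites: here the fixed label is A and the client value is B, while the domain check passes the client `host` as A and the URL host as B, so the "X does not match Y" text reads differently per failure; pick one convention. Note too that this failure path calls `safe_free(hostB)` before returning, whereas the domain-mismatch path just after this hunk returns straight after `hostHeaderVerifyFailed`; if `hostB` is still owned at that point, that return leaks it.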
host = http->request->header.getStr(HDR_HOST);
if (strcmp(host, http->request->GetHost()) != 0) {
debugs(85, 3, HERE << "FAIL on validate URL domain " << http->request->GetHost() << " matches Host: " << host);
- hostHeaderVerifyFailed();
+ hostHeaderVerifyFailed(host, http->request->GetHost());
return;
}