[squid-dev] checklist->conn assertion in DestinationIp.cc
Alex Rousskov
rousskov at measurement-factory.com
Fri Jul 17 18:09:41 UTC 2015
Hello,
Intercepting Squids sometimes fail with the following assertion in
ACLDestinationIP::match():
> // Bug 3243: CVE 2009-0801
> // Bypass of browser same-origin access control in intercepted communication
> // To resolve this we will force DIRECT and only to the original client destination.
> // In which case, we also need this ACL to accurately match the destination
> if (Config.onoff.client_dst_passthru && ... intercepted ...) {
>     assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
>     return ACLIP::match(checklist->conn()->clientConnection->local);
> }
There are several reports about these failures on squid-users, including
http://lists.squid-cache.org/pipermail/squid-users/2015-May/003562.html
The assertion makes no sense to me -- why would an ACL assert that a
connection is valid? A lot of things can happen between the time the ACL
checklist was formed and the time the ACL got evaluated. This is true
for all ACLs, but should be especially obvious for slow/asynchronous
ACLs such as "dst".
I suggest replacing the assert with an if-statement to return -1
(matching failure) when the connection is gone. Rationale: With the
connection gone, the matching result probably does not matter anymore so
there is little incentive for us to use alternative (and insecure!)
sources of destination information.
Any better ideas?
Thank you,
Alex.
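
The replacement suggested in the message above, as an added example that is not part of the original post and is not Squid code. Every type and function below (Checklist, ConnStateData, Connection, matchIp, matchDestination, evaluateAfterClose) is a simplified hypothetical stand-in, and the addresses are constructed sample values.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>

// Hypothetical stand-ins for the objects named in the quoted snippet.
struct Address { uint32_t ip = 0; };
struct Connection { Address local; };            // plays the role of clientConnection
struct ConnStateData { std::shared_ptr<Connection> clientConnection; };

struct Checklist {
    // Weak reference: the client can disconnect between checklist
    // creation and the (possibly asynchronous) ACL evaluation.
    std::weak_ptr<ConnStateData> connRef;
    std::shared_ptr<ConnStateData> conn() const { return connRef.lock(); }
};

// Stand-in for the IP comparison: 1 = match, 0 = no match.
static int matchIp(const Address &a, uint32_t net, uint32_t mask) {
    return (a.ip & mask) == (net & mask) ? 1 : 0;
}

// Guarded "dst" match for the intercepted case: an if-statement
// replaces the assertion and reports a matching failure (-1).
int matchDestination(const Checklist &cl, uint32_t net, uint32_t mask) {
    const auto c = cl.conn();
    if (!c || !c->clientConnection)
        return -1; // connection gone: fail, do not consult other destination sources
    return matchIp(c->clientConnection->local, net, mask);
}

// Constructed scenario: checklist formed while the client is connected,
// evaluated only after the client has gone away.
int evaluateAfterClose() {
    auto state = std::make_shared<ConnStateData>();
    state->clientConnection = std::make_shared<Connection>();
    state->clientConnection->local.ip = 0xC0000201u; // 192.0.2.1 (sample)
    Checklist cl{state};
    state.reset(); // client disconnects while the ACL check is pending
    return matchDestination(cl, 0xC0000200u, 0xFFFFFF00u); // 192.0.2.0/24
}

int main() {
    std::printf("result after close: %d\n", evaluateAfterClose());
    return 0;
}
```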