[squid-users] BWS after chunk-size
Amos Jeffries
squid3 at treenet.co.nz
Wed Apr 3 08:28:32 UTC 2024
On 2/04/24 16:03, root wrote:
> Hi Team,
>
> after an upgrade from squid 5.4.1 to squid 5.9, unable to parse HTTP
> chunked response containing whitespace after chunk size. >
> I think the following bugs were fixed and worked fine in squid 5.9 and
> earlier.
> https://bugs.squid-cache.org/show_bug.cgi?id=4492
> <https://bugs.squid-cache.org/show_bug.cgi?id=4492>
>
There was no bug. We caved to user pressure and relaxed the protocol
validation to tolerate and "fix" known-bad syntax. That change is what
opened the security issue...
> However, after the fix for SQUID2023:1 in 5.9, it seems that it does not
> work properly.
> <https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh>
>
Indeed. That particular broken syntax is being intentionally rejected as
a security attack.
> I could be wrong, but Can you please advise me know if there is a way or
> patch to fix this issue.
>
You need to fix or stop using the software which is adding BWS (bad
whitespace) to the protocol syntax fixed.
Amos
More information about the squid-users
mailing list