[squid-dev] Possible mistake in src/peer_digest.cc
Amos Jeffries
squid3 at treenet.co.nz
Thu Oct 22 15:08:46 UTC 2015
On 23/10/2015 2:55 a.m., aymericvincent wrote:
>
> Hi again,
>
> while grepping around to understand the potential implications of my previous patch, I stumbled upon a piece of code in src/peer_digest.cc which seems incorrect to me.
>
> login=NEGOTIATE can have an additional parameter specified, like login=NEGOTIATE:xxx
>
> One test does not take this case into account and it will probably send a garbage "login:password" (== "NEGOTIATE:xxx") to its peer when requesting a digest. The following patch fixes this but it is untested and requires a review from someone who understands the precise consequences of that piece of code.
>
The code is attempting to fill out the userinfo URL segment.
squid.conf like so:
    cache_peer example.com ... login=user:info
resulting in:
    GET http://user:info@example.com/squid-internal-digest/...
There are two problems here.
The main one is that the userinfo URL segment is now outright forbidden
in http:// scheme URL. So Squid should be sending actual Proxy-auth or
WWW-auth headers instead same as it does for any client requests.
The second one is what you mention. The "NEGOTIATE:principal" string
being broadcast over the network.
Please do check if that is actually happening when a principal is
configured. And then if your patch prevents it. I will accept if it
tests as actually needed and working.
Amos
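As an added example (not Squid's code and not part of this thread), the following C++ models the two points Amos raises: a login= check that reproduces the miss on the NEGOTIATE:principal form beside a corrected one, and a Basic Proxy-Authorization header built from literal credentials instead of placing them in the URL userinfo segment. The helper names, the digest path and the principal string are assumptions; the real digest path is elided in the mail.

```cpp
#include <cassert>
#include <cstdint>
#include <iostream>
#include <string>

// Added example, not Squid's code. It models the two points raised in the
// thread: (1) a login= value that is a special token must not be copied
// into the request as if it were "user:password", and (2) real credentials
// belong in a Proxy-Authorization header, not in the URL userinfo segment.
// The helper names and the digest path below are assumptions.

// Naive check reproducing the reported mistake: only an exact "NEGOTIATE"
// match is treated as special, so "NEGOTIATE:principal" falls through and
// is handled as if it were literal credentials.
static bool isSpecialLoginNaive(const std::string &login) {
    return login == "PASS" || login == "PASSTHRU" || login == "NEGOTIATE";
}

// Corrected check: also covers the "NEGOTIATE:principal" form.
static bool isSpecialLogin(const std::string &login) {
    if (isSpecialLoginNaive(login)) return true;
    return login.compare(0, 10, "NEGOTIATE:") == 0;
}

// Old-style request target as shown in the thread: literal credentials end
// up in the userinfo segment of an http:// URL.
static std::string digestUrl(const std::string &host, const std::string &path,
                             const std::string &login,
                             bool (*isSpecial)(const std::string &)) {
    std::string url = "http://";
    if (!login.empty() && !isSpecial(login))
        url += login + "@";
    return url + host + path;
}

// Minimal RFC 4648 base64 encoder for the Basic header value.
static std::string base64(const std::string &in) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    size_t i = 0;
    while (i + 3 <= in.size()) {
        uint32_t n = (uint8_t)in[i] << 16 | (uint8_t)in[i + 1] << 8 | (uint8_t)in[i + 2];
        out += tbl[n >> 18]; out += tbl[(n >> 12) & 63];
        out += tbl[(n >> 6) & 63]; out += tbl[n & 63];
        i += 3;
    }
    size_t rem = in.size() - i;
    if (rem == 1) {
        uint32_t n = (uint8_t)in[i] << 16;
        out += tbl[n >> 18]; out += tbl[(n >> 12) & 63]; out += "==";
    } else if (rem == 2) {
        uint32_t n = (uint8_t)in[i] << 16 | (uint8_t)in[i + 1] << 8;
        out += tbl[n >> 18]; out += tbl[(n >> 12) & 63];
        out += tbl[(n >> 6) & 63]; out += '=';
    }
    return out;
}

// What the thread says should happen instead: keep the URL clean and carry
// literal credentials in a Proxy-Authorization header. Special tokens yield
// no header here (NEGOTIATE needs a real GSSAPI exchange; PASS/PASSTHRU
// forward the client's own credentials).
static std::string proxyAuthHeader(const std::string &login) {
    if (login.empty() || isSpecialLogin(login))
        return "";
    return "Proxy-Authorization: Basic " + base64(login);
}

int main() {
    const std::string host = "example.com";
    const std::string path = "/digest-path"; // placeholder; real path elided in the mail
    const std::string principal = "NEGOTIATE:HTTP/proxy.example.com"; // constructed value
    std::cout << digestUrl(host, path, "user:info", isSpecialLoginNaive) << "\n";
    std::cout << digestUrl(host, path, principal, isSpecialLoginNaive) << "\n"; // principal leaks
    std::cout << digestUrl(host, path, principal, isSpecialLogin) << "\n";      // clean
    std::cout << digestUrl(host, path, "", isSpecialLogin) << "\n"
              << proxyAuthHeader("user:info") << "\n";
    return 0;
}
```

The second printed line is the observable symptom worth checking on the wire: a request whose target contains "NEGOTIATE:" followed by the configured principal. The corrected predicate and the header-based form both keep that string off the network.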