[squid-users] What squid should do with RFC non-compliant response header?
Alex Rousskov
rousskov at measurement-factory.com
Thu Apr 6 17:44:41 UTC 2017
On 04/06/2017 10:07 AM, Amos Jeffries wrote:
> On 6/04/2017 7:32 a.m., Eliezer Croitoru wrote:
>> Technically I would expect squid to pass it but it might have the potential for a CVE in some cases.
> There is actually a CVE problem "HTTP request/response smuggling" in all
> cases of the type you described.
> There are exactly two things that can be done by a proxy when this type
> of error is encountered:
> 1) [send an error message]
> 2) truncate the message at the CRLF before the garbage
There are many other reasonable things a proxy can do, with admin
permission, but it is pointless to discuss their details on squid-users
IMO. And yes, pretty much all of them may cause HTTP message smuggling.
They are useful as temporary compatibility workarounds, not universal
default solutions.
Alex.