[squid-users] What squid should do with RFC non-compliant response header?

Eliezer Croitoru eliezer at ngtech.co.il
Fri Apr 7 13:21:27 UTC 2017


Thanks Amos and Alex,

I have seen a scenario like that but while working with haproxy.
I believe that there is a difference between a "security" proxy appliance to some other kinds.
The enforcement of the RFC for headers computability seems like the right way to go for any general http proxy.
The issue may arise when some developer might do some mistake in php or another customisd service. Php doesn't enforce the header syntax and it is possible that a developer will run broken code.

For the case with haproxy it returned a 500 wrong response.
To test the issue I had to compare two\three cases such as:
- plain text file
- plain html file
- simple phpinfo() php script

When testing these the conclusion was that there is something wrong with the php code that the developer wrote.
At least I can say that I have not seen such an error in any open source web application that is based on php. So I believe that they have some hidden quality to do things the right way.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Alex Rousskov
Sent: Thursday, April 6, 2017 8:45 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] What squid should do with RFC non-compliant response header?

On 04/06/2017 10:07 AM, Amos Jeffries wrote:
> On 6/04/2017 7:32 a.m., Eliezer  Croitoru wrote:
>> Technically I would expect squid to pass it but it's might have the potential for a CVE in some casese.


> There is actually a CVE problem "HTTP request/response smuggling" in 
> all cases of the type you described.


> There are exactly two things that can be done by a proxy when this 
> type of error is encountered:

>  1) [send an error message]
>  2) truncate the message at the CRLF before the garbage

There are many other reasonable things a proxy can do, with admin permission, but it is pointless to discuss their details on squid-users IMO. And yes, pretty much all of them may cause HTTP message smuggling.
They are useful as temporary compatibility workarounds, not universal default solutions.

Alex.

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



More information about the squid-users mailing list