[PATCH] Host header forgery detected even with appendDomain

Amos,

The latest squid prevents connections to my known servers without the local
domain name. The version prior to June 15 allowed connecting to URLs
without the fully qualified domain names, as in "moose" instead of
"moose.xxx.com".

The latest squid throws the following error:

2011/09/13 09:17:53.420 kid1| SECURITY ALERT: Host header forgery detected
on local=192.168.243.1:8080 remote=192.168.243.1:59291 FD 11 flags=1
(moose does not match moose.xxx.com)


Here's a patch to get around the problem. By specifying "append_domain
.xxx.com", squid should allow hosts that match the domain part. This is
useful for getting back the old behavior so I don't need to type the full
URLs for the many sites at work I'm dealing with.

Thanks,
Jeff

--- trunk/src/client_side_request.cc	2011-09-02 23:48:56.000000000 +0800
+++ truck/src/client_side_request.cc	2011-09-13 10:31:33.000000000 +0800
@@ -620,6 +620,8 @@
             port = xatoi(portStr);
     }

+    int appendDomainOK = strcmp(strchr(http->request->GetHost(), '.'), Config.appendDomain);
+
     debugs(85, 3, HERE << "validate host=" << host << ", port=" << port << ", portStr=" << (portStr?portStr:"NULL"));
     if (http->request->flags.intercepted || http->request->flags.spoof_client_ip) {
         // verify the Host: port (if any) matches the apparent destination
@@ -633,11 +635,11 @@
             // verify the destination DNS is one of the Host: headers IPs
             ipcache_nbgethostbyname(host, hostHeaderIpVerifyWrapper, this);
         }
-    } else if (strlen(host) != strlen(http->request->GetHost())) {
+    } else if (strlen(host) != strlen(http->request->GetHost()) && appendDomainOK) {
         // Verify forward-proxy requested URL domain matches the Host: header
         debugs(85, 3, HERE << "FAIL on validate URL domain length " << http->request->GetHost() << " matches Host: " << host);
         hostHeaderVerifyFailed(host, http->request->GetHost());
-    } else if (matchDomainName(host, http->request->GetHost()) != 0) {
+    } else if (matchDomainName(host, http->request->GetHost()) != 0 && appendDomainOK) {
         // Verify forward-proxy requested URL domain matches the Host: header
         debugs(85, 3, HERE << "FAIL on validate URL domain " << http->request->GetHost() << " matches Host: " << host);
         hostHeaderVerifyFailed(host, http->request->GetHost());
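Review bot: the `&& appendDomainOK` added to both else-if branches switches off Host: verification for every request whose URL host ends in Config.appendDomain, without looking at what the Host: header says: with `append_domain .xxx.com`, a request for http://moose.xxx.com/ carrying `Host: anything.else` passes both the length branch and the matchDomainName branch, which is exactly the forgery the SECURITY ALERT is there to catch. The relaxation should instead accept only the case the cover note describes, an unqualified Host: that append_domain would complete, i.e. `host` contains no dot and `host` followed by Config.appendDomain equals `http->request->GetHost()` (case-insensitively, as matchDomainName compares); any other mismatch should still reach hostHeaderVerifyFailed(). Note too that once the length branch is skipped the matchDomainName branch is skipped as well, so in the relaxed case no comparison of the two names happens at all.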


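As an added example, not code from the post or from Squid, here is what a Host: header check that honours append_domain could look like as standalone C. The function names and the constructed test cases are assumptions, and the URL host, Host: header (already stripped of any port, as Squid does before this check) and append_domain value are passed in as plain strings rather than read from Squid's request structures. Unlike the strchr/strcmp comparison in the patch, it accepts an unqualified Host: only when that name plus append_domain is exactly the URL host, and it tolerates a missing dot or an unset append_domain without dereferencing NULL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */

/* Added example, not Squid's code. Returns true when the Host: header names
 * the same server as the URL host, either exactly (case-insensitive, since
 * DNS names are) or as the unqualified form that append_domain completes.
 * appendDomain may be NULL (directive unset) and, as in Squid, starts with '.'. */
bool host_header_matches(const char *hostHeader, const char *urlHost,
                         const char *appendDomain)
{
    if (hostHeader == NULL || urlHost == NULL || *hostHeader == '\0')
        return false;

    if (strcasecmp(hostHeader, urlHost) == 0)
        return true;

    /* append_domain only ever completes names without a dot, so a qualified
     * Host: that differs from the URL host is a genuine mismatch. Checking
     * appendDomain and the dot here avoids the NULL dereferences that an
     * unguarded strchr()/strcmp() pair would hit. */
    if (appendDomain == NULL || *appendDomain != '.' || strchr(hostHeader, '.') != NULL)
        return false;

    size_t hlen = strlen(hostHeader);
    size_t dlen = strlen(appendDomain);
    if (strlen(urlHost) != hlen + dlen)
        return false;

    /* urlHost must be exactly hostHeader followed by appendDomain; comparing
     * only the domain suffix of urlHost would accept any Host: header for any
     * server in the local domain. */
    return strncasecmp(urlHost, hostHeader, hlen) == 0 &&
           strcasecmp(urlHost + hlen, appendDomain) == 0;
}

/* Mirrors the decision behind the log line: 0 = accept, 1 = forgery detected. */
int verify_host_header(const char *hostHeader, const char *urlHost,
                       const char *appendDomain)
{
    if (host_header_matches(hostHeader, urlHost, appendDomain))
        return 0;
    fprintf(stderr, "SECURITY ALERT: Host header forgery detected (%s does not match %s)\n",
            hostHeader ? hostHeader : "(null)", urlHost ? urlHost : "(null)");
    return 1;
}

int main(void)
{
    /* Constructed cases for illustration, not taken from the original post. */
    struct { const char *host, *url, *dom; bool expect; } cases[] = {
        { "moose",         "moose.xxx.com", ".xxx.com", true  },  /* the case in the post */
        { "MOOSE",         "moose.xxx.com", ".xxx.com", true  },
        { "moose.xxx.com", "moose.xxx.com", ".xxx.com", true  },
        { "moose",         "moose.xxx.com", NULL,       false },  /* append_domain unset */
        { "evil",          "moose.xxx.com", ".xxx.com", false },  /* same domain, wrong host */
        { "moose.yyy.com", "moose.xxx.com", ".xxx.com", false },
        { "moose",         "moose",         NULL,       true  },  /* no dot anywhere: no crash */
    };
    int failures = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool got = host_header_matches(cases[i].host, cases[i].url, cases[i].dom);
        printf("%-15s %-15s %-10s -> %s\n", cases[i].host, cases[i].url,
               cases[i].dom ? cases[i].dom : "(unset)", got ? "accept" : "reject");
        if (got != cases[i].expect)
            failures++;
    }
    return failures ? 1 : 0;
}
```

The "evil" case is the one to keep in mind: its URL host sits in .xxx.com, so a check that only compares the URL host's domain suffix against append_domain would wave it through, while this version rejects it because "evil" + ".xxx.com" is not "moose.xxx.com".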