On 8/11/2014 9:05 p.m., Riccardo Castellani wrote:
> Squid (we are using 2.7 version) checks inside http request to
> verify message is compliant to rfc but I ask myself if there is a way
> to stop this check for specific site/client, at least temporarily…
> to exclude firewall problems too.
>

Don't, just don't. Seriously.

The proxy gets screwed over:
 https://www.owasp.org/index.php/Improper_Data_Validation

Then the origin server risks getting screwed over:
 https://www.owasp.org/index.php/Cross-User_Defacement
 https://www.owasp.org/index.php/Improper_Data_Validation

Being a POST the application itself risks getting screwed over with
infinite-length input:
 https://www.owasp.org/index.php/Improper_Data_Validation
 https://www.owasp.org/index.php/Process_Control
 https://www.owasp.org/index.php/Unsafe_Reflection

And then side effects can echo right back out to the proxy to trigger
further rounds of nastiness at random times in the future:
 https://www.owasp.org/index.php/HTTP_Response_Splitting
 https://www.owasp.org/index.php/Cross-User_Defacement
 https://www.owasp.org/index.php/Cache_Poisoning

The 411 response is telling you that the client sending the proxy a
request message is broken. Many of the above attack side effects could
be happening in other software already as a result of this client
Squid caught out. It really, really needs to be fixed ASAP.

Now, there is a small possibility that the client is using HTTP/1.1
Transfer-Encoding Squid-2.7 does not understand. The first fix for
that is to upgrade to an HTTP/1.1 compliant Squid (which 2.7 is *not*).

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
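
Added example, not part of the original message and not Squid's own code: a simplified Python model of the request framing check behind the 411 reply discussed above, usable for triaging a captured request from the broken client. The function name, the `proxy_understands_chunked` switch and the sample requests are assumptions constructed for illustration.

```python
# Added example: a simplified model of request framing checks, not Squid's own code.
import re

def diagnose_framing(raw: bytes, proxy_understands_chunked: bool = False) -> str:
    """Report how a captured request declares its body length."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0].upper()
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            return "malformed header line"
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    lengths = headers.get("content-length", [])
    codings = [c.strip().lower()
               for v in headers.get("transfer-encoding", []) for c in v.split(",")]
    if codings and lengths:
        # Two competing body lengths: the ambiguity a strict proxy refuses to forward.
        return "conflict: Transfer-Encoding and Content-Length both present"
    if codings:
        if codings[-1] != "chunked":
            return "invalid: final transfer coding is not chunked"
        if proxy_understands_chunked:
            return "ok: chunked"
        # Assumption: models a proxy without HTTP/1.1 Transfer-Encoding support.
        return "411: chunked body, proxy does not understand Transfer-Encoding"
    if len(set(lengths)) > 1:
        return "conflict: differing Content-Length values"
    if lengths:
        if re.fullmatch(r"[0-9]+", lengths[0]):
            return "ok: Content-Length"
        return "invalid: Content-Length is not a number"
    if method in ("POST", "PUT"):
        return "411: request with body has no length"
    return "ok: no body expected"

# Constructed sample requests (not captured from the thread).
NO_LENGTH = b"POST /form HTTP/1.1\r\nHost: app.example\r\n\r\nfield=value"
CHUNKED = (b"POST /form HTTP/1.1\r\nHost: app.example\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
BOTH = (b"POST /form HTTP/1.1\r\nHost: app.example\r\n"
        b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    for sample in (NO_LENGTH, CHUNKED, BOTH):
        print(diagnose_framing(sample))
```

A "411" result on the first sample points at the client; a "411" on the chunked sample only with the switch off points at the proxy's protocol level instead.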