Search squid archive

R: Re: TCP_DENIED/411

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I think the request is http/1.1 because I captured it and it shows in the 
'Hypertext Transfer Protocol' in the POST section, the field 'Request version' 
is HTTP/1.1
I understand Squid 2.7 is not able to understand http/1.1, but I 
ask myself if 'content-length' field was missing in the http/1.1 request and 
Squid was compliant to http/1.1( squid 3.x version ) , what Squid would return 
'DENIED/411' again?



>----Messaggio originale----
>Da: squid3@xxxxxxxxxxxxx

>Data: 8-nov-2014 12.38
>A: 
>Ogg: Re:  TCP_DENIED/411
>
>-----
BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On 8/11/2014 9:05 p.m., Riccardo 
Castellani wrote:
>> Squid (we are using 2.7 version) checks inside http 
request to
>> verify message is compliant to rfc but I ask myself if there is 
way
>> to stop this check for specific site/client, al least temporarily…
>> to 
exclude firewall problems too.
>> 
>
>Don't, just don't. Seriously.
>
>The 
proxy gets screwed over:
>https://www.owasp.org/index.php/Improper_Data_Validation>
>Then the origin 
server risks getting screwed over:
>https://www.owasp.org/index.php/Cross-User_Defacement>https://www.owasp.org/index.php/Improper_Data_Validation
>
>Being a POST the application itself riks getting screwed over with

>infinite-length input:
>https://www.owasp.org/index.php/Improper_Data_Validation>https://www.owasp.org/index.php/Process_Control
>https://www.owasp.org/index.php/Unsafe_Reflection>
>And then side effects can 
echo right back out to the proxy to trigger
>further rounds of nastiness at 
random times in the future:
>https://www.owasp.org/index.php/HTTP_Response_Splitting>https://www.owasp.org/index.php/Cross-User_Defacement
>https://www.owasp.org/index.php/Cache_Poisoning>
>
>The 411 respone is 
telling you that the client sending the proxy a
>request message is broken. 
Many of the above attack side effects could
>be happening in other software 
already as a result of this client
>Squid caught out. It really, really needs 
to be fixed ASAP.
>
>
>Now, there is a small posibility that the client is 
using HTTP/1.1
>Transfer-Encoding Squid-2.7 does not understand. The first fix 
for
>that is to upgrade to a HTTP/1.1 compliant Squid (which 2.7 is *not*).
>

>Amos
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v2.0.22 (MingW32)
>

>iQEcBAEBAgAGBQJUXgDAAAoJELJo5wb/XPRjNZ0IANsinW8QFF8ssHA9SeepEBf3

>4T/219SAC7GvpTJsBkVC3pQiMxNvngwC6gS3ssTpzcFjWJUi0LI25BAvV7KjuyHk

>rpdQN0U2jAblAFthzFtX9xZHbkBF6pwbMNTLH+zB0imWMnZ8TdGpvjYU4onrh/DD

>pYxgZOqF8ThRIqaB5kjowCC+VO1wmAOa2TsUfTGDRks29wK8yAva2bmhpQrFOEFN

>En1iXuxcCSAhPkBMNM6a4a+h+zgPJkhKL4c0IXJ9I6BnAuJ0VxD8PA6eJTiTcIkK

>V2Lzp2acOLINoMw2HpYiKfn0+HuWRLNedOST4rFqP0YEENkYIqbCgQ/+4fTIZZU=
>=+k8q
>-----
END PGP SIGNATURE-----
>_______________________________________________
>squid-
users mailing list
>squid-users@xxxxxxxxxxxxxxxxxxxxx
>http://lists.squid-cache.org/listinfo/squid-users>


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users





[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux