Re: ACL to block installation program

Yuri Voinov <yvoinov@xxxxxxxxx> · Sat, 11 Apr 2015 00:40:31 +0600



    -----BEGIN PGP SIGNED MESSAGE----- 

    Hash: SHA256 

     
    Agreed.

    
    10.04.15 23:57, brendan kearney пишет:

    > I am in a policy enforcement
      role, and our policy making / auditing team

      > approached me about why they could download a jar file from a
      site that was

      > not explicitly allowed to provide java content (I.e. not on
      the

      > whitelist).  It was because the mime type not being accurate.

      > On Apr 10, 2015 1:40 PM, "Yuri Voinov"
      <yvoinov@xxxxxxxxx> wrote:

      >

      >>

      > I would never have such an idea had not occurred. The man
      asked - I

      > answered. I know what you're talking about, and I would use
      ACL to URL for

      > this.

      >

      > 10.04.15 23:32, brendan kearney пишет:

      > >>> Be warned...  a web server can be configured to
      send an arbitrary mime

      > type

      > >>> for any file.  You may find .jar files with a
      mime type of html/text.

      > Also

      > >>> zipping a jar circumvents this check.  Some ICAP
      servers have a "true

      > >>> content type" check that does not rely on the
      headers which can be

      > forged,

      > >>> but actually looks at the file that was
      requested.

      > >>> On Apr 10, 2015 5:00 AM, "Yuri Voinov"
      <yvoinov@xxxxxxxxx>

      > <yvoinov@xxxxxxxxx> wrote:

      > >>>

      > >>>>

      > >>>
      http://wiki.squid-cache.org/ConfigExamples/BlockingMimeTypes

      > >>>

      > >>>

      > >>> 10.04.15 14:48, Fiorenza Meini пишет:

      > >>>>>> Hi,

      > >>>>>> is there a way to filter and block
      update programs which come from

      > >>> Internet, for example java update or windows
      update , withouth using the

      > >>> url of the web site, but working with 
      header/mime types ?

      > >>>>>>

      > >>>>>> Thanks and regards

      > >>>>>>

      > >>>>>> Fiorenza Meini

      > >>>

      > >>>>

      > >>>>
      _______________________________________________

      > >>>> squid-users mailing list

      > >>>> squid-users@xxxxxxxxxxxxxxxxxxxxx

      > >>>>
      http://lists.squid-cache.org/listinfo/squid-users

      > >>>>

      > >>>

      >

      >>

      >>

      >

    
    -----BEGIN PGP SIGNATURE-----


    Version: GnuPG v2


    iQEcBAEBCAAGBQJVKBkfAAoJENNXIZxhPexGQD4H/2U2jQtNqkVS1Hk3gxkyWXeq


    nf6ge0Kd+W92WtBWs4Hkf1vbifF9Z/TDckEaAH+SLQaDTr4/O+EeEtQTLLyFNj7Z


    5G/RuuGJ+Y1CFwo8zG3x9qqP1ga3Q9PKKjf64k3zlZrEqgWamMksbSoWIEHaQat9


    aDi+iGOTGeuF6RxRBFjw1G8nxtRGQAPIs2/B0WDDlY/sQuz7na7R5vDSZCD8O+6X


    ywr6Fe3s3CsLrb6F5xxTEzQiofCDerZtszZ9A/OOOTz0XLdPvOqNQAmmhHYk4xQb


    CdRREdz6K0wiecM7NFn+jocnet6ZnYP/Q7C5IB7PfiG2N+S0djueWHrmVqP7IVg=


    =gWJ2


    -----END PGP SIGNATURE-----


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users