On 04/06/2017 10:07 AM, Amos Jeffries wrote:
> On 6/04/2017 7:32 a.m., Eliezer Croitoru wrote:
>> Technically I would expect squid to pass it but it might have the potential for a CVE in some cases.

> There is actually a CVE problem "HTTP request/response smuggling" in all
> cases of the type you described.

> There are exactly two things that can be done by a proxy when this type
> of error is encountered:

> 1) [send an error message]
> 2) truncate the message at the CRLF before the garbage

There are many other reasonable things a proxy can do, with admin
permission, but it is pointless to discuss their details on squid-users
IMO. And yes, pretty much all of them may cause HTTP message smuggling.
They are useful as temporary compatibility workarounds, not universal
default solutions.

Alex.