Thanks Amos and Alex, I have seen a scenario like that but while working with haproxy.
I believe that there is a difference between a "security" proxy appliance and some other kinds.
The enforcement of the RFC for headers computability seems like the right way to go for any general HTTP proxy.
The issue may arise when some developer might make some mistake in PHP or another customised service.
PHP doesn't enforce the header syntax and it is possible that a developer will run broken code.
For the case with haproxy it returned a 500 wrong response.
To test the issue I had to compare two/three cases such as:
- plain text file
- plain html file
- simple phpinfo() php script

When testing these the conclusion was that there is something wrong with the PHP code that the developer wrote.
At least I can say that I have not seen such an error in any open source web application that is based on PHP.
So I believe that they have some hidden quality to do things the right way.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Alex Rousskov
Sent: Thursday, April 6, 2017 8:45 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: What squid should do with RFC non-compliant response header?

On 04/06/2017 10:07 AM, Amos Jeffries wrote:
> On 6/04/2017 7:32 a.m., Eliezer Croitoru wrote:
>> Technically I would expect squid to pass it but it might have the potential for a CVE in some cases.

> There is actually a CVE problem "HTTP request/response smuggling" in
> all cases of the type you described.

> There are exactly two things that can be done by a proxy when this
> type of error is encountered:
> 1) [send an error message]
> 2) truncate the message at the CRLF before the garbage

There are many other reasonable things a proxy can do, with admin permission, but it is pointless to discuss their details on squid-users IMO.

And yes, pretty much all of them may cause HTTP message smuggling. They are useful as temporary compatibility workarounds, not universal default solutions.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
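The two proxy policies Amos lists (send an error, or truncate at the CRLF before the garbage), applied to a constructed response head from a broken script, as an added example that is not part of the thread or of Squid's code; the header grammar follows RFC 7230 section 3.2, and the function names, the `framing_lost` check and the sample head are assumptions made for the example:

```python
import re

# RFC 7230 section 3.2: header-field = field-name ":" OWS field-value OWS
# field-name = token = 1*tchar; tchar per section 3.2.6
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
FIELD_NAME = re.compile(rf"^{TCHAR}+$")
# field-value: VCHAR / obs-text with SP / HTAB between them, no control chars
FIELD_VALUE = re.compile(r"^[\t \x21-\x7e\x80-\xff]*$")
FRAMING_HEADERS = ("content-length", "transfer-encoding")

# Constructed sample (assumption): a script emitted a header line without a
# colon, and the header that frames the body comes after it.
SAMPLE_HEAD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               b"X-Debug garbage line\r\nContent-Length: 5\r\n\r\nhello")

def parse_header_line(line):
    """Return (name, value) if the line is a syntactically valid field, else None."""
    if ":" not in line:
        return None
    name, value = line.split(":", 1)
    if not FIELD_NAME.match(name):        # empty name or whitespace before ':'
        return None
    value = value.strip(" \t")            # drop OWS around the value
    if not FIELD_VALUE.match(value):      # control characters are not allowed
        return None
    return name, value

def handle_response_head(raw, policy):
    """Apply one policy from the thread to a raw response head (bytes).

    'reject'   -> None, i.e. the proxy would answer with an error message
    'truncate' -> keep the fields before the first bad line, drop the rest
    Returns (status_line, kept_fields, dropped_lines) or None.
    """
    lines = raw.decode("latin-1").split("\r\n")
    head_end = lines.index("") if "" in lines else len(lines)
    status_line, kept = lines[0], []
    for i in range(1, head_end):
        parsed = parse_header_line(lines[i])
        if parsed is None:
            if policy == "reject":
                return None
            return status_line, kept, lines[i:head_end]   # cut at the CRLF before it
        kept.append(parsed)
    return status_line, kept, []

def framing_lost(dropped):
    """True if truncation discarded a body-framing header: the client and the
    origin would then disagree on where the message ends (smuggling risk)."""
    return any(l.split(":", 1)[0].strip().lower() in FRAMING_HEADERS for l in dropped)
```

On the sample head, `truncate` discards `Content-Length`, which is exactly why Alex calls such workarounds a smuggling hazard rather than a default.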