On 2/04/24 16:03, root wrote:
Hi Team,
after an upgrade from squid 5.4.1 to squid 5.9, unable to parse HTTP
chunked response containing whitespace after chunk size. >
I think the following bugs were fixed and worked fine in squid 5.9 and
earlier.
https://bugs.squid-cache.org/show_bug.cgi?id=4492
<https://bugs.squid-cache.org/show_bug.cgi?id=4492>
There was no bug. We caved to user pressure and relaxed the protocol
validation to tolerate and "fix" known-bad syntax. That change is what
opened the security issue...
However, after the fix for SQUID2023:1 in 5.9, it seems that it does not
work properly.
<https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh>
Indeed. That particular broken syntax is being intentionally rejected as
a security attack.
I could be wrong, but Can you please advise me know if there is a way or
patch to fix this issue.
You need to fix or stop using the software which is adding BWS (bad
whitespace) to the protocol syntax fixed.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
