Blame SOURCES/squid-3.5.20-CVE-2020-8449-and-8450.patch

07d5a6
diff --git a/src/client_side.cc b/src/client_side.cc
07d5a6
index 01760f3..261abdf 100644
07d5a6
--- a/src/client_side.cc
07d5a6
+++ b/src/client_side.cc
07d5a6
@@ -2018,6 +2018,23 @@ setLogUri(ClientHttpRequest * http, char const *uri, bool cleanUrl)
07d5a6
     }
07d5a6
 }
07d5a6
 
07d5a6
+static char *
07d5a6
+getHostHeader(const char *req_hdr)
07d5a6
+{
07d5a6
+    char *host = mime_get_header(req_hdr, "Host");
07d5a6
+    if (!host)
07d5a6
+        return NULL;
07d5a6
+
07d5a6
+    // check the header contents are valid
07d5a6
+    for(const char *c = host; *c != '\0'; ++c) {
07d5a6
+        // currently only used for pre-parse Host header, ensure valid domain[:port] or ip[:port]
07d5a6
+        static const CharacterSet hostChars = CharacterSet("host",":[].-_") + CharacterSet::ALPHA + CharacterSet::DIGIT;
07d5a6
+        if (!hostChars[*c])
07d5a6
+            return NULL; // error. line contains character not accepted in Host header
07d5a6
+    }
07d5a6
+    return host;
07d5a6
+}
07d5a6
+
07d5a6
 static void
07d5a6
 prepareAcceleratedURL(ConnStateData * conn, ClientHttpRequest *http, char *url, const char *req_hdr)
07d5a6
 {
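Review bot: The comment inside the loop of getHostHeader says it ensures a valid domain[:port] or ip[:port], but the loop is only a per-character allow-list. An empty value, or a string made only of separators such as `::`, still passes and is returned to the caller. I would reword it to `// character allow-list only; does not check host[:port] structure, length or emptiness`. I would also add a header comment stating that the function returns the pointer obtained from mime_get_header() unchanged, or NULL when the header is absent or contains a character outside the set. If no caller should see an empty host, `if (!host || *host == '\0') return NULL;` at the top would cover it.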
07d5a6
@@ -2060,9 +2077,9 @@ prepareAcceleratedURL(ConnStateData * conn, ClientHttpRequest *http, char *url,
07d5a6
 
07d5a6
     const bool switchedToHttps = conn->switchedToHttps();
07d5a6
     const bool tryHostHeader = vhost || switchedToHttps;
07d5a6
-    if (tryHostHeader && (host = mime_get_header(req_hdr, "Host")) != NULL) {
07d5a6
+    if (tryHostHeader && (host = getHostHeader(req_hdr)) != NULL && strlen(host) <= SQUIDHOSTNAMELEN) {
07d5a6
         debugs(33, 5, "ACCEL VHOST REWRITE: vhost=" << host << " + vport=" << vport);
07d5a6
-        char thost[256];
07d5a6
+        char thost[SQUIDHOSTNAMELEN + 6 /* ':' vport */];
07d5a6
         if (vport > 0) {
07d5a6
             thost[0] = '\0';
07d5a6
             char *t = NULL;
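Review bot: `thost[SQUIDHOSTNAMELEN + 6]` is one byte short for the largest input the new guard admits. A host of exactly SQUIDHOSTNAMELEN characters plus ':' plus a five-digit port plus the terminating NUL needs SQUIDHOSTNAMELEN + 7. The writes into thost are below the end of this hunk, so whether that case truncates the host or writes past the array cannot be confirmed from here. Either declare `char thost[SQUIDHOSTNAMELEN + 7 /* ':' + 5-digit vport + NUL */];` or tighten the guard to `strlen(host) < SQUIDHOSTNAMELEN`. The sizing also presumes vport never exceeds five digits, which the hunk does not show.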
07d5a6
@@ -2119,7 +2136,7 @@ prepareTransparentURL(ConnStateData * conn, ClientHttpRequest *http, char *url,
07d5a6
 
07d5a6
     /* BUG: Squid cannot deal with '*' URLs (RFC2616 5.1.2) */
07d5a6
 
07d5a6
-    if ((host = mime_get_header(req_hdr, "Host")) != NULL) {
07d5a6
+    if ((host = getHostHeader(req_hdr)) != NULL) {
07d5a6
         int url_sz = strlen(url) + 32 + Config.appendDomainLen +
07d5a6
                      strlen(host);
07d5a6
         http->uri = (char *)xcalloc(url_sz, 1);
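Review bot: The transparent path uses the validated Host value without the `strlen(host) <= SQUIDHOSTNAMELEN` bound that the accelerated path gained in the previous hunk, so the two callers of getHostHeader now enforce different limits. The buffer here is sized from the same strlen, so this is a consistency gap rather than an overflow in the visible lines. However, `url_sz` is an `int` built from a sum of `size_t` values, and an upper bound on host would make that arithmetic easier to reason about. Moving the length check into getHostHeader would give both callers the same limit. The branch taken when getHostHeader returns NULL is outside the hunk; a debugs() line at that point would make rejected Host headers visible to operators.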