Re: OPTIONS/TRACE denial patch condition is wrong

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Thu, 02 Sep 2010 14:50:23 -0600

> (08:28:14 AM) amosjeffries: rousskov: two priority things for you.
> please review the OPTIONS/TRACE denial patch against your intentions.
> the new return condition is wrong. false==emit 400, true == continue
> processing/passthru the request. (sorry)

Hi Amos,

     The code looks correct to me. The outcome is also correct:

> Max-Forwards  URL      Action
> 0             nonstar  501
> 0             *        501
> 1+            nonstar  forwarded
> 1+            *        501
> none          nonstar  forwarded
> none          *        501

You may be confused because the first two 501s mean "here is our
compliant response to your OPTIONS request directed at Squid" while the
other two 501s mean "we do not support forwarding of OPTIONS requests
with a * URI". These two cases might become different if we start
providing some useful information in the OPTIONS responses directed at us.

FWIW, if we let *-URIs through the urlCheckRequest() check, the user
will get a misleading ERR_DNS_FAIL when Squid tries to forward the
request. Fixing *-URI forwarding is outside the scope of the committed
patch.

Hope this clarifies,

Alex.
P.S. I added a comment to urlCheckRequest(), reflecting the above.
Received on Thu Sep 02 2010 - 20:50:35 MDT