[squid-users] [PATCH] Host header forgery detected even with appendDomain

From: Jeff Chua <jeff.chua.linux_at_gmail.com>
Date: Tue, 13 Sep 2011 14:54:00 +0800 (SGT)

Amos,

The latest squid prevents connections to my known servers without the local
domain name. The version prior to June 15 allowed connecting to URLs
without fully qualified domain names, as in "moose" instead of
"moose.xxx.com".

The latest squid throws the following error:

2011/09/13 09:17:53.420 kid1| SECURITY ALERT: Host header forgery detected
on local=192.168.243.1:8080 remote=192.168.243.1:59291 FD 11 flags=1
(moose does not match moose.xxx.com)

Here's a patch to get around the problem. By specifying "append_domain
.xxx.com", squid should allow hosts that match the domain part. This is
useful for getting back the old behavior, so I don't need to type the full
URLs for the many sites at work I'm dealing with.

Thanks,
Jeff

--- trunk/src/client_side_request.cc 2011-09-02 23:48:56.000000000 +0800
+++ truck/src/client_side_request.cc 2011-09-13 10:31:33.000000000 +0800
@@ -620,6 +620,8 @@
              port = xatoi(portStr);
      }

+ int appendDomainOK = strcmp(strchr(http->request->GetHost(), '.'), Config.appendDomain);
+
      debugs(85, 3, HERE << "validate host=" << host << ", port=" << port << ", portStr=" << (portStr?portStr:"NULL"));
      if (http->request->flags.intercepted || http->request->flags.spoof_client_ip) {
          // verify the Host: port (if any) matches the apparent destination
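Review bot: the new `appendDomainOK` line dereferences NULL in two common cases: `strchr()` returns NULL when `http->request->GetHost()` contains no '.', and `Config.appendDomain` is NULL when append_domain is not configured, so `strcmp()` crashes either way. It also compares from the first dot, so for `a.b.xxx.com` it checks `.b.xxx.com` rather than the `.xxx.com` suffix, and the name reads inverted: `strcmp()` returns 0 on a match, so `appendDomainOK` is non-zero exactly when the domain does not match. Suggest guarding both pointers, comparing only the trailing suffix of `strlen(Config.appendDomain)` bytes, and naming the variable for what it holds, e.g. `bool hostInAppendDomain = ...`. Minor: the `+++` header spells the path `truck/src/client_side_request.cc`.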
@@ -633,11 +635,11 @@
              // verify the destination DNS is one of the Host: headers IPs
              ipcache_nbgethostbyname(host, hostHeaderIpVerifyWrapper, this);
          }
- } else if (strlen(host) != strlen(http->request->GetHost())) {
+ } else if (strlen(host) != strlen(http->request->GetHost()) && appendDomainOK) {
          // Verify forward-proxy requested URL domain matches the Host: header
          debugs(85, 3, HERE << "FAIL on validate URL domain length " << http->request->GetHost() << " matches Host: " << host);
          hostHeaderVerifyFailed(host, http->request->GetHost());
- } else if (matchDomainName(host, http->request->GetHost()) != 0) {
+ } else if (matchDomainName(host, http->request->GetHost()) != 0 && appendDomainOK) {
          // Verify forward-proxy requested URL domain matches the Host: header
          debugs(85, 3, HERE << "FAIL on validate URL domain " << http->request->GetHost() << " matches Host: " << host);
          hostHeaderVerifyFailed(host, http->request->GetHost());
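Review bot: appending `&& appendDomainOK` to both else-if branches switches Host: header verification off for every forward-proxy URL whose host ends in append_domain, regardless of what the Host: header contains, so `GET http://moose.xxx.com/` sent with `Host: other.example` passes without reaching `hostHeaderVerifyFailed()`; that is the forgery the SECURITY ALERT exists to catch. Tie the relaxation to the Host: value instead: accept only when `host` has no dot and `host` + `Config.appendDomain` compares equal to `http->request->GetHost()` (e.g. via `matchDomainName()`), and leave these two branches as they were so any other mismatch still fails. A single new branch for that case placed before the existing length check would do it.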
Received on Tue Sep 13 2011 - 06:54:09 MDT

This archive was generated by hypermail 2.2.0 : Tue Sep 13 2011 - 12:00:02 MDT
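The check the patch is reaching for, written out as an added example (this is not Squid's code and not the poster's patch): only a bare Host: name that becomes the URL host once append_domain is applied should be accepted, so a URL host that merely shares the append_domain suffix does not disable verification. The function names, the `bool` return and the case-insensitive comparison are assumptions for the example; the rule that append_domain must begin with a period and applies only to names without dots follows the documented meaning of the directive. Inputs are constructed; Squid's own port stripping is assumed to have happened already.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/*
 * Added example, not Squid code: returns true only when
 * url_host == host_hdr + append_dom (case-insensitive, as DNS names are).
 *
 * host_hdr   - value of the client's Host: header, port already stripped
 * url_host   - hostname parsed from the request-URI (domain already appended)
 * append_dom - the append_domain setting, e.g. ".xxx.com"; NULL when unset
 */
static bool host_matches_with_append_domain(const char *host_hdr,
                                            const char *url_host,
                                            const char *append_dom)
{
    /* Nothing configured or nothing to compare: do not relax the check. */
    if (!host_hdr || !url_host || !append_dom || !*host_hdr || !*append_dom)
        return false;
    /* append_domain only applies to names without any dots. */
    if (strchr(host_hdr, '.'))
        return false;
    /* append_domain must begin with a period; refuse anything else. */
    if (append_dom[0] != '.')
        return false;

    size_t hlen = strlen(host_hdr);
    size_t alen = strlen(append_dom);
    if (strlen(url_host) != hlen + alen)
        return false;
    /* Compare the label and the suffix separately so "moose" + ".xxx.com"
     * matches "moose.xxx.com" but "mo" + ".xxx.com" does not match it. */
    return strncasecmp(url_host, host_hdr, hlen) == 0 &&
           strcasecmp(url_host + hlen, append_dom) == 0;
}

/*
 * Mirrors the forward-proxy branch of the patched code: the Host: header must
 * equal the URL host outright, or equal it once append_domain is applied.
 * Anything else is a forgery and should still fail verification.
 */
static bool forward_proxy_host_ok(const char *host_hdr, const char *url_host,
                                  const char *append_dom)
{
    if (host_hdr && url_host && strcasecmp(host_hdr, url_host) == 0)
        return true;
    return host_matches_with_append_domain(host_hdr, url_host, append_dom);
}
```

The key difference from the posted patch is that the decision depends on the Host: header value, not only on the URL host's suffix, so a URL inside the local domain sent with an unrelated Host: header still fails.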