aboutsummaryrefslogtreecommitdiffstats
path: root/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch')
-rw-r--r--meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch51
1 files changed, 51 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
new file mode 100644
index 000000000..497ace444
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
@@ -0,0 +1,51 @@
+From 41ccaa04bb445f52bdb671ef6fbf994634b6efbe Mon Sep 17 00:00:00 2001
+From: Catalin Enache <catalin.enache@windriver.com>
+Date: Mon, 23 May 2016 12:47:39 +0300
+Subject: [PATCH] Bug 4501: HTTP/1.1: normalize Host header
+
+Upstream-Status: Backport
+CVE: CVE-2016-4553
+
+When absolute-URI is provided Host header should be ignored. However some
+code still uses Host directly so normalize it using the URL authority
+value before doing any further request processing.
+
+For now preserve the case where Host is completely absent. That matters
+to the CVE-2009-0801 protection.
+
+This also has the desirable side effect of removing multiple or duplicate
+Host header entries, and invalid port values.
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/client_side.cc | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/client_side.cc b/src/client_side.cc
+index 8c41c21..36a27de 100644
+--- a/src/client_side.cc
++++ b/src/client_side.cc
+@@ -2652,6 +2652,20 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
+ clientProcessRequestFinished(conn, request);
+ return;
+ }
++
++ // when absolute-URI is provided Host header should be ignored. However
++ // some code still uses Host directly so normalize it.
++ // For now preserve the case where Host is completely absent. That matters.
++ if (request->header.has(HDR_HOST)) {
++ const char *host = request->header.getStr(HDR_HOST);
++ SBuf authority(request->GetHost());
++ if (request->port != urlDefaultPort(request->url.getScheme()))
++ authority.appendf(":%d", request->port);
++ debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
++ // URL authority overrides Host header
++ request->header.delById(HDR_HOST);
++ request->header.putStr(HDR_HOST, authority.c_str());
++ }
+ }
+
+ // Some blobs below are still HTTP-specific, but we would have to rewrite
+--
+2.7.4
+