diff options
Diffstat (limited to 'meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch')
-rw-r--r-- | meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch new file mode 100644 index 0000000000..51c895e0ef --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch @@ -0,0 +1,62 @@ +From: Markus Koschany <apo@debian.org> +Date: Tue, 26 Dec 2023 19:58:12 +0100 +Subject: CVE-2023-50269 + +Bug-Debian: https://bugs.debian.org/1058721 +Origin: http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-50269.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa +Upstream commit https://github.com/squid-cache/squid/commit/9f7136105bff920413042a8806cc5de3f6086d6d] +CVE: CVE-2023-50269 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/ClientRequestContext.h | 4 ++++ + src/client_side_request.cc | 17 +++++++++++++++-- + 2 files changed, 19 insertions(+), 2 deletions(-) + +--- a/src/ClientRequestContext.h ++++ b/src/ClientRequestContext.h +@@ -81,6 +81,10 @@ + #endif + ErrorState *error; ///< saved error page for centralized/delayed processing + bool readNextRequest; ///< whether Squid should read after error handling ++ ++#if FOLLOW_X_FORWARDED_FOR ++ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far ++#endif + }; + + #endif /* SQUID_CLIENTREQUESTCONTEXT_H */ +--- a/src/client_side_request.cc ++++ b/src/client_side_request.cc +@@ -78,6 +78,11 @@ + static const char *const crlf = "\r\n"; + + #if FOLLOW_X_FORWARDED_FOR ++ ++#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX) ++#define SQUID_X_FORWARDED_FOR_HOP_MAX 64 ++#endif ++ + static void clientFollowXForwardedForCheck(allow_t answer, void *data); + #endif /* FOLLOW_X_FORWARDED_FOR */ + +@@ -485,8 +490,16 @@ + /* override the default src_addr tested if we have to go deeper than one level into XFF */ + Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr; + } +- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); +- return; ++ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) { ++ calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); ++ return; ++ } ++ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name; ++ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses"); ++ debugs(28, DBG_CRITICAL, "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber); ++ debugs(28, DBG_CRITICAL, "last/accepted address: " << request->indirect_client_addr); ++ debugs(28, DBG_CRITICAL, "ignored trailing addresses: " << request->x_forwarded_for_iterator); ++ // fall through to resume clientAccessCheck() processing + } + } + |