aboutsummaryrefslogtreecommitdiffstats
path: root/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
blob: 497ace444baa281f431a45be67a8bde6914b5642 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
From 41ccaa04bb445f52bdb671ef6fbf994634b6efbe Mon Sep 17 00:00:00 2001
From: Catalin Enache <catalin.enache@windriver.com>
Date: Mon, 23 May 2016 12:47:39 +0300
Subject: [PATCH] Bug 4501: HTTP/1.1: normalize Host header

Upstream-Status: Backport
CVE: CVE-2016-4553

When absolute-URI is provided Host header should be ignored. However some
code still uses Host directly so normalize it using the URL authority
value before doing any further request processing.

For now preserve the case where Host is completely absent. That matters
to the CVE-2009-0801 protection.

This also has the desirable side effect of removing multiple or duplicate
Host header entries, and invalid port values.

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
---
 src/client_side.cc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/client_side.cc b/src/client_side.cc
index 8c41c21..36a27de 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2652,6 +2652,20 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
             clientProcessRequestFinished(conn, request);
             return;
         }
+
+        // when absolute-URI is provided Host header should be ignored. However
+        // some code still uses Host directly so normalize it.
+        // For now preserve the case where Host is completely absent. That matters.
+        if (request->header.has(HDR_HOST)) {
+            const char *host = request->header.getStr(HDR_HOST);
+            SBuf authority(request->GetHost());
+            if (request->port != urlDefaultPort(request->url.getScheme()))
+                authority.appendf(":%d", request->port);
+            debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
+            // URL authority overrides Host header
+            request->header.delById(HDR_HOST);
+            request->header.putStr(HDR_HOST, authority.c_str());
+        }
     }
 
     // Some blobs below are still HTTP-specific, but we would have to rewrite
-- 
2.7.4