Package: squid3 / 3.4.8-6+deb8u2~bpo70+1

From: Luigi Gangitano <luigi@debian.org>
Date: Wed, 28 Jan 2015 12:30:04 +0100
Subject: squid-3.4-13211.patch Fixes a minor security issue: indefinite
 rollover of the nonce count in Digest authentication

---
 src/auth/digest/UserRequest.cc | 12 ++++++++----
 src/auth/digest/auth_digest.cc |  7 +------
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/src/auth/digest/UserRequest.cc b/src/auth/digest/UserRequest.cc
index 9107d73..011f109 100644
--- a/src/auth/digest/UserRequest.cc
+++ b/src/auth/digest/UserRequest.cc
@@ -152,10 +152,14 @@ Auth::Digest::UserRequest::authenticate(HttpRequest * request, ConnStateData * c
     }
 
     /* check for stale nonce */
-    if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) {
-        debugs(29, 3, "user '" << auth_user->username() << "' validated OK but nonce stale");
-        auth_user->credentials(Auth::Handshake);
-        digest_request->setDenyMessage("Stale nonce");
+    /* check Auth::Pending to avoid loop */
+
+    if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc) && user()->credentials() != Auth::Pending) {
+        debugs(29, 3, auth_user->username() << "' validated OK but nonce stale: " << digest_request->nonceb64);
+        /* Pending prevent banner and makes a ldap control */
+        auth_user->credentials(Auth::Pending);
+        nonce->flags.valid = false;
+        authDigestNoncePurge(nonce);
         return;
     }
 
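Review bot: When `user()->credentials()` is already `Auth::Pending`, the new condition at the top of the hunk no longer returns on a nonce that failed `authDigestNonceIsValid`, so whatever follows the hunk in authenticate() runs with an invalid or rolled-over nonce; the rest of the function is outside this view, so confirm that path re-challenges or denies rather than treating the request as authenticated. The rewritten log line drops the opening quote the old message had and now prints the nonce itself at level 3: `debugs(29, 3, "user '" << auth_user->username() << "' validated OK but nonce stale: " << digest_request->nonceb64);`. The `setDenyMessage("Stale nonce")` call was removed, so the error page no longer says why the request was denied; if that is intentional because a Pending handshake sends a fresh challenge, the comment should say so, e.g. `/* no deny message: Pending yields a new challenge, not an error page */`. `nonce` is used unqualified where the old code used `digest_request->nonce`, presumably a local declared above the hunk. authenticate() starts and ends outside the hunk.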
diff --git a/src/auth/digest/auth_digest.cc b/src/auth/digest/auth_digest.cc
index 7cc3276..610f547 100644
--- a/src/auth/digest/auth_digest.cc
+++ b/src/auth/digest/auth_digest.cc
@@ -1038,12 +1038,7 @@ Auth::Digest::Config::decode(char const *proxy_auth)
         debugs(29, 2, "Username for the nonce does not equal the username for the request");
         nonce = NULL;
     }
-    /* check for stale nonce */
-    if (authDigestNonceIsStale(nonce)) {
-        debugs(29, 3, "The received nonce is stale from " << username);
-        digest_request->setDenyMessage("Stale nonce");
-        nonce = NULL;
-    }
+
     if (!nonce) {
         /* we couldn't find a matching nonce! */
         debugs(29, 2, "Unexpected or invalid nonce received from " << username);