Package: squid3 / 3.4.8-6+deb8u5

40-squid-3.4-13240-CVE-2016-4553.patch Patch series | download
Origin: upstream, http://bazaar.launchpad.net/~squid/squid/3.4/revision/13240

=== modified file 'src/client_side.cc'
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2740,6 +2740,23 @@
         goto finish;
     }
 
+    // when absolute-URI is provided Host header should be ignored. However
+    // some code still uses Host directly so normalize it.
+    // For now preserve the case where Host is completely absent.
+    if (request->header.has(HDR_HOST)) {
+        const char *host = request->header.getStr(HDR_HOST);
+        MemBuf authority;
+        authority.init();
+        if (request->port != urlDefaultPort(request->protocol))
+            authority.Printf("%s:%d", request->GetHost(), request->port);
+        else
+            authority.Printf("%s", request->GetHost());
+        debugs(33, 5, "URL domain " << authority.buf << " overrides header Host: " << host);
+        // URL authority overrides Host header
+        request->header.delById(HDR_HOST);
+        request->header.putStr(HDR_HOST, authority.buf);
+    }
+
     request->clientConnectionManager = conn;
 
     request->flags.accelerated = http->flags.accel;
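Review bot: The authority rebuilt by `authority.Printf("%s:%d", request->GetHost(), request->port)` (and the port-less form on the next line) never brackets an IPv6 literal, so if GetHost() returns the address without `[...]` in this tree the replacement Host value would be malformed and could differ from what urlCanonical() emits; worth confirming against url.cc before relying on the rewrite for the Host/URI consistency this patch is meant to enforce. The `const char *host` pointer taken from `getStr(HDR_HOST)` points into header storage that `delById(HDR_HOST)` releases, and it is correctly only read in the `debugs` line before that call, but a one-line comment such as `// 'host' is invalid after delById() below` would keep a later edit from reusing it. `authority` is never explicitly cleaned; if this tree's MemBuf destructor does not release the buffer, add `authority.clean();` after `putStr`. The enclosing function starts before and ends after this hunk.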