On Thu, 28 Jul 2005, Andrey Shorin wrote:

Hello Squid,

 In case somebody didn't read it yet...
 http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
 Russian translation available:
 http://apachedev.ru/modules.php?name=Pages&go=page&pid=19

As some of you know and as can be seen on page 21 it's the trigger which started the noticeable HTTP hardening in the recent 2.5 versions.. I'll update the advisory with a link to the published paper in the credits section.

It's a quite manageable problem and to my best knowledge we and any parents to us are fully safe from this after the patches, but child caches may be at risk..

A more interesting problem to ponder about is the response splitting problem.. (see the first reference for details). Squid does go to a great extent for detecting this when possible, but if you have a vulnerable parent quite bad things may result when server-side persistent connections are enabled..

Regards
Henrik
