On Tue, 18 Jan 2005, Henrik Nordstrom wrote:
The HTTP smuggling paper references another paper from the same group describing interesting ways of cache pollution. I am currently working on hardening Squid further from the described attack.
Patch now available in bug #1200.
One minor question which arose during this: should we even attempt to cache HTTP/0.9 style responses? (only body, no header or status line)
Today, caching of such responses can be forced by a refresh pattern with a min age > 0, but I am not sure it is wise to allow these to be cached, as I suspect this kind of reply quite likely happens in protocol screwups.
Regards
Henrik
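
Added example, not part of the original message and not Squid's code: a sketch of the decision the message asks about, classifying a reply as HTTP/0.9 style when it has no valid status line and refusing to store it unless a policy switch allows it. The names `classify_reply`, `may_cache` and `allow_http09_cache` are hypothetical, and the sample replies are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; this is not Squid code. */
enum reply_kind { REPLY_HTTP1, REPLY_HTTP09 };

/* A reply counts as HTTP/1.x only if its first bytes form
 * "HTTP/<digit>.<digit> <3-digit status>". Anything else (body only,
 * garbage, a damaged status line) is treated as HTTP/0.9 style.
 * The caller must pass at least the first 12 buffered bytes. */
static enum reply_kind classify_reply(const char *buf, size_t len)
{
    size_t i;
    if (len < 12 || memcmp(buf, "HTTP/", 5) != 0)
        return REPLY_HTTP09;
    if (!isdigit((unsigned char)buf[5]) || buf[6] != '.' ||
        !isdigit((unsigned char)buf[7]) || buf[8] != ' ')
        return REPLY_HTTP09;
    for (i = 9; i < 12; i++)
        if (!isdigit((unsigned char)buf[i]))
            return REPLY_HTTP09;
    return REPLY_HTTP1;
}

/* refresh_min_age models the refresh pattern min age from the message.
 * allow_http09_cache is an assumed policy switch: 0 never stores
 * header-less replies, 1 keeps the behaviour the message describes
 * (storable only when min age > 0). Returns 1 if the reply may be stored. */
static int may_cache(const char *buf, size_t len, long refresh_min_age,
                     int allow_http09_cache)
{
    if (classify_reply(buf, len) == REPLY_HTTP09)
        return allow_http09_cache && refresh_min_age > 0;
    return 1; /* HTTP/1.x: the usual header-based checks are not modelled */
}

int main(void)
{
    /* Constructed sample replies. */
    const char *samples[] = { "HTTP/1.0 200 OK\r\n\r\nhi", "<html>hi</html>",
                              "HTTP/1.0 OK\r\n\r\nhi" };
    size_t i;
    for (i = 0; i < 3; i++)
        printf("sample %u: strict=%d legacy=%d\n", (unsigned)i,
               may_cache(samples[i], strlen(samples[i]), 60, 0),
               may_cache(samples[i], strlen(samples[i]), 60, 1));
    return 0;
}
```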
