Mark Nottingham wrote:
Sorry to be blunt, but shouldn't these sites be securing themselves? Having Squid strip this header hardly closes any significant attack vectors off... and doing so creates yet another special case for people to work around.

-1 on Translate (default strip; registering it, I suppose, although it's a vendor-specific extension header that they haven't bothered to register; I'd rather the focus be on those headers that people have actually tried to do the right thing for -- especially when they have *not* said they'll license patents for this specification).

Well, that's 2:1 against any special treatment.


WRT Unless-Modified-Since -- IIRC this is a very old, pre-2068 version of If-Range. /me looks around... see: http://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15847a-s96/web/draft-luotonen-http-url-byterange-02.txt

Range? yeesh, truly mixed bag of garbage there then.


What's the issue with it? Amusingly, MSFT thinks it's a response header:
  http://msdn.microsoft.com/en-us/library/aa917918.aspx

:)

The 'issue' with them is that at least one brand of commercial box views them as a security hazard and rejects requests from clients using them outright. Fair enough IMO, but ... something involved with PDF somehow still insists on sending them.

http://www.mail-archive.com/squid-us...@squid-cache.org/msg63980.html

Amos




On 18/05/2009, at 9:05 PM, Amos Jeffries wrote:

Both of these are non-standard headers created by microsoft.

These are both weird ones. We seem to need them, but only because they need to be stripped away in certain circumstances.

The Translate: header is the trickiest. After reading the docs it appears we should be always stripping it away for security. Its entire purpose is to perform code disclosure 'attacks' on targeted dynamic sites. With perhaps a fast-ACL to allow admins to use it and control the requests using it when they really need to.

Pending any objections I'll add as registered headers in 3.0 and the above handling for Translate in 3.1.

Amos
--
Please be using
 Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
 Current Beta Squid 3.1.0.7

--
Mark Nottingham       m...@yahoo-inc.com




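The "strip Translate by default, with a fast ACL for admins who really need it" handling Amos proposes, written out as a squid.conf fragment. This is an added example, not configuration from the thread or from Squid's shipped defaults. It uses the Squid 3.x directive name request_header_access (Squid 2.x had a single header_access directive covering both directions), and the ACL name translate_users and the 192.0.2.0/24 source network are assumptions chosen for illustration. It also assumes a Squid build that recognises Translate as a header name, which is what the thread proposes registering; on a build that does not, unregistered request headers can only be reached through the Other pseudo-header.

```conf
# Added example squid.conf fragment (Squid 3.x syntax). Not from the thread
# and not Squid's default configuration. ACL name and network are assumed.

# Before: no request_header_access lines at all. Squid's default is to pass
# every request header through unchanged, so a client's "Translate: f"
# reaches the origin server untouched.

# After: deny Translate for everyone except a known admin network.
# "src" is a fast ACL, so it can be evaluated on the header-mangling path.
acl translate_users src 192.0.2.0/24    # assumed admin network

# Rules are checked in order and the first match wins, so the allow line
# must come before the catch-all deny.
request_header_access Translate allow translate_users
request_header_access Translate deny all

# Squid only supports this for header names it knows. On a build where
# Translate is not a registered header, the only handle on it is "Other",
# which would strip every unknown request header, not just Translate:
# request_header_access Other deny all
```

A client sends Translate: f to ask an IIS/WebDAV origin for the stored file rather than the output of executing it, which is why the header is treated as a source-disclosure control rather than an ordinary extension. Because request_header_access is evaluated per header name, the fragment leaves Unless-Modified-Since and all other request headers alone; anything not named keeps Squid's default of being allowed.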