On Thu, 18 Dec 2003, Eric Geater 12/12/03 wrote:

> I read an article in EWeek that explained how to create a misleading web
> link or link in email by typing the acceptable http address, followed by
> "%01%00@" and the actual destination address.  I showed it to my boss,
> who didn't like what she saw.
>
> Is it possible to create an ACL in Squid that specifically stomps out
> misdirected URLs?  I don't know if Squid must accept literal characters
> when sniffing out URLs for ACLs, since the %01 and %00 are hex
> representations.  Anyone have an idea about this?  If so, it'd be a boon
> to add another ACL that stops this simple exploit at the proxy.
>
> According to the W3 consortium, the @ symbol is a reserved character, so
> it's probably not wise to block for it exclusively.
>
> Thanks!

It's not currently possible to block such requests in Squid because
the funny characters are a part of the "login" component of the
URL.  Squid doesn't have any ACLs that use or care about the login
data.  It should be pretty easy to come up with a patch that does.

DW
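
An added example, not part of the original thread and not Squid code: a stand-alone Python check that flags URLs whose "login" (userinfo) component carries percent-encoded control characters such as the `%01%00` described above. The function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Percent-encoded C0 control bytes (%00-%1F) or DEL (%7F).
_ENCODED_CTRL = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")

# Constructed sample URLs (documentation-only hosts and addresses).
SAMPLE_URLS = [
    "http://www.example.com/index.html",
    "http://www.example.com/page?contact=a@b",       # '@' outside the authority
    "http://user:pw@ftp.example.org/",                # ordinary login data
    "http://www.example.com%01%00@192.0.2.10/login",  # pattern from the thread
]


def split_userinfo(url):
    """Return (userinfo, hostport); userinfo is None when the URL has no login part."""
    netloc = urlsplit(url).netloc
    # The last '@' in the authority separates the login data from the real host.
    userinfo, sep, hostport = netloc.rpartition("@")
    return (userinfo if sep else None), hostport


def classify(url):
    """Return 'ok', 'userinfo' (login data present) or 'obfuscated'
    (login data contains raw or percent-encoded control characters)."""
    userinfo, _hostport = split_userinfo(url)
    if userinfo is None:
        return "ok"
    has_raw_ctrl = any(ord(c) < 0x20 or ord(c) == 0x7F for c in userinfo)
    if has_raw_ctrl or _ENCODED_CTRL.search(userinfo):
        return "obfuscated"
    return "userinfo"


def flag(urls):
    """Return (url, verdict, real_host) for every URL that carries login data."""
    hits = []
    for url in urls:
        verdict = classify(url)
        if verdict != "ok":
            hits.append((url, verdict, split_userinfo(url)[1]))
    return hits


if __name__ == "__main__":
    for url, verdict, host in flag(SAMPLE_URLS):
        print(f"{verdict:10s} real host = {host:18s} {url}")
```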
