mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
5800571ad7
import patches from ubuntu to fix CVE-2023-49286 CVE-2023-50269 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa Upstream commit https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264 & https://github.com/squid-cache/squid/commit/9f7136105bff920413042a8806cc5de3f6086d6d] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
63 lines
2.7 KiB
Diff
63 lines
2.7 KiB
Diff
From: Markus Koschany <apo@debian.org>
|
|
Date: Tue, 26 Dec 2023 19:58:12 +0100
|
|
Subject: CVE-2023-50269
|
|
|
|
Bug-Debian: https://bugs.debian.org/1058721
|
|
Origin: http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch
|
|
|
|
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-50269.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa
|
|
Upstream commit https://github.com/squid-cache/squid/commit/9f7136105bff920413042a8806cc5de3f6086d6d]
|
|
CVE: CVE-2023-50269
|
|
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
|
|
---
|
|
src/ClientRequestContext.h | 4 ++++
|
|
src/client_side_request.cc | 17 +++++++++++++++--
|
|
2 files changed, 19 insertions(+), 2 deletions(-)
|
|
|
|
--- a/src/ClientRequestContext.h
|
|
+++ b/src/ClientRequestContext.h
|
|
@@ -81,6 +81,10 @@
|
|
#endif
|
|
ErrorState *error; ///< saved error page for centralized/delayed processing
|
|
bool readNextRequest; ///< whether Squid should read after error handling
|
|
+
|
|
+#if FOLLOW_X_FORWARDED_FOR
|
|
+ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
|
|
+#endif
|
|
};
|
|
|
|
#endif /* SQUID_CLIENTREQUESTCONTEXT_H */
|
|
--- a/src/client_side_request.cc
|
|
+++ b/src/client_side_request.cc
|
|
@@ -78,6 +78,11 @@
|
|
static const char *const crlf = "\r\n";
|
|
|
|
#if FOLLOW_X_FORWARDED_FOR
|
|
+
|
|
+#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
|
|
+#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
|
|
+#endif
|
|
+
|
|
static void clientFollowXForwardedForCheck(allow_t answer, void *data);
|
|
#endif /* FOLLOW_X_FORWARDED_FOR */
|
|
|
|
@@ -485,8 +490,16 @@
|
|
/* override the default src_addr tested if we have to go deeper than one level into XFF */
|
|
Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
|
|
}
|
|
- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
|
|
- return;
|
|
+ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
|
|
+ calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
|
|
+ return;
|
|
+ }
|
|
+ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
|
|
+ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses");
|
|
+ debugs(28, DBG_CRITICAL, "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber);
|
|
+ debugs(28, DBG_CRITICAL, "last/accepted address: " << request->indirect_client_addr);
|
|
+ debugs(28, DBG_CRITICAL, "ignored trailing addresses: " << request->x_forwarded_for_iterator);
|
|
+ // fall through to resume clientAccessCheck() processing
|
|
}
|
|
}
|
|
|