Re: *** GMX Spamverdacht *** Re: #550 handling mismatches between socket connection and host header field

On 2014-01-17 11:14, Julian Reschke wrote:
> On 2014-01-16 23:00, Bjoern Hoehrmann wrote:
>> * Julian Reschke wrote:
>>> During IESG review, Ted Lemon came up with this interesting DISCUSS
>>> (<http://tools.ietf.org/wg/httpbis/trac/ticket/550>):
>> 
>>> I (telnet-)tested this with various servers, and they don't seem to
>>> bother checking the port number.
>>> 
>>> So we could clarify that this request is invalid, but I'm not sure we
>>> can add a normative requirement to fail the request.
>> 
>> It seems it would also be possible to say the actual port connected to
>> takes precedence (where applicable). Would that cause any problems?
> 
> "takes precedence" implies that the port portion of the host header
> field value always is ignored, right? Not sure whether we want to say
> that.
> 
> Best regards, Julian

This sort of falls into the previous discussion about CVE-2009-0801 
where the Host domain/raw-IP content does not resolve to the IP address 
of the underlying connection. We have identified quite a few badly 
behaving services with this in Squid.

It is only relevant to middleware relaying the request elsewhere. Origin 
servers have other means to determine whether the header is used or 
needs validating.

The current behaviour we use in Squid with a lot of success is to open 
the outgoing connection to the same IP:port the client TCP connection 
used and otherwise treat the request as if it arrived with absolute-URL 
containing the raw-IP:port. This has the side effect of causing the Host 
header to be converted to raw-IP:port details on outgoing but this has 
rarely led to trouble, and more often leads to upstream proxies 
contacting the "right" server despite being vulnerable themselves, so 
has been well worth it.

We have had to take unreasonable care NOT to validate received Host 
header on messages containing absolute-URL. An unfortunately large 
amount of regular proxy traffic contains mismatches. However, it is also 
worth noting that for several decades at least Squid has been 
unconditionally replacing the Host header with the absolute-URL 
host:port details with no known complaints.

Amos
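The forwarding rule Amos describes (forward to the IP:port the client actually connected to, rewrite a mismatching request as absolute-URL on the raw IP:port, and never validate Host when the request already carries an absolute-URL) can be modelled in a few dozen lines. The following is an added illustration written for this archive page; it is not Squid's code. The `FAKE_DNS` table, the `Request`/`Plan` types and the always-include-the-port formatting of the rewritten Host value are assumptions made for the example, and the code runs offline.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs without a network.
FAKE_DNS: Dict[str, Set[str]] = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
    "mail.example.net": {"198.51.100.5"},
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def resolve(name: str) -> Set[str]:
    """Look up a hostname; an IP literal resolves to itself."""
    try:
        return {str(ipaddress.ip_address(name))}
    except ValueError:
        return FAKE_DNS.get(name.lower(), set())


def split_hostport(value: str, default_port: int) -> Tuple[str, int]:
    """Parse 'host', 'host:port' or '[v6]:port' from a Host header value."""
    value = value.strip()
    if value.startswith("["):                       # bracketed IPv6 literal
        host, _, rest = value[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else default_port
        return host, port
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host, int(port)
    return value, default_port


def format_hostport(host: str, port: int) -> str:
    """Render host:port, bracketing IPv6 literals (port always included here)."""
    return f"[{host}]:{port}" if ":" in host else f"{host}:{port}"


@dataclass(frozen=True)
class Request:
    method: str
    target: str            # origin-form ("/path") or absolute-URL
    host: Optional[str]    # Host header value, or None if absent


@dataclass(frozen=True)
class Plan:
    next_hop: Tuple[str, int]   # where the proxy opens its outgoing connection
    request: Request            # the request as it will be sent upstream
    mismatch: bool              # True when Host disagreed with the connection


def plan_forward(req: Request, conn_dst: Tuple[str, int]) -> Plan:
    """Decide the next hop and the outgoing request for one received request.

    conn_dst is the IP:port the client's TCP connection was actually aimed at
    (known to an intercepting proxy from the socket, not from the request).
    """
    if "://" in req.target:
        # absolute-URL: Host is deliberately NOT validated against anything;
        # it is replaced with the URL's own host:port, as the post describes.
        url = urlsplit(req.target)
        port = url.port or DEFAULT_PORTS.get(url.scheme, 80)
        host_hdr = format_hostport(url.hostname, port)
        return Plan((url.hostname, port), replace(req, host=host_hdr), False)

    ip, port = conn_dst
    if req.host:
        h_name, h_port = split_hostport(req.host, port)
        if h_port == port and ip in resolve(h_name):
            # Host agrees with the real destination: forward unchanged.
            return Plan(conn_dst, req, False)

    # Mismatch (or no Host at all): still go to the real destination, but send
    # the request as absolute-URL on the raw IP:port and set Host to match, so
    # an upstream proxy that trusts Host cannot be steered elsewhere.
    raw = format_hostport(ip, port)
    rewritten = replace(req, target=f"http://{raw}{req.target}", host=raw)
    return Plan(conn_dst, rewritten, True)


if __name__ == "__main__":
    p = plan_forward(Request("GET", "/index.html", "www.example.com"),
                     ("203.0.113.7", 80))
    print(p.mismatch, p.next_hop, p.request.target, p.request.host)
```

The `mismatch` flag is what a deployment would log and count: the post notes that such mismatches are common in ordinary proxy traffic, so the useful operational signal is the rate per client or per destination rather than any single event.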

Received on Thursday, 16 January 2014 23:06:35 UTC