Bug 168376 - squid "pipeline_prefetch on" instability
squid "pipeline_prefetch on" instability
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: squid (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Martin Stransky
impact=moderate,reported=20050915,pub...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-09-15 10:56 EDT by Josh Bressers
Modified: 2007-11-30 17:07 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-11-15 04:08:23 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2005-09-15 10:56:14 EDT
This issue comes from upstream:

http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-pipeline-CONNECT

It seems that it is possible for the server to enter an unknown state when
"pipeline_prefetch on" is set in the configuration file.  We do not turn this on
by default.  I'm not completely sure what the result of this issue is.
Comment 1 Josh Bressers 2005-09-15 10:57:14 EDT
This issue may also affect RHEL2.1 and RHEL3
Comment 2 Josh Bressers 2005-09-15 16:08:00 EDT
Martin,

Can you take a look at this issue?  I'm not sure if it really is a security
issue or not.  MITRE is holding off on a CVE name until more is known about it.
Comment 3 Martin Stransky 2005-09-16 11:00:10 EDT
I spent this day with it but I'm not completely sure what's wrong, I'm going to
work on it.
Comment 4 Josh Bressers 2005-09-26 09:04:12 EDT
Any new news on this?
Comment 5 Martin Stransky 2005-09-26 09:33:24 EDT
I'm going to sort it out today or tomorrow. But it doesn't look like
high-priority-mustfix-now bug.
Comment 6 Josh Bressers 2005-11-02 15:31:09 EST
Ping on this issue.

Do we know if it's a security issue yet?
Comment 7 Martin Stransky 2005-11-03 03:00:52 EST
I sent you it via mail, it may have lost...

-------- Original Message --------
Subject: Bugzilla Bug 168376 – squid "pipeline_prefetch on" instability
Date: Tue, 27 Sep 2005 12:15:24 +0200
From: Martin Stransky <stransky@redhat.com>
To: bressers@redhat.com

Hello Josh,

I went through squid sources, I made some tests and I think it 
isn't a security issue. If squid isn't patched, you can connect to squid 
by telnet and try to bother it. The problem is when you use a proxy 
command like this:

GET http://people.redhat.com/stransky/squid/squid-2.5.STABLE10-2.src.rpm 
HTTP/1.1
Host: people.redhat.com
Keep-Alive: 3000
Proxy-Connection: keep-alive

CONNECT c154wm.psisco.com:443 HTTP/1.1
Host: c154wm.psisco.com
Proxy-Connection: keep-alive

The first one will start downloading file through http connection. But 
if you have configured squid to prefetch next command (and connection is 
keep-alive), squid will process next command "CONNECT". And there is the 
problem - squid routes all data to SSL conection. (SSL conections go 
always through proxy w/o any change). And data from GET request are 
still alive and they are mixed with SSL channel. So client gets data 
from SSL and GET method by single channel.

If the GET method is finished (all data have been send to client), squid 
will get next command from client. But it uses the same channel like 
SSL, so squid gets data from SSL as a next HTTP request and result is 
like this line from log:

2005/09/27 10:33:33| parseHttpRequest: Unsupported method 'xxxxxx'

But user who wants to confuse squid with bad requests don't have to do 
that. He can simply send a malformed request to squid directly, there 
isn't any diference between keep-alive requests and new opened requests. 
So it's the reason why I think it isn't a security issue.

I have to simulate this situation by telnet because web-clients don't 
use pipelined CONNECT (they always open a new socket for it), so I think 
it can't appear in regular traffic.

Regards,

Martin
Comment 8 Martin Stransky 2005-11-03 03:01:49 EST
btw. patches are in CVS...
Comment 9 Josh Bressers 2005-11-09 14:52:37 EST
I'm going to downgrade this issue to a non security bug.  This is not a security
issue.
Comment 10 Martin Stransky 2005-11-15 04:08:23 EST
I'm not going to fix it in current RHEL3/4. The fix isn't necessary becase we
have the "pipelined" options disabled and browsers don't concatenate the CONNECT
method with other ones. (You have to use some tool like netcat or telnet)

Consig as NEXTRELEASE. (It's fixed in current FC3/4 and devel).

Note You need to log in before you can comment on or make changes to this bug.