ezelkow1
commented
2 years ago Yes that change was in relation to that CVE, the new default should address it AFAIK
Open oceanwalker opened 2 years ago
ezelkow1
commented
2 years ago Yes that change was in relation to that CVE, the new default should address it AFAIK
oceanwalker
commented
2 years ago First, I try to reproduce the attack, add some blank and illegal characters to the URL, then through forward proxy transmit the request, but ATS didn't reject this request.
Second, I just use forward proxy ability, and didn't use reverse proxy, so I wonder if this is impacted by this CVE?
this file is my records.config records.config.txt
bryancall
commented
2 years ago @oceanwalker Can you please send an email to security@trafficserver.apache.org on how you are trying to reproduce this issue?
oceanwalker
commented
2 years ago 
Based on the version 8.1.4 and used Xshell as SSH client, after adding invalid and blank characters shown in the above screenshot, the request is still forwarded, which is contrary to our expectation.
oceanwalker
commented
2 years ago @bryancall Considering it is so important to me and a lot of work would based on your answer, could you please share with me about the latest progress as early as you could. Thank you so much!
github-actions[bot]
commented
1 year ago This issue has been automatically marked as stale because it has not had recent activity. Marking it stale to flag it for further consideration by the community.
Recently found CVE-2021-44040 vulnerabilities, I wonder if forward proxy check url and involved this vulnerabilities.
I review the commits between 8.1.3 and 8.1.4, I found only this config related to vulnerabilities, so please help me, thks! .. ts:cv:: CONFIG proxy.config.http.strict_uri_parsing INT 0 .. ts:cv:: CONFIG proxy.config.http.strict_uri_parsing INT 2