Open oceanwalker opened 2 years ago
Yes that change was in relation to that CVE, the new default should address it AFAIK
First, I try to reproduce the attack, add some blank and illegal characters to the URL, then through forward proxy transmit the request, but ATS didn't reject this request.
Second, I just use forward proxy ability, and didn't use reverse proxy, so I wonder if this is impacted by this CVE?
this file is my records.config records.config.txt
@oceanwalker Can you please send an email to security@trafficserver.apache.org on how you are trying to reproduce this issue?
Based on the version 8.1.4 and used Xshell as SSH client, after adding invalid and blank characters shown in the above screenshot, the request is still forwarded, which is contrary to our expectation.
@bryancall Considering it is so important to me and a lot of work would based on your answer, could you please share with me about the latest progress as early as you could. Thank you so much!
This issue has been automatically marked as stale because it has not had recent activity. Marking it stale to flag it for further consideration by the community.
Recently found CVE-2021-44040 vulnerabilities, I wonder if forward proxy check url and involved this vulnerabilities.
I review the commits between 8.1.3 and 8.1.4, I found only this config related to vulnerabilities, so please help me, thks! .. ts:cv:: CONFIG proxy.config.http.strict_uri_parsing INT 0 .. ts:cv:: CONFIG proxy.config.http.strict_uri_parsing INT 2