File CVE-2025-62168.patch of Package squid.41487
Backport from the v7.2 upstream patch for SLE15-SP4 (resolve bsc#1252281).
From 0951a0681011dfca3d78c84fd7f1e19c78a4443f Mon Sep 17 00:00:00 2001
From: Amos Jeffries <yadij@users.noreply.github.com>
Date: Sat, 11 Oct 2025 16:33:02 +1300
Subject: [PATCH] Bug 3390: Proxy auth data visible to scripts (#2249)
Original changes to redact credentials from error page %R code
expansion output was incomplete. It missed the parse failure
case where ErrorState::request_hdrs raw buffer contained
sensitive information.
Also missed was the %W case where full request message headers
were generated in a mailto link. This case is especially
problematic as it may be delivered over insecure SMTP even if
the error was secured with HTTPS.
After this change:
* The HttpRequest message packing code for error pages is de-duplicated
and elides authentication headers for both %R and %W code outputs.
* The %R code output includes the CRLF request message terminator.
* The email_err_data directive causing advanced details to be added to
%W mailto links is disabled by default.
Also redact credentials from generated TRACE responses.
---------
Co-authored-by: Alex Rousskov <rousskov@measurement-factory.com>
---
doc/release-notes/release-7.sgml.in | 3 +++
src/HttpRequest.cc | 6 +++---
src/HttpRequest.h | 2 +-
src/cf.data.pre | 8 +++++++-
src/client_side_reply.cc | 14 +++++++-------
src/errorpage.cc | 17 ++++-------------
src/errorpage.h | 1 -
src/tests/stub_HttpRequest.cc | 2 +-
8 files changed, 26 insertions(+), 27 deletions(-)
Index: squid-4.17/src/HttpRequest.cc
===================================================================
--- squid-4.17.orig/src/HttpRequest.cc
+++ squid-4.17/src/HttpRequest.cc
@@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e)
/* packs request-line and headers, appends <crlf> terminator */
void
-HttpRequest::pack(Packable * p) const
+HttpRequest::pack(Packable * const p, const bool maskSensitiveInfo) const
{
assert(p);
/* pack request-line */
@@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const
SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()),
http_ver.major, http_ver.minor);
/* headers */
- header.packInto(p);
- /* trailer */
+ header.packInto(p, maskSensitiveInfo);
+ /* indicate the end of the header section */
p->append("\r\n", 2);
}
Index: squid-4.17/src/HttpRequest.h
===================================================================
--- squid-4.17.orig/src/HttpRequest.h
+++ squid-4.17/src/HttpRequest.h
@@ -201,7 +201,7 @@ public:
void swapOut(StoreEntry * e);
- void pack(Packable * p) const;
+ void pack(Packable * p, bool maskSensitiveInfo = false) const;
static void httpRequestPack(void *obj, Packable *p);
Index: squid-4.17/src/cf.data.pre
===================================================================
--- squid-4.17.orig/src/cf.data.pre
+++ squid-4.17/src/cf.data.pre
@@ -8319,12 +8319,18 @@ NAME: email_err_data
COMMENT: on|off
TYPE: onoff
LOC: Config.onoff.emailErrData
-DEFAULT: on
+DEFAULT: off
DOC_START
If enabled, information about the occurred error will be
included in the mailto links of the ERR pages (if %W is set)
so that the email body contains the data.
Syntax is <A HREF="mailto:%w%W">%w</A>
+
+ SECURITY WARNING:
+ Request headers and other included facts may contain
+ sensitive information about transaction history, the
+ Squid instance, and its environment which would be
+ unavailable to error recipients otherwise.
DOC_END
NAME: deny_info
Index: squid-4.17/src/client_side_reply.cc
===================================================================
--- squid-4.17.orig/src/client_side_reply.cc
+++ squid-4.17/src/client_side_reply.cc
@@ -103,7 +103,7 @@ clientReplyContext::clientReplyContext(C
void
clientReplyContext::setReplyToError(
err_type err, Http::StatusCode status, const HttpRequestMethod& method, char const *uri,
- Ip::Address &addr, HttpRequest * failedrequest, const char *unparsedrequest,
+ Ip::Address &addr, HttpRequest * failedrequest, const char *,
#if USE_AUTH
Auth::UserRequest::Pointer auth_user_request
#else
@@ -113,9 +113,6 @@ clientReplyContext::setReplyToError(
{
ErrorState *errstate = clientBuildError(err, status, uri, addr, failedrequest);
- if (unparsedrequest)
- errstate->request_hdrs = xstrdup(unparsedrequest);
-
#if USE_AUTH
errstate->auth_user_request = auth_user_request;
#endif
@@ -1123,11 +1120,14 @@ clientReplyContext::traceReply(clientStr
localTempBuffer, SendMoreData, this);
http->storeEntry()->releaseRequest();
http->storeEntry()->buffer();
+ MemBuf *content = new MemBuf;
+ content->init();
+ http->request->pack(content, true /* hide authorization data */);
HttpReply *rep = new HttpReply;
- rep->setHeaders(Http::scOkay, NULL, "text/plain", http->request->prefixLen(), 0, squid_curtime);
+ rep->setHeaders(Http::scOkay, NULL, "message/http", content->contentSize(), 0, squid_curtime);
+ rep->body.setMb(content);
http->storeEntry()->replaceHttpReply(rep);
- http->request->swapOut(http->storeEntry());
- http->storeEntry()->complete();
+ http->storeEntry()->complete(); // completeSuccessfully("traceReply() stored the entire response");
}
#define SENDING_BODY 0
Index: squid-4.17/src/errorpage.cc
===================================================================
--- squid-4.17.orig/src/errorpage.cc
+++ squid-4.17/src/errorpage.cc
@@ -575,7 +575,6 @@ ErrorState::ErrorState(err_type t, Http:
redirect_url(NULL),
callback(NULL),
callback_data(NULL),
- request_hdrs(NULL),
err_msg(NULL),
#if USE_OPENSSL
detail(NULL),
@@ -678,7 +677,6 @@ ErrorState::~ErrorState()
HTTPMSGUNLOCK(request);
safe_free(redirect_url);
safe_free(url);
- safe_free(request_hdrs);
wordlistDestroy(&ftp.server_msg);
safe_free(ftp.request);
safe_free(ftp.reply);
@@ -742,7 +740,7 @@ ErrorState::Dump(MemBuf * mb)
SQUIDSBUFPRINT(request->url.path()),
AnyP::ProtocolType_str[request->http_ver.protocol],
request->http_ver.major, request->http_ver.minor);
- request->header.packInto(&str);
+ request->header.packInto(&str, true /* hide authorization data */);
}
str.append("\r\n", 2);
@@ -960,16 +958,8 @@ ErrorState::Convert(char token, bool bui
} else
p = "[no request]";
break;
- }
- if (request != NULL) {
- mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n",
- SQUIDSBUFPRINT(request->method.image()),
- SQUIDSBUFPRINT(request->url.path()),
- AnyP::ProtocolType_str[request->http_ver.protocol],
- request->http_ver.major, request->http_ver.minor);
- request->header.packInto(&mb, true); //hide authorization data
- } else if (request_hdrs) {
- p = request_hdrs;
+ } else if (request) {
+ request->pack(&mb, true /* hide authorization data */);
} else {
p = "[no request]";
}
Index: squid-4.17/src/errorpage.h
===================================================================
--- squid-4.17.orig/src/errorpage.h
+++ squid-4.17/src/errorpage.h
@@ -164,7 +164,6 @@ public:
MemBuf *listing;
} ftp;
- char *request_hdrs;
char *err_msg; /* Preformatted error message from the cache */
#if USE_OPENSSL
Index: squid-4.17/src/tests/stub_HttpRequest.cc
===================================================================
--- squid-4.17.orig/src/tests/stub_HttpRequest.cc
+++ squid-4.17/src/tests/stub_HttpRequest.cc
@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const Ht
bool HttpRequest::bodyNibbled() const STUB_RETVAL(false)
int HttpRequest::prefixLen() const STUB_RETVAL(0)
void HttpRequest::swapOut(StoreEntry *) STUB
-void HttpRequest::pack(Packable *) const STUB
+void HttpRequest::pack(Packable *, bool) const STUB
void HttpRequest::httpRequestPack(void *, Packable *) STUB
HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
