Add an enable-proxy-authentication-forwarding directive
authorFabian Keil <fk@fabiankeil.de>
Thu, 7 Mar 2013 14:08:50 +0000 (14:08 +0000)
committerFabian Keil <fk@fabiankeil.de>
Thu, 7 Mar 2013 14:08:50 +0000 (14:08 +0000)
It allows keeping Proxy-Authorization headers in requests
and Proxy-Authenticate headers in responses.

This was previously done by default, but forwarding such
headers potentially allows malicious sites to trick the
user into providing them with login information.

Reported by Chris John Riley.

loadcfg.c
parsers.c
project.h

index 24ae8c0..5a048cd 100644 (file)
--- a/loadcfg.c
+++ b/loadcfg.c
@@ -1,4 +1,4 @@
-const char loadcfg_rcs[] = "$Id: loadcfg.c,v 1.135 2012/12/07 12:45:20 fabiankeil Exp $";
+const char loadcfg_rcs[] = "$Id: loadcfg.c,v 1.136 2013/03/01 17:39:05 fabiankeil Exp $";
 /*********************************************************************
  *
  * File        :  $Source: /cvsroot/ijbswa/current/loadcfg.c,v $
@@ -132,6 +132,7 @@ static struct file_list *current_configfile = NULL;
 #define hash_deny_access                 1227333715U /* "deny-access" */
 #define hash_enable_edit_actions         2517097536U /* "enable-edit-actions" */
 #define hash_enable_compression          3943696946U /* "enable-compression" */
+#define hash_enable_proxy_authentication_forwarding 4040610791U /* enable-proxy-authentication-forwarding */
 #define hash_enable_remote_toggle        2979744683U /* "enable-remote-toggle" */
 #define hash_enable_remote_http_toggle    110543988U /* "enable-remote-http-toggle" */
 #define hash_enforce_blocks              1862427469U /* "enforce-blocks" */
@@ -484,6 +485,7 @@ struct configuration_spec * load_config(void)
    config->feature_flags            &= ~RUNTIME_FEATURE_SPLIT_LARGE_FORMS;
    config->feature_flags            &= ~RUNTIME_FEATURE_ACCEPT_INTERCEPTED_REQUESTS;
    config->feature_flags            &= ~RUNTIME_FEATURE_EMPTY_DOC_RETURNS_OK;
+   config->feature_flags            &= ~RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS;
 #ifdef FEATURE_COMPRESSION
    config->feature_flags            &= ~RUNTIME_FEATURE_COMPRESSION;
    /*
@@ -821,6 +823,19 @@ struct configuration_spec * load_config(void)
             break;
 #endif /* def FEATURE_COMPRESSION */
 
+/* *************************************************************************
+ * enable-proxy-authentication-forwarding 0|1
+ * *************************************************************************/
+         case hash_enable_proxy_authentication_forwarding:
+            if (parse_toggle_state(cmd, arg) == 1)
+            {
+               config->feature_flags |= RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS;
+            }
+            else
+            {
+               config->feature_flags &= ~RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS;
+            }
+            break;
 
 /* *************************************************************************
  * enable-remote-toggle 0|1
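Review bot: The new `case hash_enable_proxy_authentication_forwarding:` block in the third hunk introduces a directive that this commit documents nowhere: only loadcfg.c, parsers.c and project.h change, so neither the config template nor the user manual tells an administrator that the default is now off or what turning it on re-exposes. A follow-up should add a config entry saying that the directive is only needed when a parent proxy requires authentication and that, as far as the parsers.c handler shows, enabling it lets Proxy-Authorization through to every destination rather than just that parent. Minor: the comment on the new `#define hash_enable_proxy_authentication_forwarding` line in the second hunk omits the quotes every neighbouring hash comment uses, `/* "enable-proxy-authentication-forwarding" */`. load_config continues outside the hunk.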
index 6cba35e..188fa17 100644 (file)
--- a/parsers.c
+++ b/parsers.c
@@ -1,4 +1,4 @@
-const char parsers_rcs[] = "$Id: parsers.c,v 1.273 2013/01/04 12:19:47 fabiankeil Exp $";
+const char parsers_rcs[] = "$Id: parsers.c,v 1.274 2013/01/04 12:20:31 fabiankeil Exp $";
 /*********************************************************************
  *
  * File        :  $Source: /cvsroot/ijbswa/current/parsers.c,v $
@@ -148,6 +148,7 @@ static jb_err server_connection_adder(struct client_state *csp);
 #ifdef FEATURE_CONNECTION_KEEP_ALIVE
 static jb_err server_proxy_connection_adder(struct client_state *csp);
 #endif /* def FEATURE_CONNECTION_KEEP_ALIVE */
+static jb_err proxy_authentication(struct client_state *csp, char **header);
 
 static jb_err create_forged_referrer(char **header, const char *hostport);
 static jb_err create_fake_referrer(char **header, const char *fake_referrer);
@@ -198,6 +199,7 @@ static const struct parsers client_patterns[] = {
    { "Request-Range:",           14,   client_range },
    { "If-Range:",                 9,   client_range },
    { "X-Filter:",                 9,   client_x_filter },
+   { "Proxy-Authorization:",     20,   proxy_authentication },
 #if 0
    { "Transfer-Encoding:",       18,   client_transfer_encoding },
 #endif
@@ -223,6 +225,7 @@ static const struct parsers server_patterns[] = {
    { "Transfer-Encoding:",       18, server_transfer_coding },
    { "content-disposition:",     20, server_content_disposition },
    { "Last-Modified:",           14, server_last_modified },
+   { "Proxy-Authenticate:",      19, proxy_authentication },
    { "*",                         0, crunch_server_header },
    { "*",                         0, filter_header },
    { NULL,                        0, NULL }
@@ -1733,6 +1736,36 @@ static jb_err server_proxy_connection(struct client_state *csp, char **header)
 }
 
 
+/*********************************************************************
+ *
+ * Function    :  proxy_authentication
+ *
+ * Description :  Removes headers that are relevant for proxy
+ *                authentication unless forwarding them has
+ *                been explicitly requested.
+ *
+ * Parameters  :
+ *          1  :  csp = Current client state (buffers, headers, etc...)
+ *          2  :  header = On input, pointer to header to modify.
+ *                On output, pointer to the modified header, or NULL
+ *                to remove the header.  This function frees the
+ *                original string if necessary.
+ *
+ * Returns     :  JB_ERR_OK.
+ *
+ *********************************************************************/
+static jb_err proxy_authentication(struct client_state *csp, char **header)
+{
+   if ((csp->config->feature_flags &
+      RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS) == 0) {
+      log_error(LOG_LEVEL_HEADER,
+         "Forwarding proxy authentication headers is disabled. Crunching: %s", *header);
+      freez(*header);
+   }
+   return JB_ERR_OK;
+}
+
+
 /*********************************************************************
  *
  * Function    :  client_keep_alive
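Review bot: The `log_error` call in the new `proxy_authentication` (last hunk) logs the whole header, so the Base64 credentials of a Basic Proxy-Authorization line land in the log file whenever LOG_LEVEL_HEADER is active. If the header level already logs every request header verbatim elsewhere in this file that is no new exposure, but for a handler whose purpose is to keep credentials from leaking it is better to log only the header name, e.g. `"Forwarding proxy authentication headers is disabled. Crunching: %N", (int)strcspn(*header, ":"), *header` (using log_error's length-bounded `%N` directive, assuming this tree has it). The check is also all-or-nothing: once the flag is set, the request header passes to every destination although the commit description says it is only useful for authenticating to a parent proxy, so if csp exposes the forwarding decision for the current request the handler could still crunch the header for requests that go directly to the origin server. Style: the `if (...) {` at the top of the function puts the brace on the condition line, unlike the brace-on-its-own-line layout used for the function body here and in the loadcfg.c hunk of this commit.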
index b880241..01f166e 100644 (file)
--- a/project.h
+++ b/project.h
@@ -1,7 +1,7 @@
 #ifndef PROJECT_H_INCLUDED
 #define PROJECT_H_INCLUDED
 /** Version string. */
-#define PROJECT_H_VERSION "$Id: project.h,v 1.194 2012/12/07 12:43:55 fabiankeil Exp $"
+#define PROJECT_H_VERSION "$Id: project.h,v 1.195 2012/12/07 12:45:20 fabiankeil Exp $"
 /*********************************************************************
  *
  * File        :  $Source: /cvsroot/ijbswa/current/project.h,v $
@@ -1220,6 +1220,9 @@ struct access_control_list
 /** configuration_spec::feature_flags: Pipelined requests are served instead of being discarded. */
 #define RUNTIME_FEATURE_TOLERATE_PIPELINING       2048U
 
+/** configuration_spec::feature_flags: Proxy authentication headers are forwarded instead of removed. */
+#define RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS      4096U
+
 /**
  * Data loaded from the configuration file.
  *