[Fwd: Bug in Squid+SSL, POST data sent encrypted with MSIE 6.0]

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 06 Nov 2001 00:48:32 +0100

-------- Original Message --------
Subject: Bug in Squid+SSL, POST data sent encrypted with MSIE 6.0
Date: 05 Nov 2001 18:24:20 -0500
From: Terence Haddock <haddock@forthillcompany.com>
To: hno@squid-cache.org

Dear Henrik Nordström,

I have Squid-2.4.STABLE1 manually patched to include SSL gateway support
from your Squid SSL project (using patch from 2001-05-04). I had a
problem with POST requests over HTTPS, and was able to reproduce it with
MSIE 6.0 running under Windows NT. From a packet dump, it appeared the
POST data was being sent to the server encrypted, causing all sorts of
havoc.

After tracing POST requests, I discovered a line in pump.c that may be
the cause, starting at line 228:

----
    int len = 0;
    errno = 0;
    statCounter.syscalls.sock.reads++;
    len = read(fd, buf, bytes_to_read);
    fd_bytes(fd, len, FD_READ);
    debug(61, 5) ("pumpReadFromClient: FD %d: len %d.\n", fd, len);
----

Note the plain read() in this code. This means, if all of the data is
not ready in the first read() request, this later read() in pump.c will
read encrypted data and pass that onto the server.

I changed this to:

----
    int len = 0;
    errno = 0;
    statCounter.syscalls.sock.reads++;
    len = fd_table[fd].read_method(fd, buf, bytes_to_read);
    fd_bytes(fd, len, FD_READ);
    debug(61, 5) ("pumpReadFromClient: FD %d: len %d.\n", fd, len);
----

And the problem went away. For my application, this is sufficient, but I
do not know if this is a 100% fix, i.e. is pump.c used for other
protocols, other methods, where fd_table[fd].read_method may not be
initialized.

I cannot find any changes in pump.c since the latest patches, but there
is a mention on the News for October 19th: "The SSL tweaking options and
POST bug fix has been committed to HEAD/2.5", but I am not familiar with
Squid 2.5 to tell if this bug is really fixed. Sorry if this is known
and fixed.

Sincerely,
Terence Haddock
Fort Hill Company
Received on Mon Nov 05 2001 - 16:47:09 MST
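
The read path discussed in the message above, as an added example that is not part of the original message and is not Squid's code: it shows a raw read() on a protected descriptor returning ciphertext, the per-descriptor read_method dispatch returning plaintext, and a fallback for descriptors whose read_method was never set (the open question in the message). Assumptions: the table layout, the READ_HANDLER signature, the helper names, a pipe standing in for the client socket, and an XOR transform standing in for SSL are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_FD 64
#define TOY_KEY 0x5A /* constructed stand-in for SSL record protection, not real crypto */

typedef ssize_t READ_HANDLER(int fd, char *buf, size_t len);
/* Hypothetical table modelled on the fd_table[fd].read_method named in the message. */
static struct { READ_HANDLER *read_method; } fd_table[MAX_FD];

/* Plain transport: hand back whatever bytes are on the wire. */
static ssize_t default_read_method(int fd, char *buf, size_t len) {
    return read(fd, buf, len);
}
/* "SSL" transport: read wire bytes, then undo the toy transform. */
static ssize_t toy_ssl_read_method(int fd, char *buf, size_t len) {
    ssize_t n = read(fd, buf, len);
    for (ssize_t i = 0; i < n; i++) buf[i] ^= TOY_KEY;
    return n;
}
/* Single read entry point; an unset read_method falls back to the plain read. */
static ssize_t fd_read(int fd, char *buf, size_t len) {
    if (fd < 0 || fd >= MAX_FD) return -1;
    READ_HANDLER *m = fd_table[fd].read_method;
    return (m ? m : default_read_method)(fd, buf, len);
}
/* Sends body through a pipe (toy-encrypted if is_ssl) and reads it back with
 * raw read() or fd_read(). Returns 1 for plaintext, 0 for ciphertext, -1 on error. */
int reader_sees_plaintext(const char *body, int use_dispatch, int is_ssl) {
    int p[2];
    char wire[256], got[256];
    size_t n = strlen(body);
    if (n == 0 || n > sizeof wire || pipe(p) != 0) return -1;
    if (p[0] >= MAX_FD) { close(p[0]); close(p[1]); return -1; }
    for (size_t i = 0; i < n; i++) wire[i] = is_ssl ? (char)(body[i] ^ TOY_KEY) : body[i];
    fd_table[p[0]].read_method = is_ssl ? toy_ssl_read_method : NULL;
    ssize_t w = write(p[1], wire, n);
    ssize_t r = use_dispatch ? fd_read(p[0], got, sizeof got) : read(p[0], got, sizeof got);
    fd_table[p[0]].read_method = NULL;
    close(p[0]); close(p[1]);
    if (w != (ssize_t)n || r != (ssize_t)n) return -1;
    return memcmp(got, body, n) == 0;
}
int main(void) {
    const char *post = "user=alice&item=42"; /* constructed sample POST body */
    printf("raw read() on SSL fd  -> plaintext? %d\n", reader_sees_plaintext(post, 0, 1));
    printf("fd_read() on SSL fd   -> plaintext? %d\n", reader_sees_plaintext(post, 1, 1));
    printf("fd_read() on plain fd -> plaintext? %d\n", reader_sees_plaintext(post, 1, 0));
    return 0;
}
```
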