Squid-Security-Audit

Assertion in Gopher Response Handling

Gopher, other than being a glorified _rat_, is an antiquated protocol described in RFC 1436.

Squid is able to act as a proxy server between HTTP and the Gopher protocol, and can query and retrieve contents from Gopher servers, before sending it to the client in a standard HTML document.

The Issue

When Squid receives a request to a gopher server, it attempts to connect to the server and parse the response. The response is then placed into a standard HTML response for the user’s browsing. This conversion happens in the function gopherToHTML.

This function does many things, but most of the important code for this bug is as follows:

static void
gopherToHTML(GopherStateData * gopherState, char *inbuf, int len) {
[...]
    LOCAL_ARRAY(char, tmpbuf, 4096);
    String outbuf;
[...]
    while (pos < inbuf + len) {
[...]
                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
                                     icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
[...]
                    outbuf.append(tmpbuf);
[...]
    }
}

Here, we can see that the function loops around the response it receives from the server, 4096-bytes at a time. Each loop, it attempts some HTML to the String type, outbuf. The issue here is that there is no check whether that String type is nearly “full” (i.e. near its 65535-byte limit). As such, any response which is large enough can cause an assertion due to the String type being too large. For a minimum (I believe) 6-byte response that Gopher receives, a 107-byte line of HTML is generated: 0\t0\t0\n generates 107-bytes (newlines included):

<IMG border="0" SRC="/squid-internal-static/icons/silk/page_white_text.png"> <A HREF="gopher://0
/00"></A>

Adding this onto the header and footer of approximately 405-bytes which is generated by default, we can calculate that it only takes an approximate 3653-byte Gopher response to cause this assertion; or around 620 lines of that 6-byte response. Therefore, a Proof of concept gopher response is given (Note: the request must be made to a gopher ‘directory’, which simply means the page you are requesting ends in a /, like GET gopher://localhost/ HTTP/1.1\r\n\r\n):