Bracket IPv6 addresses in more cases#2363
Bracket IPv6 addresses in more cases#2363fatelei wants to merge 2 commits intosquid-cache:masterfrom
Conversation
squid-anubis
added
the
M-failed-description
|
Cannot create a git commit message from PR title and description. Error while parsing PR description body: Problematic parser input: Please see PR title and description formatting requirements for more details. This message was added by Anubis bot. Anubis will add a new message if the error text changes. Anubis will remove M-failed-description label when there are no corresponding failures to report. |
fatelei
changed the title
squid-anubis
added
M-failed-other
There was a problem hiding this comment.
I agree that Squid code should be modified. Please do not interpret my review as implying that there are no relevant Squid bugs here! Once my specific change request is addressed, if there are no new surprises, I plan to fix this PR title/description and approve this PR.
In my tests, the second presented python script produces an invalid CONNECT request:
2026/01/30 09:43:44.356| 11,2| client_side.cc(1237) parseHttpRequest: HTTP Client REQUEST:
---------
CONNECT 2600:3c03::f03c:94ff:fef6:a3ae:443 HTTP/1.1
Host: 2600:3c03::f03c:94ff:fef6:a3ae:443
Accept: */*
The above request has invalid target (missing brackets). That is, IMHO, an httpx bug. The Host header is similarly malformed. There is no need to discuss that httpx bug in this pull request -- we should be focusing on Squid bugs here.
Also note that its malformed IP-based Host header does not match the test-ipv6.com Host header in the Python script, but that mismatch is not necessarily an httpx bug -- headers parameter in client.get() call could refer to GET headers rather than CONNECT headers. I am only noting this here because it may help interpret the test correctly. There is no need to discuss this aspect in this pull request.
In my tests, Squid v7+ correctly rejects that malformed CONNECT:
2026/01/30 09:43:44.357| 23,2| Uri.cc(550) parse: error: garbage after host:port in CONNECT target
exception location: Uri.cc(341) parse rawUrl[34]=2600:3c03::f03c:94ff:fef6:a3ae:443
err=ERR_INVALID_URL/- ... 1769784224.000370 12 127.0.0.1:37452 NONE_NONE/400 3629 - 2600:3c03::f03c:94ff:fef6:a3ae:443 - HIER_NONE/- text/html
I can reproduce the 0.0.10.40:3 problem with Squid v6, which is no longer supported by the Squid Project.
rousskov
added
the
S-waiting-for-author
rousskov
added
S-waiting-for-reviewer
rousskov
changed the title
squid-anubis
removed
the
M-failed-description
rousskov
left a comment
rousskov
left a comment
There was a problem hiding this comment.
I have adjusted PR title/description. If you can detail what specific use cases this PR fixes (from Squid master/v8 point of view!), please adjust PR description further to describe those use cases.
| if (pinning.serverConnection != nullptr) { | ||
| static char ip[MAX_IPSTRLEN]; | ||
| connectHost = pinning.serverConnection->remote.toStr(ip, sizeof(ip)); | ||
| connectHost = pinning.serverConnection->remote.toHostStr(ip, sizeof(ip)); |
There was a problem hiding this comment.
src/client_side.cc:3097:65: error: invalid conversion from ‘unsigned int’ to ‘const char*’
This change (and a similar change further below) does not compile because toHostStr() does not return an SBuf while connectHost is an SBuf. For a solution example, see AnyP::Uri::hostOrIp() that implements a similar to-SBuf conversion of a toHostStr() result.
And please test PR code.
| static char ip[MAX_IPSTRLEN]; | ||
| assert(clientConnection->flags & (COMM_TRANSPARENT | COMM_INTERCEPTION)); | ||
| request->url.host(clientConnection->local.toStr(ip, sizeof(ip))); | ||
| request->url.host(clientConnection->local.toHostStr(ip, sizeof(ip))); |
There was a problem hiding this comment.
This change does not compile. Please see the other change request for more related details, but the solution here is going to be a bit different. Most likely, you would be able to call host(ip) after filling ip using toHostStr().
|
Here is a copy of the original (v6-based?) PR description by @fatelei, detailing the problem and the tests: my squid config test script in python it work in http, but in https it fail there is relate log here it connect 0.0.10.40:3, this is not right relate issue: langgenius/dify#31637 |
rousskov
added
S-waiting-for-author
3 participants
IPv6 addresses in request target and Host header value should be
bracketed.
Ip::Address::toStr()calls do not bracket. The exacteffects of this fix are not known because this improvement was triggered
as a bug fix for Squid v6, and that particular bug does not affect Squid
v7+.
buildFakeRequest()code analysis suggests that Squid v7+ wascreating fake
CONNECTrequests with an unbracketed IPv6 Host headervalue (but that header may be effectively unused and that request
target was bracketed correctly).