Hi Alexey,
On Wed, Oct 08, 2008 at 12:17:11AM -0400, Alexey Kovyrin wrote:
> Sent the config in private email. Thanks for you help.
sorry for the delay. I have several activities these days. I was a bit worried by not being able to reproduce the issue. I was thinking about a race condition during the session close but I finally found the real culprit in your tcpdump capture. What you see here in the response is wrong :
Status: 302 Found
Location: http://www.market-research-report.com/Merchant2/merchant.mvc?Store_Code=analysis&AFFIL=scribd2121&Screen=PROD&Product_Code=imtc0264
X-Runtime: 0.01000
As you pointed out, haproxy in debug mode stops after the linne "Status:" without any apparent reason. The network trace shows the reason :
0x0200: 4f44 2650 726f 6475 6374 5f43 6f64 653d OD&Product_Code= 0x0210: 696d 7463 3032 3634 0d0d 0a58 2d52 756e imtc0264...X-Run ^^^^^^^
You have the Location line ending with CRCRLF instead of CRLF. I think that somewhere in your application, you have an extraneous "\r" added at the end of the Location header.
I'm a bit worried that some other proxies let it pass through, because if they also allow this in the request, I suspect it might be exploited one way or another to help building content-smuggling attacks, consisting in sending border-line requests so that one components understands one thing while another one understands something else. Trying to pass fake CRLFs is quite common in order to make the first level of proxies believe the rest is data and not inspect it.
Hoping this helps,
Willy
Received on 2008/10/09 23:26
This archive was generated by hypermail 2.2.0 : 2008/10/09 23:30 CEST