The function ij_untrusted_url() in filters.c clobbers the value of the global variable "referrer", which is set by the config file. Now, when the "single-threaded" option has NOT been specified in the config file, the bug is harmless because this function is run in a child process. However, if single-threading is enabled, all successive connections will use the new value of "referrer".
In particular, by sending a request for "http://host/ij-untrusted-url?a?a?x" to the proxy, one can install the value "x" in the referrer variable.
Steps to Reproduce:
1. request http://host/ij-untrusted-url?a?a?x through the proxy.
Sets "referrer" global variable.
Should use a local variable named "referrer".
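The mechanism the report describes, as an added example that is not junkbuster's code: a constructed model in C where the buggy handler parses the crafted URL straight into the shared config global, while the fixed handler writes into a local that shadows it. The helper names and the "block" config value are assumptions; only the "referrer" name and the URL shape come from the report.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the report (added example, not junkbuster code). The
 * helper names are hypothetical; only "referrer" and the URL shape come from
 * the report. In single-threaded mode every connection shares this global. */
#define REFERRER_MAX 64
static char referrer[REFERRER_MAX] = "block";   /* value set by the config file */

/* Copy the text after the third '?' of "ij-untrusted-url?a?a?x" into out,
 * bounded by outlen; returns 0 when the request is not of that shape. */
static int third_field(const char *url, char *out, size_t outlen) {
    const char *p = url;
    for (int i = 0; i < 3; i++) {
        p = strchr(p, '?');
        if (!p) return 0;
        p++;
    }
    snprintf(out, outlen, "%s", p);
    return 1;
}

/* Buggy handler: parses straight into the config global, so the value is
 * still there for the next request this process serves. */
static void handle_buggy(const char *url) {
    (void)third_field(url, referrer, sizeof referrer);
}

/* Fixed handler: a local named "referrer" shadows the global, so the parsed
 * value dies with the request and later connections keep the config value. */
static void handle_fixed(const char *url) {
    char referrer[REFERRER_MAX];
    (void)third_field(url, referrer, sizeof referrer);
}

/* Reload the config value, serve the crafted request, then an ordinary one,
 * and report the referrer the second, unrelated connection observes. */
const char *referrer_after(void (*handler)(const char *)) {
    snprintf(referrer, sizeof referrer, "%s", "block");
    handler("http://host/ij-untrusted-url?a?a?x");
    handler("http://host/index.html");
    return referrer;
}

int main(void) {
    printf("buggy: %s\n", referrer_after(handle_buggy));  /* prints x */
    printf("fixed: %s\n", referrer_after(handle_fixed));  /* prints block */
    return 0;
}
```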
Created attachment 55828
patch for referrer bug
Can auditors have a look?
Confirmed. That's an interesting bug, a malicious site could override your referrer setting and allow it to be sent (if you were to enable single-threaded operation, for some reason).
It gets worse: there's some heap corruption happening in there due to the inconsistent use of the strsav() function that looks exploitable (single-threaded or not). Looks like there are some other errors as well that need correcting.
Is there any reason to use junkbuster rather than privoxy? Maybe we should consider abandoning junkbuster as it looks like upstream is inactive.
www-proxy, please advise.
Fixed both issues in -r3.
I've taken the liberty to keep keywords unchanged and erase the old version. The new patch is Obviously Correct, tested on x86 by me, and is definitely arch independent.
Thx Alin. This one is ready for GLSA.