Vulnerability Development mailing list archives

Re: Squid doesn't quote urls in error messages.


From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Tue, 31 Oct 2000 09:34:06 +0800

At 12:16 PM 28-10-2000 +1100, Robert Collins wrote:
> You have to get the browser to send non-escaped URIs for that to work.

Some Netscape browsers don't convert spaces to %20. But you don't need to
rely on that. All you need to do is find some way of getting the Squid
proxy to complain, and then it will send an error page with the url to you.

For example you could try:
http://nonexistentname.amazon.com/<script>alert(this.document.cookie)</script>

Squid will then give you a "The requested URL could not be retrieved" page,
and if you have javascript enabled you'll get an alert box.

> What's the general consensus on this as a risk? Getting the exact unaltered
> URL from Squid is very useful for troubleshooting problems through Squid.
> And Squid cannot change the URL when it receives it - that's against RFC.

I strongly agree, getting the exact unaltered URL from Squid can be useful.
But if I'm getting one, I want an exact unaltered URL from Squid, not a
full-fledged autosubmitting form or fancy javascript bird flying around my
cursor ;).

It's a risk, especially to those who have javascript on. I believe there
are already ways to exploit it. Even if there aren't any now, I'm sure Mr
Georgi Guninski can come up with one or two every couple of weeks ;).

Cheerio,
Link.
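An added example, not from this thread or from Squid's own source: a C helper that HTML-escapes the requested URL before it is placed into an error page, so the URL is still shown exactly as received but as text rather than as markup. The page template, the function names and the buffer sizes are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Copy src into dst (dstlen bytes) with the five characters that can
 * break out of HTML text or attribute context replaced by entities.
 * Returns the number of bytes written (without the NUL), or -1 if dst
 * is too small. Nothing is dropped, so the URL stays exact. */
static int html_escape(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    for (; *src; src++) {
        const char *rep;
        char one[2] = { *src, '\0' };
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (n + rl >= dstlen)
            return -1;
        memcpy(dst + n, rep, rl);
        n += rl;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Build a "could not be retrieved" page for url into out (outlen bytes).
 * The URL is shown as text only; linking it would also need a scheme
 * check, which is out of scope here. Hypothetical template, not Squid's.
 * Returns the page length or -1 on a too-small buffer. */
int build_error_page(const char *url, char *out, size_t outlen)
{
    char esc[2048];
    if (html_escape(url, esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(out, outlen,
        "<html><body><h1>ERROR</h1>"
        "<p>The requested URL could not be retrieved</p>"
        "<p>While trying to retrieve the URL: %s</p>"
        "</body></html>", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}
```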
