FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

squid -- confusing results on empty acl declarations

Affected packages
squid < 2.5.7_5

Details

VuXML ID a30e5e44-5440-11d9-9e1e-c296ac722cb3
Discovery 2004-12-21
Entry 2004-12-23
Modified 2005-02-08

Applying an empty ACL list results in unexpected behavior: anything will match an empty ACL list. For example,

The meaning of the configuration gets very confusing when we encounter empty ACLs such as

acl something src "/path/to/empty_file.txt"
http_access allow something somewhere

gets parsed (with warnings) as

http_access allow somewhere

And similarily if you are using proxy_auth acls without having any auth schemes defined.

References

CVE Name CVE-2005-0194
URL http://www.squid-cache.org/bugs/show_bug.cgi?id=1166
URL http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls