Description: fix cache-poisoning attacks via an HTTP request with an absolute-URI
Origin: upstream, http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823968

Index: squid3-3.5.12/src/client_side.cc
===================================================================
--- squid3-3.5.12.orig/src/client_side.cc	2015-12-02 13:10:29.000000000 -0500
+++ squid3-3.5.12/src/client_side.cc	2016-06-07 08:07:50.283434027 -0400
@@ -2660,6 +2660,20 @@
             clientProcessRequestFinished(conn, request);
             return;
         }
+
+        // when absolute-URI is provided Host header should be ignored. However
+        // some code still uses Host directly so normalize it.
+        // For now preserve the case where Host is completely absent. That matters.
+        if (request->header.has(HDR_HOST)) {
+            const char *host = request->header.getStr(HDR_HOST);
+            SBuf authority(request->GetHost());
+            if (request->port != urlDefaultPort(request->url.getScheme()))
+                authority.appendf(":%d", request->port);
+            debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
+            // URL authority overrides Host header
+            request->header.delById(HDR_HOST);
+            request->header.putStr(HDR_HOST, authority.c_str());
+        }
     }
 
     // Some blobs below are still HTTP-specific, but we would have to rewrite