[squid-users] SQUID-2025:2 workaround

[Alex Rousskov]

On 2025-10-17 07:46, Marcus Kool wrote:

> My squid.conf (v6.8) has "email_err_data off" but "squid -k parse 2>&1 | 
> grep email_err_data" produces nothing.  Is this expected behavior?

No, it is not. You should see something like

     2025/10/17 10:07:53| Processing: email_err_data off

Please make sure that your "squid -k parse" command works with the same 
configuration file you are adding an email_err_data directive to. For 
example, you might be adding that directive to some custom configuration 
file but executing "squid -k parse" against the default configuration 
file. Using something like "grep -E 'email_err_data|Configuration File'" 
may help with catching such a mismatch.

And check that "squid -k parse" actually succeeds rather than fails 
before it can get to email_err_data processing.

 > Does the workaround work for Squid 6.8?

AFAICT, that workaround works similarly for Squid v6.8 and Squid v7.1.

FWIW, I do not think that email_err_data workaround covers all 
problematic cases in all setups. It may cover cases that SQUID-2025:2 
specifically talks about, but even that probably depends on "web 
application" internals. See the first paragraph of [1] and note that 
email_err_data affects %W but has no effect on %R. You should patch or 
upgrade!

If you do rely on that workaround (instead of patching or upgrading), 
then consider configuring your Squid to deny TRACE requests as well. See 
the last paragraph of [1] for motivation.


HTH,

Alex.

[1]: For more information, see the commit message linked from the 
"Updated Packages" section of the Advisory:
https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f