import squid-4.11-1.module+el8.3.0+6769+637637ab
parent
bf7f24e547
commit
14299772a1
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/squid-4.4.tar.xz
|
||||
SOURCES/squid-4.11.tar.xz
|
||||
|
@ -1 +1 @@
|
||||
0ab6b133f65866d825bf72cbbe8cef209768b2fa SOURCES/squid-4.4.tar.xz
|
||||
053277bf5497163ffc9261b9807abda5959bb6fc SOURCES/squid-4.11.tar.xz
|
||||
|
@ -1,95 +0,0 @@
|
||||
------------------------------------------------------------
|
||||
revno: 14311
|
||||
revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
|
||||
parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
|
||||
------------------------------------------------------------
|
||||
revno: 14311
|
||||
revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
|
||||
parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
|
||||
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
|
||||
author: Francesco Chemolli <kinkie@squid-cache.org>
|
||||
committer: Amos Jeffries <squid3@treenet.co.nz>
|
||||
branch nick: trunk
|
||||
timestamp: Thu 2015-09-24 06:05:37 -0700
|
||||
message:
|
||||
Bug 4323: Netfilter broken cross-includes with Linux 4.2
|
||||
------------------------------------------------------------
|
||||
# Bazaar merge directive format 2 (Bazaar 0.90)
|
||||
# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
|
||||
# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
|
||||
# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
|
||||
# timestamp: 2015-09-24 13:06:33 +0000
|
||||
# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
|
||||
# base_revision_id: squid3@treenet.co.nz-20150924032241-\
|
||||
# 6cx3g6hwz9xfoybr
|
||||
#
|
||||
# Begin patch
|
||||
=== modified file 'compat/os/linux.h'
|
||||
--- compat/os/linux.h 2015-01-13 07:25:36 +0000
|
||||
+++ compat/os/linux.h 2015-09-24 13:05:37 +0000
|
||||
@@ -30,6 +30,21 @@
|
||||
#endif
|
||||
|
||||
/*
|
||||
+ * Netfilter header madness. (see Bug 4323)
|
||||
+ *
|
||||
+ * Netfilter have a history of defining their own versions of network protocol
|
||||
+ * primitives without sufficient protection against the POSIX defines which are
|
||||
+ * aways present in Linux.
|
||||
+ *
|
||||
+ * netinet/in.h must be included before any other sys header in order to properly
|
||||
+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
|
||||
+ * to workaround it.
|
||||
+ */
|
||||
+#if HAVE_NETINET_IN_H
|
||||
+#include <netinet/in.h>
|
||||
+#endif
|
||||
+
|
||||
+/*
|
||||
* sys/capability.h is only needed in Linux apparently.
|
||||
*
|
||||
* HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
|
||||
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
|
||||
author: Francesco Chemolli <kinkie@squid-cache.org>
|
||||
committer: Amos Jeffries <squid3@treenet.co.nz>
|
||||
branch nick: trunk
|
||||
timestamp: Thu 2015-09-24 06:05:37 -0700
|
||||
message:
|
||||
Bug 4323: Netfilter broken cross-includes with Linux 4.2
|
||||
------------------------------------------------------------
|
||||
# Bazaar merge directive format 2 (Bazaar 0.90)
|
||||
# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
|
||||
# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
|
||||
# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
|
||||
# timestamp: 2015-09-24 13:06:33 +0000
|
||||
# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
|
||||
# base_revision_id: squid3@treenet.co.nz-20150924032241-\
|
||||
# 6cx3g6hwz9xfoybr
|
||||
#
|
||||
# Begin patch
|
||||
=== modified file 'compat/os/linux.h'
|
||||
--- compat/os/linux.h 2015-01-13 07:25:36 +0000
|
||||
+++ compat/os/linux.h 2015-09-24 13:05:37 +0000
|
||||
@@ -30,6 +30,21 @@
|
||||
#endif
|
||||
|
||||
/*
|
||||
+ * Netfilter header madness. (see Bug 4323)
|
||||
+ *
|
||||
+ * Netfilter have a history of defining their own versions of network protocol
|
||||
+ * primitives without sufficient protection against the POSIX defines which are
|
||||
+ * aways present in Linux.
|
||||
+ *
|
||||
+ * netinet/in.h must be included before any other sys header in order to properly
|
||||
+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
|
||||
+ * to workaround it.
|
||||
+ */
|
||||
+#if HAVE_NETINET_IN_H
|
||||
+#include <netinet/in.h>
|
||||
+#endif
|
||||
+
|
||||
+/*
|
||||
* sys/capability.h is only needed in Linux apparently.
|
||||
*
|
||||
* HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
|
||||
|
@ -1,5 +1,5 @@
|
||||
diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc
|
||||
index 777210c..4c80511 100644
|
||||
index b665bcf..d287e55 100644
|
||||
--- a/src/clients/FtpClient.cc
|
||||
+++ b/src/clients/FtpClient.cc
|
||||
@@ -778,7 +778,8 @@ Ftp::Client::connectDataChannel()
|
||||
@ -13,7 +13,7 @@ index 777210c..4c80511 100644
|
||||
|
||||
/// creates a data channel Comm close callback
|
||||
diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h
|
||||
index 465fdb7..75dbd3b 100644
|
||||
index a76a5a0..218d696 100644
|
||||
--- a/src/clients/FtpClient.h
|
||||
+++ b/src/clients/FtpClient.h
|
||||
@@ -118,7 +118,7 @@ public:
|
||||
@ -26,7 +26,7 @@ index 465fdb7..75dbd3b 100644
|
||||
|
||||
CtrlChannel ctrl; ///< FTP control channel state
|
||||
diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
|
||||
index a13cdda..b958b14 100644
|
||||
index 411bce9..31d3e36 100644
|
||||
--- a/src/clients/FtpGateway.cc
|
||||
+++ b/src/clients/FtpGateway.cc
|
||||
@@ -87,6 +87,13 @@ struct GatewayFlags {
|
||||
@ -56,7 +56,7 @@ index a13cdda..b958b14 100644
|
||||
int checkAuth(const HttpHeader * req_hdr);
|
||||
void checkUrlpath();
|
||||
void buildTitleUrl();
|
||||
@@ -1792,6 +1803,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback)
|
||||
@@ -1787,6 +1798,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback)
|
||||
}
|
||||
|
||||
ftpState->listenForDataChannel(temp);
|
||||
@ -64,7 +64,7 @@ index a13cdda..b958b14 100644
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -1827,13 +1839,19 @@ ftpSendPORT(Ftp::Gateway * ftpState)
|
||||
@@ -1822,13 +1834,19 @@ ftpSendPORT(Ftp::Gateway * ftpState)
|
||||
// pull out the internal IP address bytes to send in PORT command...
|
||||
// source them from the listen_conn->local
|
||||
|
||||
@ -86,7 +86,7 @@ index a13cdda..b958b14 100644
|
||||
ftpState->writeCommand(cbuf);
|
||||
ftpState->state = Ftp::Client::SENT_PORT;
|
||||
|
||||
@@ -1886,14 +1904,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState)
|
||||
@@ -1881,14 +1899,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState)
|
||||
return;
|
||||
}
|
||||
|
||||
@ -116,7 +116,7 @@ index a13cdda..b958b14 100644
|
||||
|
||||
ftpState->writeCommand(cbuf);
|
||||
ftpState->state = Ftp::Client::SENT_EPRT;
|
||||
@@ -1912,7 +1943,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState)
|
||||
@@ -1907,7 +1938,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState)
|
||||
ftpSendPORT(ftpState);
|
||||
return;
|
||||
}
|
@ -1,7 +1,8 @@
|
||||
diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre
|
||||
--- squid-4.0.11/src/cf.data.pre.config 2016-06-09 22:32:57.000000000 +0200
|
||||
+++ squid-4.0.11/src/cf.data.pre 2016-07-11 21:08:35.090976840 +0200
|
||||
@@ -4658,7 +4658,7 @@ DOC_END
|
||||
diff --git a/src/cf.data.pre b/src/cf.data.pre
|
||||
index 26ef576..30d5509 100644
|
||||
--- a/src/cf.data.pre
|
||||
+++ b/src/cf.data.pre
|
||||
@@ -5006,7 +5006,7 @@ DOC_END
|
||||
|
||||
NAME: logfile_rotate
|
||||
TYPE: int
|
||||
@ -10,7 +11,7 @@ diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre
|
||||
LOC: Config.Log.rotateNumber
|
||||
DOC_START
|
||||
Specifies the default number of logfile rotations to make when you
|
||||
@@ -6444,11 +6444,11 @@ COMMENT_END
|
||||
@@ -6857,11 +6857,11 @@ COMMENT_END
|
||||
|
||||
NAME: cache_mgr
|
||||
TYPE: string
|
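--- a/SOURCES/squid-4.11-include-guards.patch
+++ b/SOURCES/squid-4.11-include-guards.patch
@@ -0,0 +1,41 @@
+diff --git a/compat/os/linux.h b/compat/os/linux.h
+index 0ff05c6..d51389b 100644
+--- a/compat/os/linux.h
++++ b/compat/os/linux.h
+@@ -44,6 +44,36 @@
+#include <netinet/in.h>
+#endif
+
++/*
++ * Netfilter header madness. (see Bug 4323)
++ *
++ * Netfilter have a history of defining their own versions of network protocol
++ * primitives without sufficient protection against the POSIX defines which are
++ * aways present in Linux.
++ *
++ * netinet/in.h must be included before any other sys header in order to properly
++ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
++ * to workaround it.
++ */
++#if HAVE_NETINET_IN_H
++#include <netinet/in.h>
++#endif
++
++/*
++ * Netfilter header madness. (see Bug 4323)
++ *
++ * Netfilter have a history of defining their own versions of network protocol
++ * primitives without sufficient protection against the POSIX defines which are
++ * aways present in Linux.
++ *
++ * netinet/in.h must be included before any other sys header in order to properly
++ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
++ * to workaround it.
++ */
++#if HAVE_NETINET_IN_H
++#include <netinet/in.h>
++#endif
++
+/*
+* sys/capability.h is only needed in Linux apparently.
+*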
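Review bot: The single hunk of this new patch adds the Netfilter comment and the `#if HAVE_NETINET_IN_H` / `#include <netinet/in.h>` / `#endif` guard twice in a row, and its leading context already ends with `#include <netinet/in.h>` and `#endif`, which suggests the 4.11 header carries this include upstream. The repeated include is harmless to the compiler, but the patch reads like a mechanical re-diff of the 3.5.9 version rather than a change the rebase still needs. If the upstream header already has the block I would drop `Patch204` and its `%patch204 -p1 -b .include-guards` line, and otherwise cut the hunk down to one copy. The rest of compat/os/linux.h lies outside the hunk, so this should be confirmed against the 4.11 tarball.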
@ -1,7 +1,8 @@
|
||||
diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART
|
||||
--- squid-3.1.0.9/QUICKSTART.location 2009-06-26 12:35:27.000000000 +0200
|
||||
+++ squid-3.1.0.9/QUICKSTART 2009-07-17 14:03:10.000000000 +0200
|
||||
@@ -10,10 +10,9 @@ After you retrieved, compiled and instal
|
||||
diff --git a/QUICKSTART b/QUICKSTART
|
||||
index e5299b4..a243437 100644
|
||||
--- a/QUICKSTART
|
||||
+++ b/QUICKSTART
|
||||
@@ -10,10 +10,9 @@ After you retrieved, compiled and installed the Squid software (see
|
||||
INSTALL in the same directory), you have to configure the squid.conf
|
||||
file. This is the list of the values you *need* to change, because no
|
||||
sensible defaults could be defined. Do not touch the other variables
|
||||
@ -14,7 +15,7 @@ diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART
|
||||
|
||||
==============================================================================
|
||||
|
||||
@@ -82,12 +81,12 @@ After editing squid.conf to your liking,
|
||||
@@ -80,12 +79,12 @@ After editing squid.conf to your liking, run Squid from the command
|
||||
line TWICE:
|
||||
|
||||
To create any disk cache_dir configured:
|
@ -6,5 +6,5 @@ index 90ac6a4..8dbed90 100755
|
||||
-#!/usr/local/bin/perl -Tw
|
||||
+#!/usr/bin/perl -Tw
|
||||
#
|
||||
# * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
|
||||
# * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
|
||||
# *
|
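--- a/SOURCES/squid-4.11-systemd.patch
+++ b/SOURCES/squid-4.11-systemd.patch
@@ -0,0 +1,39 @@
+diff --git a/configure b/configure
+index 17b2ebf..9530f6b 100755
+--- a/configure
++++ b/configure
+@@ -33915,6 +33915,7 @@ done
+fi
+if test "x$SYSTEMD_LIBS" != "x" ; then
+CXXFLAGS="$SYSTEMD_CFLAGS $CXXFLAGS"
++ LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"
+
+$as_echo "#define USE_SYSTEMD 1" >>confdefs.h
+
+diff --git a/src/Debug.h b/src/Debug.h
+index 6eecd01..ddd9e38 100644
+--- a/src/Debug.h
++++ b/src/Debug.h
+@@ -99,6 +99,10 @@ public:
+
+/// configures the active debugging context to write syslog ALERT
+static void ForceAlert();
++
++ /// prefixes each grouped debugs() line after the first one in the group
++ static std::ostream& Extra(std::ostream &os) { return os << "\n "; }
++
+private:
+static Context *Current; ///< deepest active context; nil outside debugs()
+};
+diff --git a/configure.ac b/configure.ac
+index d3c5da8..806302c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2162,6 +2162,7 @@ if test "x$with_systemd" != "xno" -a "x$squid_host_os" = "xlinux"; then
+fi
+if test "x$SYSTEMD_LIBS" != "x" ; then
+CXXFLAGS="$SYSTEMD_CFLAGS $CXXFLAGS"
++ LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"
+AC_DEFINE(USE_SYSTEMD,1,[systemd support is available])
+else
+with_systemd=no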
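Review bot: The added `LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"` in the configure and configure.ac hunks puts a library list into the linker-flags variable, so `-lsystemd` lands ahead of the object files on the link line. Where the distribution links with `-Wl,--as-needed` the library can then be discarded before any object references it; whether that happens here depends on build flags not shown on this page. The conventional form is `LIBS="$SYSTEMD_LIBS $LIBS"`. The patch also edits the generated `configure` next to `configure.ac`, so the two copies have to be kept identical by hand unless the spec regenerates `configure` during the build. If the line is kept as is to match the upstream commit named in the spec, a short comment in the patch header saying so would spare the next rebase the question.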
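--- a/SOURCES/squid-4.11.tar.xz.asc
+++ b/SOURCES/squid-4.11.tar.xz.asc
@@ -0,0 +1,25 @@
+File: squid-4.11.tar.xz
+Date: Sun Apr 19 12:56:37 UTC 2020
+Size: 2447700
+MD5 : 10f34e852153a9996aa4614670e2bda1
+SHA1: 053277bf5497163ffc9261b9807abda5959bb6fc
+Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz>
+B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E
+keyring = http://www.squid-cache.org/pgp.asc
+keyserver = pool.sks-keyservers.net
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAl6cSpEACgkQzW2/jvOx
+fT6YbA/6A+IbIbNBJUW45oj23Io9Tw/CzAcTeLHR+McKwV77qMbR+L+kQ+fUdM5F
+rHAmd8bVVlyHc4WanVfWItEmzBzHA/ifTNvVpefSGGEbDb80RF66k7ACiZUokg1b
+kkPwc/SjDhe2wvketIaBiVVd7pylrlCdVvazcF8gE9MWDOIlJND5mnHXidXvwkbJ
+T2//8JZVEmcmN9pdFGNAUVckFm+AnwWXcRM1SQPYDGSVUtjVlqido8snLTA1mZwl
+rIpjppujMV54OOWlj+Gqa3MZkpNzIaMCAfphzUFlsQY+/sRUYAOv1wmxw2WclxlK
+WlWM+fw8OsYNDMwkOScKZZWceoAkq6UsUHzCAdJIdLqV/R6mZ9nfuZ6BHIr0+2dP
+bDf9MU4KXbwEuXiRD/KPziUxxOZwSPivbm3wy9DqTTZfO9V+Iq6FVHX+ahxJ0XbM
+JWRYA3GW+DRLjorfsWxU5r4UJsrnBfhItPUAfGPjPjEGZ/pn8r9G6MGenNGPLMKy
+wP1rMlOhrZPwerzokzAvKx8G0WWkfN+IPv2JK3rDot6RiJIOuvnZZd4RIuVNTGbh
+liO7M24JlWX3WD2wHBzxQag46+plb3VvrrVChwIQnZ2Qzpf50w0Bife/wtNBGpK0
+k/Xi/nocO796YS8GZBnmhS1lEGEwp/YpJBFWmIjTWMUMEOcswVA=
+=PKl0
+-----END PGP SIGNATURE-----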
@ -1,139 +0,0 @@
|
||||
commit 7f73e9c5d17664b882ed32590e6af310c247f320
|
||||
Author: Amos Jeffries <yadij@users.noreply.github.com>
|
||||
Date: 2019-06-19 05:58:36 +0000
|
||||
|
||||
Update HttpHeader::getAuth to SBuf (#416)
|
||||
|
||||
Replace the fixed-size buffer for decoding base64 tokens with an
|
||||
SBuf to avoid decoder issues on large inputs.
|
||||
|
||||
Update callers to SBuf API operations for more efficient memory
|
||||
management.
|
||||
|
||||
diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc
|
||||
index 1e2b650..284a057 100644
|
||||
--- a/src/HttpHeader.cc
|
||||
+++ b/src/HttpHeader.cc
|
||||
@@ -1268,43 +1268,46 @@ HttpHeader::getContRange() const
|
||||
return cr;
|
||||
}
|
||||
|
||||
-const char *
|
||||
-HttpHeader::getAuth(Http::HdrType id, const char *auth_scheme) const
|
||||
+SBuf
|
||||
+HttpHeader::getAuthToken(Http::HdrType id, const char *auth_scheme) const
|
||||
{
|
||||
const char *field;
|
||||
int l;
|
||||
assert(auth_scheme);
|
||||
field = getStr(id);
|
||||
|
||||
+ static const SBuf nil;
|
||||
if (!field) /* no authorization field */
|
||||
- return NULL;
|
||||
+ return nil;
|
||||
|
||||
l = strlen(auth_scheme);
|
||||
|
||||
if (!l || strncasecmp(field, auth_scheme, l)) /* wrong scheme */
|
||||
- return NULL;
|
||||
+ return nil;
|
||||
|
||||
field += l;
|
||||
|
||||
if (!xisspace(*field)) /* wrong scheme */
|
||||
- return NULL;
|
||||
+ return nil;
|
||||
|
||||
/* skip white space */
|
||||
for (; field && xisspace(*field); ++field);
|
||||
|
||||
if (!*field) /* no authorization cookie */
|
||||
- return NULL;
|
||||
+ return nil;
|
||||
|
||||
- static char decodedAuthToken[8192];
|
||||
+ const auto fieldLen = strlen(field);
|
||||
+ SBuf result;
|
||||
+ char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen));
|
||||
struct base64_decode_ctx ctx;
|
||||
base64_decode_init(&ctx);
|
||||
size_t decodedLen = 0;
|
||||
- if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), strlen(field), field) ||
|
||||
+ if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), fieldLen, field) ||
|
||||
!base64_decode_final(&ctx)) {
|
||||
- return NULL;
|
||||
+ return nil;
|
||||
}
|
||||
- decodedAuthToken[decodedLen] = '\0';
|
||||
- return decodedAuthToken;
|
||||
+ result.rawAppendFinish(decodedAuthToken, decodedLen);
|
||||
+ return result;
|
||||
}
|
||||
|
||||
ETag
|
||||
diff --git a/src/HttpHeader.h b/src/HttpHeader.h
|
||||
index a26b127..3b262be 100644
|
||||
--- a/src/HttpHeader.h
|
||||
+++ b/src/HttpHeader.h
|
||||
@@ -134,7 +134,7 @@ public:
|
||||
HttpHdrRange *getRange() const;
|
||||
HttpHdrSc *getSc() const;
|
||||
HttpHdrContRange *getContRange() const;
|
||||
- const char *getAuth(Http::HdrType id, const char *auth_scheme) const;
|
||||
+ SBuf getAuthToken(Http::HdrType id, const char *auth_scheme) const;
|
||||
ETag getETag(Http::HdrType id) const;
|
||||
TimeOrTag getTimeOrTag(Http::HdrType id) const;
|
||||
int hasListMember(Http::HdrType id, const char *member, const char separator) const;
|
||||
diff --git a/src/cache_manager.cc b/src/cache_manager.cc
|
||||
index da22f7a..2fae767 100644
|
||||
--- a/src/cache_manager.cc
|
||||
+++ b/src/cache_manager.cc
|
||||
@@ -27,6 +27,7 @@
|
||||
#include "mgr/FunAction.h"
|
||||
#include "mgr/QueryParams.h"
|
||||
#include "protos.h"
|
||||
+#include "sbuf/StringConvert.h"
|
||||
#include "SquidConfig.h"
|
||||
#include "SquidTime.h"
|
||||
#include "Store.h"
|
||||
@@ -243,20 +244,20 @@ CacheManager::ParseHeaders(const HttpRequest * request, Mgr::ActionParams ¶m
|
||||
// TODO: use the authentication system decode to retrieve these details properly.
|
||||
|
||||
/* base 64 _decoded_ user:passwd pair */
|
||||
- const char *basic_cookie = request->header.getAuth(Http::HdrType::AUTHORIZATION, "Basic");
|
||||
+ const auto basic_cookie(request->header.getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
|
||||
|
||||
- if (!basic_cookie)
|
||||
+ if (basic_cookie.isEmpty())
|
||||
return;
|
||||
|
||||
- const char *passwd_del;
|
||||
- if (!(passwd_del = strchr(basic_cookie, ':'))) {
|
||||
+ const auto colonPos = basic_cookie.find(':');
|
||||
+ if (colonPos == SBuf::npos) {
|
||||
debugs(16, DBG_IMPORTANT, "CacheManager::ParseHeaders: unknown basic_cookie format '" << basic_cookie << "'");
|
||||
return;
|
||||
}
|
||||
|
||||
/* found user:password pair, reset old values */
|
||||
- params.userName.limitInit(basic_cookie, passwd_del - basic_cookie);
|
||||
- params.password = passwd_del + 1;
|
||||
+ params.userName = SBufToString(basic_cookie.substr(0, colonPos));
|
||||
+ params.password = SBufToString(basic_cookie.substr(colonPos+1));
|
||||
|
||||
/* warning: this prints decoded password which maybe not be what you want to do @?@ @?@ */
|
||||
debugs(16, 9, "CacheManager::ParseHeaders: got user: '" <<
|
||||
diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
|
||||
index b958b14..7ca5d24 100644
|
||||
--- a/src/clients/FtpGateway.cc
|
||||
+++ b/src/clients/FtpGateway.cc
|
||||
@@ -1050,7 +1050,7 @@ Ftp::Gateway::checkAuth(const HttpHeader * req_hdr)
|
||||
|
||||
#if HAVE_AUTH_MODULE_BASIC
|
||||
/* Check HTTP Authorization: headers (better than defaults, but less than URL) */
|
||||
- const SBuf auth(req_hdr->getAuth(Http::HdrType::AUTHORIZATION, "Basic"));
|
||||
+ const auto auth(req_hdr->getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
|
||||
if (!auth.isEmpty()) {
|
||||
flags.authenticated = 1;
|
||||
loginParser(auth, false);
|
@ -1,64 +0,0 @@
|
||||
diff --git a/tools/cachemgr.cc b/tools/cachemgr.cc
|
||||
index 0c745c2..8a67eba 100644
|
||||
--- a/tools/cachemgr.cc
|
||||
+++ b/tools/cachemgr.cc
|
||||
@@ -355,7 +355,7 @@ auth_html(const char *host, int port, const char *user_name)
|
||||
|
||||
printf("<TR><TH ALIGN=\"left\">Manager name:</TH><TD><INPUT NAME=\"user_name\" ");
|
||||
|
||||
- printf("size=\"30\" VALUE=\"%s\"></TD></TR>\n", user_name);
|
||||
+ printf("size=\"30\" VALUE=\"%s\"></TD></TR>\n", rfc1738_escape(user_name));
|
||||
|
||||
printf("<TR><TH ALIGN=\"left\">Password:</TH><TD><INPUT TYPE=\"password\" NAME=\"passwd\" ");
|
||||
|
||||
@@ -419,7 +419,7 @@ menu_url(cachemgr_request * req, const char *action)
|
||||
script_name,
|
||||
req->hostname,
|
||||
req->port,
|
||||
- safe_str(req->user_name),
|
||||
+ rfc1738_escape(safe_str(req->user_name)),
|
||||
action,
|
||||
safe_str(req->pub_auth));
|
||||
return url;
|
||||
@@ -1074,8 +1074,8 @@ make_pub_auth(cachemgr_request * req)
|
||||
const int bufLen = snprintf(buf, sizeof(buf), "%s|%d|%s|%s",
|
||||
req->hostname,
|
||||
(int) now,
|
||||
- req->user_name ? req->user_name : "",
|
||||
- req->passwd);
|
||||
+ rfc1738_escape(safe_str(req->user_name)),
|
||||
+ rfc1738_escape(req->passwd));
|
||||
debug("cmgr: pre-encoded for pub: %s\n", buf);
|
||||
|
||||
const int encodedLen = base64_encode_len(bufLen);
|
||||
@@ -1094,8 +1094,6 @@ decode_pub_auth(cachemgr_request * req)
|
||||
char *buf;
|
||||
const char *host_name;
|
||||
const char *time_str;
|
||||
- const char *user_name;
|
||||
- const char *passwd;
|
||||
|
||||
debug("cmgr: decoding pub: '%s'\n", safe_str(req->pub_auth));
|
||||
safe_free(req->passwd);
|
||||
@@ -1131,17 +1129,21 @@ decode_pub_auth(cachemgr_request * req)
|
||||
|
||||
debug("cmgr: decoded time: '%s' (now: %d)\n", time_str, (int) now);
|
||||
|
||||
+ char *user_name;
|
||||
if ((user_name = strtok(NULL, "|")) == NULL) {
|
||||
xfree(buf);
|
||||
return;
|
||||
}
|
||||
+ rfc1738_unescape(user_name);
|
||||
|
||||
debug("cmgr: decoded uname: '%s'\n", user_name);
|
||||
|
||||
+ char *passwd;
|
||||
if ((passwd = strtok(NULL, "|")) == NULL) {
|
||||
xfree(buf);
|
||||
return;
|
||||
}
|
||||
+ rfc1738_unescape(passwd);
|
||||
|
||||
debug("cmgr: decoded passwd: '%s'\n", passwd);
|
||||
|
@ -1,12 +0,0 @@
|
||||
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
|
||||
index 9165ef99c..32a3df322 100644
|
||||
--- a/src/cache_cf.cc
|
||||
+++ b/src/cache_cf.cc
|
||||
@@ -2081,6 +2081,7 @@ parse_peer(CachePeer ** head)
|
||||
|
||||
CachePeer *p = new CachePeer;
|
||||
p->host = xstrdup(host_str);
|
||||
+ Tolower(p->host);
|
||||
p->name = xstrdup(host_str);
|
||||
p->type = parseNeighborType(token);
|
||||
|
@ -1,26 +0,0 @@
|
||||
diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.8 b/src/http/url_rewriters/LFS/url_lfs_rewrite.8
|
||||
index 3053180..1d295fb 100644
|
||||
--- a/src/http/url_rewriters/LFS/url_lfs_rewrite.8
|
||||
+++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.8
|
||||
@@ -135,7 +135,7 @@
|
||||
.if n .ad l
|
||||
.nh
|
||||
.SH "NAME"
|
||||
-url_lfs_rewrite
|
||||
+\& url_lfs_rewrite \- a URL-rewriter based on local file existence
|
||||
.SH "SYNOPSIS"
|
||||
.IX Header "SYNOPSIS"
|
||||
.Vb 1
|
||||
diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in b/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in
|
||||
index a7168e0..da7055c 100755
|
||||
--- a/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in
|
||||
+++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in
|
||||
@@ -8,7 +8,7 @@ use Pod::Usage;
|
||||
|
||||
=head1 NAME
|
||||
|
||||
-B<url_lfs_rewrite>
|
||||
+B<url_lfs_rewrite> - a URL-rewriter based on local file existence
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
@ -1,25 +0,0 @@
|
||||
File: squid-4.4.tar.xz
|
||||
Date: Sat Oct 27 21:20:24 UTC 2018
|
||||
Size: 2436468
|
||||
MD5 : 892504ca9700e1f139a53f84098613bd
|
||||
SHA1: 0ab6b133f65866d825bf72cbbe8cef209768b2fa
|
||||
Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz>
|
||||
B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E
|
||||
keyring = http://www.squid-cache.org/pgp.asc
|
||||
keyserver = pool.sks-keyservers.net
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAlvU1qAACgkQzW2/jvOx
|
||||
fT5Y3Q//R3/ZtDHal9H9c4VUB1fEzkk22JfgXTzRRUdzNkN+XxDkVGmM9R0E0Opo
|
||||
9E/lsE9PcLX1EBtBXbPfwLESzfMe4QJgqq1B4FocpJcdtfCQX6ADU4Qdfc+oo8Z1
|
||||
J/xCf8XrU3yUgXn3pMnQ9DT+IuPYe+Jte7Awm148mC15GMC49NBAYAd793XZ+L2t
|
||||
fVPCbVYA40AU3xVJkxlblh7O0E8UEQ7zQMxcXM2jJJ4jJOjqecOIoJt6lyPD59q3
|
||||
UjD0EmcjTj54BpaU8r++kAc2TkLyBvFV1vWQuQRNG5IAMEOF3H8OfujCXl3lX9fD
|
||||
Tvi9763f9LxdImLJttkzgTt20XAudlUmKOdpj6t1uF+7EmNJg/ChowyLsLzlLLST
|
||||
1mGNdcUdP9VhX2aoTXN/ctn8BTQ/cNIx2VY8kKWsXB+ymFcCJRBW1cBAr3R+UzuX
|
||||
KVlsDzlxP6Dp8EFvKN3sIbM/QtpstKgbTkxro7d9XBkeldsasd5uI2Yt5PSMIs+y
|
||||
VtscqCnwDjxAIW6FNqB96J4hcOYECdWHDL3s46wEDnQaiR0IdBAN5QHn1imzM5e1
|
||||
eHuwZimqBW6vE4rPnVpPIr1Gml5OlLl3te2jsbUVmBiOwDVlQLZJQGzI5UTazvnN
|
||||
eR3QeTW+ggSAdVc6GEApELARfKPRxywLQTOlAhEPn0xayy4ByME=
|
||||
=1eSQ
|
||||
-----END PGP SIGNATURE-----
|
@ -4,14 +4,15 @@ Documentation=man:squid(8)
|
||||
After=network.target network-online.target nss-lookup.target
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
Type=notify
|
||||
LimitNOFILE=16384
|
||||
PIDFile=/run/squid.pid
|
||||
EnvironmentFile=/etc/sysconfig/squid
|
||||
ExecStartPre=/usr/libexec/squid/cache_swap.sh
|
||||
ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF
|
||||
ExecReload=/usr/sbin/squid $SQUID_OPTS -k reconfigure -f $SQUID_CONF
|
||||
ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF
|
||||
TimeoutSec=0
|
||||
ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF}
|
||||
ExecReload=/usr/bin/kill -HUP $MAINPID
|
||||
KillMode=mixed
|
||||
NotifyAccess=all
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
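Review bot: `NotifyAccess=all` in the `[Service]` hunk lets every process in the unit's control group send notification messages to systemd, and that group includes the helpers squid spawns as well as the `ExecStartPre` script. If the process started by `ExecStart` is the one that reports readiness, `NotifyAccess=main` is the tighter setting. If Squid signals readiness from a forked worker, `all` has to stay and deserves a comment such as `# NotifyAccess=all: READY=1 is sent by a squid kid process, not the ExecStart PID`. The old `ExecStop=` and `TimeoutSec=0` lines appear to be dropped, although the rendering has lost the +/- markers. If so, shutdown relies on `KillMode=mixed` and the default stop timeout, which is worth checking against a large cache.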
@ -1,8 +1,8 @@
|
||||
%define __perl_requires %{SOURCE98}
|
||||
|
||||
Name: squid
|
||||
Version: 4.4
|
||||
Release: 8%{?dist}
|
||||
Version: 4.11
|
||||
Release: 1%{?dist}
|
||||
Summary: The Squid proxy caching server
|
||||
Epoch: 7
|
||||
# See CREDITS for breakdown of non GPLv2+ code
|
||||
@ -26,23 +26,17 @@ Source98: perl-requires-squid.sh
|
||||
# Local patches
|
||||
# Applying upstream patches first makes it less likely that local patches
|
||||
# will break upstream ones.
|
||||
Patch201: squid-4.0.11-config.patch
|
||||
Patch202: squid-3.1.0.9-location.patch
|
||||
Patch203: squid-3.0.STABLE1-perlpath.patch
|
||||
Patch204: squid-3.5.9-include-guards.patch
|
||||
Patch205: squid-4.0.21-large-acl.patch
|
||||
Patch201: squid-4.11-config.patch
|
||||
Patch202: squid-4.11-location.patch
|
||||
Patch203: squid-4.11-perlpath.patch
|
||||
Patch204: squid-4.11-include-guards.patch
|
||||
Patch205: squid-4.11-large-acl.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=980511
|
||||
Patch206: squid-4.4.0-active-ftp.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1612524
|
||||
Patch207: squid-4.4.0-man-pages.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1691741
|
||||
Patch208: squid-4.4.0-lower-cachepeer.patch
|
||||
Patch206: squid-4.11-active-ftp.patch
|
||||
# https://github.com/squid-cache/squid/commit/c26cd1cb6a60ff196ef13c00e82576d3bfeb2e30
|
||||
Patch207: squid-4.11-systemd.patch
|
||||
|
||||
# Security fixes
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1729436
|
||||
Patch500: squid-4.4.0-CVE-2019-13345.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1738485
|
||||
Patch501: squid-4.4.0-CVE-2019-12527.patch
|
||||
|
||||
Requires: bash >= 2.0
|
||||
Requires(pre): shadow-utils
|
||||
@ -72,6 +66,8 @@ BuildRequires: perl-generators
|
||||
# For test suite
|
||||
BuildRequires: pkgconfig(cppunit)
|
||||
BuildRequires: autoconf
|
||||
# systemd notify
|
||||
BuildRequires: systemd-devel
|
||||
|
||||
%description
|
||||
Squid is a high-performance proxy caching server for Web clients,
|
||||
@ -96,14 +92,10 @@ lookup program (dnsserver), a program for retrieving FTP data
|
||||
%patch201 -p1 -b .config
|
||||
%patch202 -p1 -b .location
|
||||
%patch203 -p1 -b .perlpath
|
||||
%patch204 -p0 -b .include-guards
|
||||
%patch204 -p1 -b .include-guards
|
||||
%patch205 -p1 -b .large_acl
|
||||
%patch206 -p1 -b .active-ftp
|
||||
%patch207 -p1 -b .man-pages
|
||||
%patch208 -p1 -b .lower-cachepeer
|
||||
|
||||
%patch500 -p1 -b .CVE-2019-13345
|
||||
%patch501 -p1 -b .CVE-2019-12527
|
||||
%patch207 -p1 -b .systemd
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526
|
||||
# Patch in the vendor documentation and used different location for documentation
|
||||
@ -320,6 +312,47 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu May 07 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-1
|
||||
- new version 4.11
|
||||
- libsystemd integration
|
||||
- Resolves: #1829467 - squid:4 rebase
|
||||
- Resolves: #1828378 - CVE-2019-12521 squid:4/squid: off-by-one error in
|
||||
addStackElement allows for a heap buffer overflow and a crash
|
||||
- Resolves: #1828377 - CVE-2019-12520 squid:4/squid: improper input validation
|
||||
in request allows for proxy manipulation
|
||||
- Resolves: #1828375 - CVE-2019-12524 squid:4/squid: improper access restriction
|
||||
in url_regex may lead to security bypass
|
||||
- Resolves: #1820664 - CVE-2019-18860 squid: mishandles HTML in the host
|
||||
parameter to cachemgr.cgi which could result in squid behaving in unsecure way
|
||||
- Resolves: #1802514 - CVE-2020-8449 squid:4/squid: Improper input validation
|
||||
issues in HTTP Request processing
|
||||
- Resolves: #1802513 - CVE-2020-8450 squid:4/squid: Buffer overflow in a Squid
|
||||
acting as reverse-proxy
|
||||
- Resolves: #1802512 - CVE-2019-12528 squid:4/squid: Information Disclosure
|
||||
issue in FTP Gateway
|
||||
- Resolves: #1771288 - CVE-2019-18678 squid:4/squid: HTTP Request Splitting
|
||||
issue in HTTP message processing
|
||||
- Resolves: #1771283 - CVE-2019-18679 squid:4/squid: Information Disclosure
|
||||
issue in HTTP Digest Authentication
|
||||
- Resolves: #1771280 - CVE-2019-18677 squid:4/squid: Cross-Site Request Forgery
|
||||
issue in HTTP Request processing
|
||||
- Resolves: #1771275 - CVE-2019-12523 squid:4/squid: Improper input validation
|
||||
in URI processor
|
||||
- Resolves: #1771272 - CVE-2019-18676 squid:4/squid: Buffer overflow in URI
|
||||
processor
|
||||
- Resolves: #1771264 - CVE-2019-12526 squid:4/squid: Heap overflow issue in URN
|
||||
processing
|
||||
- Resolves: #1738581 - CVE-2019-12529 squid: OOB read in Proxy-Authorization
|
||||
header causes DoS
|
||||
|
||||
* Tue Apr 28 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-9
|
||||
- Resolves: #1738583 - CVE-2019-12525 squid:4/squid: parsing of header
|
||||
Proxy-Authentication leads to memory corruption
|
||||
- Resolves: #1828369 - CVE-2020-11945 squid: improper access restriction upon
|
||||
Digest Authentication nonce replay could lead to remote code execution
|
||||
- Resolves: #1828370 - CVE-2019-12519 squid: improper check for new member in
|
||||
ESIExpression::Evaluate allows for stack buffer overflow
|
||||
|
||||
* Fri Aug 23 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-8
|
||||
- Resolves: # 1738485 - CVE-2019-12527 squid:4/squid: heap-based buffer overflow
|
||||
in HttpHeader::getAuth
|
||||
|
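Review bot: Nothing in the visible `%prep` hunk (`%patch201` through `%patch207`) checks the imported `squid-4.11.tar.xz.asc` against the tarball, so as far as this page shows the signature is carried but never verified at build time. The only pin is the SHA-1 line in the metadata file. The `%setup` part lies outside the hunk; if it does not already verify, I would list the upstream keyring as a Source and run `%{gpgverify} --keyring='%{SOURCE<keyring>}' --signature='%{SOURCE<asc>}' --data='%{SOURCE<tarball>}'` before `%setup`, or an equivalent `gpgv --keyring` call where that macro is not available (the Source numbers are placeholders). The .asc header names an `http://` keyring URL and a keyserver pool, so the keyring should be fetched once, compared with the fingerprint printed there, and committed next to the sources rather than downloaded during the build.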