import RHEL 10 Beta squid-6.10-1.el10
This commit is contained in:
		
							parent
							
								
									fc71adfc98
								
							
						
					
					
						commit
						1e3863fd14
					
				
							
								
								
									
										2
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										2
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @ -1 +1 @@ | |||||||
| SOURCES/squid-4.15.tar.xz | squid-6.10.tar.xz | ||||||
|  | |||||||
| @ -1 +0,0 @@ | |||||||
| 60bda34ba39657e2d870c8c1d2acece8a69c3075 SOURCES/squid-4.15.tar.xz |  | ||||||
| @ -1,127 +0,0 @@ | |||||||
| diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc
 |  | ||||||
| index b665bcf..d287e55 100644
 |  | ||||||
| --- a/src/clients/FtpClient.cc
 |  | ||||||
| +++ b/src/clients/FtpClient.cc
 |  | ||||||
| @@ -778,7 +778,8 @@ Ftp::Client::connectDataChannel()
 |  | ||||||
|  bool |  | ||||||
|  Ftp::Client::openListenSocket() |  | ||||||
|  { |  | ||||||
| -    return false;
 |  | ||||||
| +    debugs(9, 3, HERE);
 |  | ||||||
| +	  return false;
 |  | ||||||
|  } |  | ||||||
|   |  | ||||||
|  /// creates a data channel Comm close callback |  | ||||||
| diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h
 |  | ||||||
| index a76a5a0..218d696 100644
 |  | ||||||
| --- a/src/clients/FtpClient.h
 |  | ||||||
| +++ b/src/clients/FtpClient.h
 |  | ||||||
| @@ -118,7 +118,7 @@ public:
 |  | ||||||
|      bool sendPort(); |  | ||||||
|      bool sendPassive(); |  | ||||||
|      void connectDataChannel(); |  | ||||||
| -    bool openListenSocket();
 |  | ||||||
| +    virtual bool openListenSocket();
 |  | ||||||
|      void switchTimeoutToDataChannel(); |  | ||||||
|   |  | ||||||
|      CtrlChannel ctrl; ///< FTP control channel state |  | ||||||
| diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
 |  | ||||||
| index 411bce9..31d3e36 100644
 |  | ||||||
| --- a/src/clients/FtpGateway.cc
 |  | ||||||
| +++ b/src/clients/FtpGateway.cc
 |  | ||||||
| @@ -87,6 +87,13 @@ struct GatewayFlags {
 |  | ||||||
|  class Gateway; |  | ||||||
|  typedef void (StateMethod)(Ftp::Gateway *); |  | ||||||
|   |  | ||||||
| +} // namespace FTP
 |  | ||||||
| +
 |  | ||||||
| +static void ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback);
 |  | ||||||
| +
 |  | ||||||
| +namespace Ftp
 |  | ||||||
| +{
 |  | ||||||
| +
 |  | ||||||
|  /// FTP Gateway: An FTP client that takes an HTTP request with an ftp:// URI, |  | ||||||
|  /// converts it into one or more FTP commands, and then |  | ||||||
|  /// converts one or more FTP responses into the final HTTP response. |  | ||||||
| @@ -137,7 +144,11 @@ public:
 |  | ||||||
|   |  | ||||||
|      /// create a data channel acceptor and start listening. |  | ||||||
|      void listenForDataChannel(const Comm::ConnectionPointer &conn); |  | ||||||
| -
 |  | ||||||
| +    virtual bool openListenSocket() {
 |  | ||||||
| +    		debugs(9, 3, HERE);
 |  | ||||||
| +				ftpOpenListenSocket(this, 0);
 |  | ||||||
| +        return Comm::IsConnOpen(data.conn);
 |  | ||||||
| +		}
 |  | ||||||
|      int checkAuth(const HttpHeader * req_hdr); |  | ||||||
|      void checkUrlpath(); |  | ||||||
|      void buildTitleUrl(); |  | ||||||
| @@ -1787,6 +1798,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback)
 |  | ||||||
|      } |  | ||||||
|   |  | ||||||
|      ftpState->listenForDataChannel(temp); |  | ||||||
| +    ftpState->data.listenConn = temp;
 |  | ||||||
|  } |  | ||||||
|   |  | ||||||
|  static void |  | ||||||
| @@ -1822,13 +1834,19 @@ ftpSendPORT(Ftp::Gateway * ftpState)
 |  | ||||||
|      // pull out the internal IP address bytes to send in PORT command... |  | ||||||
|      // source them from the listen_conn->local |  | ||||||
|   |  | ||||||
| +    struct sockaddr_in addr;
 |  | ||||||
| +    socklen_t addrlen = sizeof(addr);
 |  | ||||||
| +    getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
 |  | ||||||
| +    unsigned char port_high = ntohs(addr.sin_port) >> 8;
 |  | ||||||
| +    unsigned char port_low  = ntohs(addr.sin_port) & 0xff;
 |  | ||||||
| +
 |  | ||||||
|      struct addrinfo *AI = NULL; |  | ||||||
|      ftpState->data.listenConn->local.getAddrInfo(AI, AF_INET); |  | ||||||
|      unsigned char *addrptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_addr; |  | ||||||
| -    unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
 |  | ||||||
| +    // unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
 |  | ||||||
|      snprintf(cbuf, CTRL_BUFLEN, "PORT %d,%d,%d,%d,%d,%d\r\n", |  | ||||||
|               addrptr[0], addrptr[1], addrptr[2], addrptr[3], |  | ||||||
| -             portptr[0], portptr[1]);
 |  | ||||||
| +             port_high, port_low);
 |  | ||||||
|      ftpState->writeCommand(cbuf); |  | ||||||
|      ftpState->state = Ftp::Client::SENT_PORT; |  | ||||||
|   |  | ||||||
| @@ -1881,14 +1899,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState)
 |  | ||||||
|          return; |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| +
 |  | ||||||
| +    unsigned int port;
 |  | ||||||
| +    struct sockaddr_storage addr;
 |  | ||||||
| +    socklen_t addrlen = sizeof(addr);
 |  | ||||||
| +    getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
 |  | ||||||
| +    if (addr.ss_family == AF_INET) {
 |  | ||||||
| +        struct sockaddr_in *addr4 = (struct sockaddr_in*) &addr;
 |  | ||||||
| +        port = ntohs( addr4->sin_port );
 |  | ||||||
| +    } else {
 |  | ||||||
| +        struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &addr;
 |  | ||||||
| +        port = ntohs( addr6->sin6_port );
 |  | ||||||
| +    }
 |  | ||||||
| +
 |  | ||||||
|      char buf[MAX_IPSTRLEN]; |  | ||||||
|   |  | ||||||
|      /* RFC 2428 defines EPRT as IPv6 equivalent to IPv4 PORT command. */ |  | ||||||
|      /* Which can be used by EITHER protocol. */ |  | ||||||
| -    snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%d|\r\n",
 |  | ||||||
| +    snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%u|\r\n",
 |  | ||||||
|               ( ftpState->data.listenConn->local.isIPv6() ? 2 : 1 ), |  | ||||||
|               ftpState->data.listenConn->local.toStr(buf,MAX_IPSTRLEN), |  | ||||||
| -             ftpState->data.listenConn->local.port() );
 |  | ||||||
| +             port);
 |  | ||||||
|   |  | ||||||
|      ftpState->writeCommand(cbuf); |  | ||||||
|      ftpState->state = Ftp::Client::SENT_EPRT; |  | ||||||
| @@ -1907,7 +1938,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState)
 |  | ||||||
|          ftpSendPORT(ftpState); |  | ||||||
|          return; |  | ||||||
|      } |  | ||||||
| -
 |  | ||||||
| +    ftpState->ctrl.message = NULL;
 |  | ||||||
|      ftpRestOrList(ftpState); |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| @ -1,143 +0,0 @@ | |||||||
| From 771908d313ee9c255adfb5e4fdba4d6797c18409 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Amos Jeffries <yadij@users.noreply.github.com> |  | ||||||
| Date: Thu, 7 Mar 2019 13:50:38 +0000 |  | ||||||
| Subject: [PATCH] Bug 4928: Cannot convert non-IPv4 to IPv4 (#379) |  | ||||||
| 
 |  | ||||||
| ... when reaching client_ip_max_connections |  | ||||||
| 
 |  | ||||||
| The client_ip_max_connections limit is checked before the TCP dst-IP is located for the newly received TCP connection. This leaves Squid unable to fetch the NFMARK or similar |  | ||||||
| details later on (they do not exist for [::]). |  | ||||||
| 
 |  | ||||||
| Move client_ip_max_connections test later in the TCP accept process to ensure dst-IP is known when the error is produced. |  | ||||||
| ---
 |  | ||||||
|  src/comm/TcpAcceptor.cc | 82 ++++++++++++++++++++--------------------- |  | ||||||
|  1 file changed, 39 insertions(+), 43 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/src/comm/TcpAcceptor.cc b/src/comm/TcpAcceptor.cc
 |  | ||||||
| index d4b576d..936aa30 100644
 |  | ||||||
| --- a/src/comm/TcpAcceptor.cc
 |  | ||||||
| +++ b/src/comm/TcpAcceptor.cc
 |  | ||||||
| @@ -282,7 +282,16 @@ Comm::TcpAcceptor::acceptOne()
 |  | ||||||
|      ConnectionPointer newConnDetails = new Connection(); |  | ||||||
|      const Comm::Flag flag = oldAccept(newConnDetails); |  | ||||||
|   |  | ||||||
| -    if (flag == Comm::COMM_ERROR) {
 |  | ||||||
| +    /* Check for errors */
 |  | ||||||
| +    if (!newConnDetails->isOpen()) {
 |  | ||||||
| +
 |  | ||||||
| +        if (flag == Comm::NOMESSAGE) {
 |  | ||||||
| +            /* register interest again */
 |  | ||||||
| +            debugs(5, 5, HERE << "try later: " << conn << " handler Subscription: " << theCallSub);
 |  | ||||||
| +            SetSelect(conn->fd, COMM_SELECT_READ, doAccept, this, 0);
 |  | ||||||
| +            return;
 |  | ||||||
| +        }
 |  | ||||||
| +
 |  | ||||||
|          // A non-recoverable error; notify the caller */ |  | ||||||
|          debugs(5, 5, HERE << "non-recoverable error:" << status() << " handler Subscription: " << theCallSub); |  | ||||||
|          if (intendedForUserConnections()) |  | ||||||
| @@ -292,16 +301,12 @@ Comm::TcpAcceptor::acceptOne()
 |  | ||||||
|          return; |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| -    if (flag == Comm::NOMESSAGE) {
 |  | ||||||
| -        /* register interest again */
 |  | ||||||
| -        debugs(5, 5, "try later: " << conn << " handler Subscription: " << theCallSub);
 |  | ||||||
| -    } else {
 |  | ||||||
| -        debugs(5, 5, "Listener: " << conn <<
 |  | ||||||
| -               " accepted new connection " << newConnDetails <<
 |  | ||||||
| -               " handler Subscription: " << theCallSub);
 |  | ||||||
| -        notify(flag, newConnDetails);
 |  | ||||||
| -    }
 |  | ||||||
| +    newConnDetails->nfmark = Ip::Qos::getNfmarkFromConnection(newConnDetails, Ip::Qos::dirAccepted);
 |  | ||||||
|   |  | ||||||
| +    debugs(5, 5, HERE << "Listener: " << conn <<
 |  | ||||||
| +           " accepted new connection " << newConnDetails <<
 |  | ||||||
| +           " handler Subscription: " << theCallSub);
 |  | ||||||
| +    notify(flag, newConnDetails);
 |  | ||||||
|      SetSelect(conn->fd, COMM_SELECT_READ, doAccept, this, 0); |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| @@ -341,8 +346,8 @@ Comm::TcpAcceptor::notify(const Comm::Flag flag, const Comm::ConnectionPointer &
 |  | ||||||
|   * |  | ||||||
|   * \retval Comm::OK          success. details parameter filled. |  | ||||||
|   * \retval Comm::NOMESSAGE   attempted accept() but nothing useful came in. |  | ||||||
| - *                           Or this client has too many connections already.
 |  | ||||||
|   * \retval Comm::COMM_ERROR  an outright failure occurred. |  | ||||||
| + *                           Or this client has too many connections already.
 |  | ||||||
|   */ |  | ||||||
|  Comm::Flag |  | ||||||
|  Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details) |  | ||||||
| @@ -383,6 +388,15 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
 |  | ||||||
|   |  | ||||||
|      details->remote = *gai; |  | ||||||
|   |  | ||||||
| +    if ( Config.client_ip_max_connections >= 0) {
 |  | ||||||
| +        if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) {
 |  | ||||||
| +            debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections.");
 |  | ||||||
| +            Ip::Address::FreeAddr(gai);
 |  | ||||||
| +            PROF_stop(comm_accept);
 |  | ||||||
| +            return Comm::COMM_ERROR;
 |  | ||||||
| +        }
 |  | ||||||
| +    }
 |  | ||||||
| +
 |  | ||||||
|      // lookup the local-end details of this new connection |  | ||||||
|      Ip::Address::InitAddr(gai); |  | ||||||
|      details->local.setEmpty(); |  | ||||||
| @@ -396,6 +410,23 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
 |  | ||||||
|      details->local = *gai; |  | ||||||
|      Ip::Address::FreeAddr(gai); |  | ||||||
|   |  | ||||||
| +    /* fdstat update */
 |  | ||||||
| +    fdd_table[sock].close_file = NULL;
 |  | ||||||
| +    fdd_table[sock].close_line = 0;
 |  | ||||||
| +
 |  | ||||||
| +    fde *F = &fd_table[sock];
 |  | ||||||
| +    details->remote.toStr(F->ipaddr,MAX_IPSTRLEN);
 |  | ||||||
| +    F->remote_port = details->remote.port();
 |  | ||||||
| +    F->local_addr = details->local;
 |  | ||||||
| +    F->sock_family = details->local.isIPv6()?AF_INET6:AF_INET;
 |  | ||||||
| +
 |  | ||||||
| +    // set socket flags
 |  | ||||||
| +    commSetCloseOnExec(sock);
 |  | ||||||
| +    commSetNonBlocking(sock);
 |  | ||||||
| +
 |  | ||||||
| +    /* IFF the socket is (tproxy) transparent, pass the flag down to allow spoofing */
 |  | ||||||
| +    F->flags.transparent = fd_table[conn->fd].flags.transparent; // XXX: can we remove this line yet?
 |  | ||||||
| +
 |  | ||||||
|      // Perform NAT or TPROXY operations to retrieve the real client/dest IP addresses |  | ||||||
|      if (conn->flags&(COMM_TRANSPARENT|COMM_INTERCEPTION) && !Ip::Interceptor.Lookup(details, conn)) { |  | ||||||
|          debugs(50, DBG_IMPORTANT, "ERROR: NAT/TPROXY lookup failed to locate original IPs on " << details); |  | ||||||
| @@ -414,33 +445,6 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
 |  | ||||||
|      } |  | ||||||
|  #endif |  | ||||||
|   |  | ||||||
| -    details->nfmark = Ip::Qos::getNfmarkFromConnection(details, Ip::Qos::dirAccepted);
 |  | ||||||
| -
 |  | ||||||
| -    if (Config.client_ip_max_connections >= 0) {
 |  | ||||||
| -        if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) {
 |  | ||||||
| -            debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections.");
 |  | ||||||
| -            PROF_stop(comm_accept);
 |  | ||||||
| -            return Comm::NOMESSAGE;
 |  | ||||||
| -        }
 |  | ||||||
| -    }
 |  | ||||||
| -
 |  | ||||||
| -    /* fdstat update */
 |  | ||||||
| -    fdd_table[sock].close_file = NULL;
 |  | ||||||
| -    fdd_table[sock].close_line = 0;
 |  | ||||||
| -
 |  | ||||||
| -    fde *F = &fd_table[sock];
 |  | ||||||
| -    details->remote.toStr(F->ipaddr,MAX_IPSTRLEN);
 |  | ||||||
| -    F->remote_port = details->remote.port();
 |  | ||||||
| -    F->local_addr = details->local;
 |  | ||||||
| -    F->sock_family = details->local.isIPv6()?AF_INET6:AF_INET;
 |  | ||||||
| -
 |  | ||||||
| -    // set socket flags
 |  | ||||||
| -    commSetCloseOnExec(sock);
 |  | ||||||
| -    commSetNonBlocking(sock);
 |  | ||||||
| -
 |  | ||||||
| -    /* IFF the socket is (tproxy) transparent, pass the flag down to allow spoofing */
 |  | ||||||
| -    F->flags.transparent = fd_table[conn->fd].flags.transparent; // XXX: can we remove this line yet?
 |  | ||||||
| -
 |  | ||||||
|      PROF_stop(comm_accept); |  | ||||||
|      return Comm::OK; |  | ||||||
|  } |  | ||||||
| @ -1,41 +0,0 @@ | |||||||
| diff --git a/compat/os/linux.h b/compat/os/linux.h
 |  | ||||||
| index 0ff05c6..d51389b 100644
 |  | ||||||
| --- a/compat/os/linux.h
 |  | ||||||
| +++ b/compat/os/linux.h
 |  | ||||||
| @@ -44,6 +44,36 @@
 |  | ||||||
|  #include <netinet/in.h> |  | ||||||
|  #endif |  | ||||||
|   |  | ||||||
| +/*
 |  | ||||||
| + * Netfilter header madness. (see Bug 4323)
 |  | ||||||
| + *
 |  | ||||||
| + * Netfilter have a history of defining their own versions of network protocol
 |  | ||||||
| + * primitives without sufficient protection against the POSIX defines which are
 |  | ||||||
| + * aways present in Linux.
 |  | ||||||
| + *
 |  | ||||||
| + * netinet/in.h must be included before any other sys header in order to properly
 |  | ||||||
| + * activate include guards in <linux/libc-compat.h> the kernel maintainers added
 |  | ||||||
| + * to workaround it.
 |  | ||||||
| + */
 |  | ||||||
| +#if HAVE_NETINET_IN_H
 |  | ||||||
| +#include <netinet/in.h>
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
| +/*
 |  | ||||||
| + * Netfilter header madness. (see Bug 4323)
 |  | ||||||
| + *
 |  | ||||||
| + * Netfilter have a history of defining their own versions of network protocol
 |  | ||||||
| + * primitives without sufficient protection against the POSIX defines which are
 |  | ||||||
| + * aways present in Linux.
 |  | ||||||
| + *
 |  | ||||||
| + * netinet/in.h must be included before any other sys header in order to properly
 |  | ||||||
| + * activate include guards in <linux/libc-compat.h> the kernel maintainers added
 |  | ||||||
| + * to workaround it.
 |  | ||||||
| + */
 |  | ||||||
| +#if HAVE_NETINET_IN_H
 |  | ||||||
| +#include <netinet/in.h>
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
|  /* |  | ||||||
|   * sys/capability.h is only needed in Linux apparently. |  | ||||||
|   * |  | ||||||
| @ -1,178 +0,0 @@ | |||||||
| diff --git a/src/acl/RegexData.cc b/src/acl/RegexData.cc
 |  | ||||||
| index 01a4c12..b5c1679 100644
 |  | ||||||
| --- a/src/acl/RegexData.cc
 |  | ||||||
| +++ b/src/acl/RegexData.cc
 |  | ||||||
| @@ -22,6 +22,7 @@
 |  | ||||||
|  #include "ConfigParser.h" |  | ||||||
|  #include "Debug.h" |  | ||||||
|  #include "sbuf/List.h" |  | ||||||
| +#include "sbuf/Algorithms.h"
 |  | ||||||
|   |  | ||||||
|  ACLRegexData::~ACLRegexData() |  | ||||||
|  { |  | ||||||
| @@ -129,6 +130,18 @@ compileRE(std::list<RegexPattern> &curlist, const char * RE, int flags)
 |  | ||||||
|      return true; |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| +static bool
 |  | ||||||
| +compileRE(std::list<RegexPattern> &curlist, const SBufList &RE, int flags)
 |  | ||||||
| +{
 |  | ||||||
| +	if (RE.empty())
 |  | ||||||
| +		return curlist.empty(); // XXX: old code did this. It looks wrong.
 |  | ||||||
| +	SBuf regexp;
 |  | ||||||
| +	static const SBuf openparen("("), closeparen(")"), separator(")|(");
 |  | ||||||
| +	JoinContainerIntoSBuf(regexp, RE.begin(), RE.end(), separator, openparen,
 |  | ||||||
| +			closeparen);
 |  | ||||||
| +	return compileRE(curlist, regexp.c_str(), flags);
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
|  /** Compose and compile one large RE from a set of (small) REs. |  | ||||||
|   * The ultimate goal is to have only one RE per ACL so that match() is |  | ||||||
|   * called only once per ACL. |  | ||||||
| @@ -137,16 +150,11 @@ static int
 |  | ||||||
|  compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl) |  | ||||||
|  { |  | ||||||
|      std::list<RegexPattern> newlist; |  | ||||||
| -    int numREs = 0;
 |  | ||||||
| +    SBufList accumulatedRE;
 |  | ||||||
| +    int numREs = 0, reSize = 0;
 |  | ||||||
|      int flags = REG_EXTENDED | REG_NOSUB; |  | ||||||
| -    int largeREindex = 0;
 |  | ||||||
| -    char largeRE[BUFSIZ];
 |  | ||||||
| -    *largeRE = 0;
 |  | ||||||
|   |  | ||||||
|      for (const SBuf & configurationLineWord : sl) { |  | ||||||
| -        int RElen;
 |  | ||||||
| -        RElen = configurationLineWord.length();
 |  | ||||||
| -
 |  | ||||||
|          static const SBuf minus_i("-i"); |  | ||||||
|          static const SBuf plus_i("+i"); |  | ||||||
|          if (configurationLineWord == minus_i) { |  | ||||||
| @@ -155,10 +163,11 @@ compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
 |  | ||||||
|                  debugs(28, 2, "optimisation of -i ... -i" ); |  | ||||||
|              } else { |  | ||||||
|                  debugs(28, 2, "-i" ); |  | ||||||
| -                if (!compileRE(newlist, largeRE, flags))
 |  | ||||||
| +                if (!compileRE(newlist, accumulatedRE, flags))
 |  | ||||||
|                      return 0; |  | ||||||
|                  flags |= REG_ICASE; |  | ||||||
| -                largeRE[largeREindex=0] = '\0';
 |  | ||||||
| +                accumulatedRE.clear();
 |  | ||||||
| +                reSize = 0;
 |  | ||||||
|              } |  | ||||||
|          } else if (configurationLineWord == plus_i) { |  | ||||||
|              if ((flags & REG_ICASE) == 0) { |  | ||||||
| @@ -166,37 +175,34 @@ compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
 |  | ||||||
|                  debugs(28, 2, "optimisation of +i ... +i"); |  | ||||||
|              } else { |  | ||||||
|                  debugs(28, 2, "+i"); |  | ||||||
| -                if (!compileRE(newlist, largeRE, flags))
 |  | ||||||
| +                if (!compileRE(newlist, accumulatedRE, flags))
 |  | ||||||
|                      return 0; |  | ||||||
|                  flags &= ~REG_ICASE; |  | ||||||
| -                largeRE[largeREindex=0] = '\0';
 |  | ||||||
| +                accumulatedRE.clear();
 |  | ||||||
| +                reSize = 0;
 |  | ||||||
|              } |  | ||||||
| -        } else if (RElen + largeREindex + 3 < BUFSIZ-1) {
 |  | ||||||
| +        } else if (reSize < 1024) {
 |  | ||||||
|              debugs(28, 2, "adding RE '" << configurationLineWord << "'"); |  | ||||||
| -            if (largeREindex > 0) {
 |  | ||||||
| -                largeRE[largeREindex] = '|';
 |  | ||||||
| -                ++largeREindex;
 |  | ||||||
| -            }
 |  | ||||||
| -            largeRE[largeREindex] = '(';
 |  | ||||||
| -            ++largeREindex;
 |  | ||||||
| -            configurationLineWord.copy(largeRE+largeREindex, BUFSIZ-largeREindex);
 |  | ||||||
| -            largeREindex += configurationLineWord.length();
 |  | ||||||
| -            largeRE[largeREindex] = ')';
 |  | ||||||
| -            ++largeREindex;
 |  | ||||||
| -            largeRE[largeREindex] = '\0';
 |  | ||||||
| +            accumulatedRE.push_back(configurationLineWord);
 |  | ||||||
|              ++numREs; |  | ||||||
| +            reSize += configurationLineWord.length();
 |  | ||||||
|          } else { |  | ||||||
|              debugs(28, 2, "buffer full, generating new optimised RE..." ); |  | ||||||
| -            if (!compileRE(newlist, largeRE, flags))
 |  | ||||||
| +            accumulatedRE.push_back(configurationLineWord);
 |  | ||||||
| +            if (!compileRE(newlist, accumulatedRE, flags))
 |  | ||||||
|                  return 0; |  | ||||||
| -            largeRE[largeREindex=0] = '\0';
 |  | ||||||
| +            accumulatedRE.clear();
 |  | ||||||
| +            reSize = 0;
 |  | ||||||
|              continue;    /* do the loop again to add the RE to largeRE */ |  | ||||||
|          } |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| -    if (!compileRE(newlist, largeRE, flags))
 |  | ||||||
| +    if (!compileRE(newlist, accumulatedRE, flags))
 |  | ||||||
|          return 0; |  | ||||||
|   |  | ||||||
| +    accumulatedRE.clear();
 |  | ||||||
| +    reSize = 0;
 |  | ||||||
| +
 |  | ||||||
|      /* all was successful, so put the new list at the tail */ |  | ||||||
|      curlist.splice(curlist.end(), newlist); |  | ||||||
|   |  | ||||||
| diff --git a/src/sbuf/Algorithms.h b/src/sbuf/Algorithms.h
 |  | ||||||
| index 21ee889..338e9c0 100644
 |  | ||||||
| --- a/src/sbuf/Algorithms.h
 |  | ||||||
| +++ b/src/sbuf/Algorithms.h
 |  | ||||||
| @@ -81,6 +81,57 @@ SBufContainerJoin(const Container &items, const SBuf& separator)
 |  | ||||||
|      return rv; |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| +/** Join container of SBufs and append to supplied target
 |  | ||||||
| + *
 |  | ||||||
| + * append to the target SBuf all elements in the [begin,end) range from
 |  | ||||||
| + * an iterable container, prefixed by prefix, separated by separator and
 |  | ||||||
| + * followed by suffix. Prefix and suffix are added also in case of empty
 |  | ||||||
| + * iterable
 |  | ||||||
| + *
 |  | ||||||
| + * \return the modified dest
 |  | ||||||
| + */
 |  | ||||||
| +template <class ContainerIterator>
 |  | ||||||
| +SBuf&
 |  | ||||||
| +JoinContainerIntoSBuf(SBuf &dest, const ContainerIterator &begin,
 |  | ||||||
| +                      const ContainerIterator &end, const SBuf& separator,
 |  | ||||||
| +                      const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf())
 |  | ||||||
| +{
 |  | ||||||
| +    if (begin == end) {
 |  | ||||||
| +        dest.append(prefix).append(suffix);
 |  | ||||||
| +        return dest;
 |  | ||||||
| +    }
 |  | ||||||
| +
 |  | ||||||
| +    // optimization: pre-calculate needed storage
 |  | ||||||
| +    const SBuf::size_type totalContainerSize =
 |  | ||||||
| +        std::accumulate(begin, end, 0, SBufAddLength(separator)) +
 |  | ||||||
| +        dest.length() + prefix.length() + suffix.length();
 |  | ||||||
| +    SBufReservationRequirements req;
 |  | ||||||
| +    req.minSpace = totalContainerSize;
 |  | ||||||
| +    dest.reserve(req);
 |  | ||||||
| +
 |  | ||||||
| +    auto i = begin;
 |  | ||||||
| +    dest.append(prefix);
 |  | ||||||
| +    dest.append(*i);
 |  | ||||||
| +    ++i;
 |  | ||||||
| +    for (; i != end; ++i)
 |  | ||||||
| +        dest.append(separator).append(*i);
 |  | ||||||
| +    dest.append(suffix);
 |  | ||||||
| +    return dest;
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
| +
 |  | ||||||
| +/// convenience wrapper of JoinContainerIntoSBuf with no caller-supplied SBuf
 |  | ||||||
| +template <class ContainerIterator>
 |  | ||||||
| +SBuf
 |  | ||||||
| +JoinContainerToSBuf(const ContainerIterator &begin,
 |  | ||||||
| +                    const ContainerIterator &end, const SBuf& separator,
 |  | ||||||
| +                    const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf())
 |  | ||||||
| +{
 |  | ||||||
| +    SBuf rv;
 |  | ||||||
| +    return JoinContainerIntoSBuf(rv, begin, end, separator, prefix, suffix);
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
| +
 |  | ||||||
|  namespace std { |  | ||||||
|  /// default hash functor to support std::unordered_map<SBuf,*> |  | ||||||
|  template <> |  | ||||||
| @ -1,424 +0,0 @@ | |||||||
| commit b003a0da7865caa25b5d1e70c79329b32409b02a (HEAD -> refs/heads/v4, refs/remotes/origin/v4) |  | ||||||
| Author: Amos Jeffries <yadij@users.noreply.github.com> |  | ||||||
| Date:   2021-09-24 21:53:11 +0000 |  | ||||||
| 
 |  | ||||||
|     WCCP: Validate packets better (#899) |  | ||||||
|      |  | ||||||
|     Update WCCP to support exception based error handling for |  | ||||||
|     parsing and processing we are moving Squid to for protocol |  | ||||||
|     handling. |  | ||||||
|      |  | ||||||
|     Update the main WCCPv2 parsing checks to throw meaningful |  | ||||||
|     exceptions when detected. |  | ||||||
| 
 |  | ||||||
| diff --git a/src/wccp2.cc b/src/wccp2.cc
 |  | ||||||
| index ee592449c..6ef469e91 100644
 |  | ||||||
| --- a/src/wccp2.cc
 |  | ||||||
| +++ b/src/wccp2.cc
 |  | ||||||
| @@ -1108,6 +1108,59 @@ wccp2ConnectionClose(void)
 |  | ||||||
|   * Functions for handling the requests. |  | ||||||
|   */ |  | ||||||
|   |  | ||||||
| +/// Checks that the given area section ends inside the given (whole) area.
 |  | ||||||
| +/// \param error the message to throw when the section does not fit
 |  | ||||||
| +static void
 |  | ||||||
| +CheckSectionLength(const void *sectionStart, const size_t sectionLength, const void *wholeStart, const size_t wholeSize, const char *error)
 |  | ||||||
| +{
 |  | ||||||
| +    assert(sectionStart);
 |  | ||||||
| +    assert(wholeStart);
 |  | ||||||
| +
 |  | ||||||
| +    const auto wholeEnd = static_cast<const char*>(wholeStart) + wholeSize;
 |  | ||||||
| +    assert(sectionStart >= wholeStart && "we never go backwards");
 |  | ||||||
| +    assert(sectionStart <= wholeEnd && "we never go beyond our whole (but zero-sized fields are OK)");
 |  | ||||||
| +    static_assert(sizeof(wccp2_i_see_you_t) <= PTRDIFF_MAX, "paranoid: no UB when subtracting in-whole pointers");
 |  | ||||||
| +    // subtraction safe due to the three assertions above
 |  | ||||||
| +    const auto remainderDiff = wholeEnd - static_cast<const char*>(sectionStart);
 |  | ||||||
| +
 |  | ||||||
| +    // casting safe due to the assertions above (and size_t definition)
 |  | ||||||
| +    assert(remainderDiff >= 0);
 |  | ||||||
| +    const auto remainderSize = static_cast<size_t>(remainderDiff);
 |  | ||||||
| +
 |  | ||||||
| +    if (sectionLength <= remainderSize)
 |  | ||||||
| +        return;
 |  | ||||||
| +
 |  | ||||||
| +    throw TextException(error, Here());
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
| +/// Checks that the area contains at least dataLength bytes after the header.
 |  | ||||||
| +/// The size of the field header itself is not included in dataLength.
 |  | ||||||
| +/// \returns the total field size -- the field header and field data combined
 |  | ||||||
| +template<class FieldHeader>
 |  | ||||||
| +static size_t
 |  | ||||||
| +CheckFieldDataLength(const FieldHeader *header, const size_t dataLength, const void *areaStart, const size_t areaSize, const char *error)
 |  | ||||||
| +{
 |  | ||||||
| +    assert(header);
 |  | ||||||
| +    const auto dataStart = reinterpret_cast<const char*>(header) + sizeof(header);
 |  | ||||||
| +    CheckSectionLength(dataStart, dataLength, areaStart, areaSize, error);
 |  | ||||||
| +    return sizeof(header) + dataLength; // no overflow after CheckSectionLength()
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
| +/// Positions the given field at a given start within a given packet area.
 |  | ||||||
| +/// The Field type determines the correct field size (used for bounds checking).
 |  | ||||||
| +/// \param field the field pointer the function should set
 |  | ||||||
| +/// \param areaStart the start of a packet (sub)structure containing the field
 |  | ||||||
| +/// \param areaSize the size of the packet (sub)structure starting at areaStart
 |  | ||||||
| +/// \param fieldStart the start of a field within the given area
 |  | ||||||
| +/// \param error the message to throw when the field does not fit the area
 |  | ||||||
| +template<class Field>
 |  | ||||||
| +static void
 |  | ||||||
| +SetField(Field *&field, const void *fieldStart, const void *areaStart, const size_t areaSize, const char *error)
 |  | ||||||
| +{
 |  | ||||||
| +    CheckSectionLength(fieldStart, sizeof(Field), areaStart, areaSize, error);
 |  | ||||||
| +    field = static_cast<Field*>(const_cast<void*>(fieldStart));
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
|  /* |  | ||||||
|   * Accept the UDP packet |  | ||||||
|   */ |  | ||||||
| @@ -1124,8 +1177,6 @@ wccp2HandleUdp(int sock, void *)
 |  | ||||||
|   |  | ||||||
|      /* These structs form the parts of the packet */ |  | ||||||
|   |  | ||||||
| -    struct wccp2_item_header_t *header = NULL;
 |  | ||||||
| -
 |  | ||||||
|      struct wccp2_security_none_t *security_info = NULL; |  | ||||||
|   |  | ||||||
|      struct wccp2_service_info_t *service_info = NULL; |  | ||||||
| @@ -1141,14 +1192,13 @@ wccp2HandleUdp(int sock, void *)
 |  | ||||||
|      struct wccp2_cache_identity_info_t *cache_identity = NULL; |  | ||||||
|   |  | ||||||
|      struct wccp2_capability_info_header_t *router_capability_header = NULL; |  | ||||||
| +    char *router_capability_data_start = nullptr;
 |  | ||||||
|   |  | ||||||
|      struct wccp2_capability_element_t *router_capability_element; |  | ||||||
|   |  | ||||||
|      struct sockaddr_in from; |  | ||||||
|   |  | ||||||
|      struct in_addr cache_address; |  | ||||||
| -    int len, found;
 |  | ||||||
| -    short int data_length, offset;
 |  | ||||||
|      uint32_t tmp; |  | ||||||
|      char *ptr; |  | ||||||
|      int num_caches; |  | ||||||
| @@ -1161,20 +1211,18 @@ wccp2HandleUdp(int sock, void *)
 |  | ||||||
|      Ip::Address from_tmp; |  | ||||||
|      from_tmp.setIPv4(); |  | ||||||
|   |  | ||||||
| -    len = comm_udp_recvfrom(sock,
 |  | ||||||
| -                            &wccp2_i_see_you,
 |  | ||||||
| -                            WCCP_RESPONSE_SIZE,
 |  | ||||||
| -                            0,
 |  | ||||||
| -                            from_tmp);
 |  | ||||||
| +    const auto lenOrError = comm_udp_recvfrom(sock, &wccp2_i_see_you, WCCP_RESPONSE_SIZE, 0, from_tmp);
 |  | ||||||
|   |  | ||||||
| -    if (len < 0)
 |  | ||||||
| +    if (lenOrError < 0)
 |  | ||||||
|          return; |  | ||||||
| +    const auto len = static_cast<size_t>(lenOrError);
 |  | ||||||
|   |  | ||||||
| -    if (ntohs(wccp2_i_see_you.version) != WCCP2_VERSION)
 |  | ||||||
| -        return;
 |  | ||||||
| -
 |  | ||||||
| -    if (ntohl(wccp2_i_see_you.type) != WCCP2_I_SEE_YOU)
 |  | ||||||
| -        return;
 |  | ||||||
| +    try {
 |  | ||||||
| +        // TODO: Remove wccp2_i_see_you.data and use a buffer to read messages.
 |  | ||||||
| +        const auto message_header_size = sizeof(wccp2_i_see_you) - sizeof(wccp2_i_see_you.data);
 |  | ||||||
| +        Must2(len >= message_header_size, "incomplete WCCP message header");
 |  | ||||||
| +        Must2(ntohs(wccp2_i_see_you.version) == WCCP2_VERSION, "WCCP version unsupported");
 |  | ||||||
| +        Must2(ntohl(wccp2_i_see_you.type) == WCCP2_I_SEE_YOU, "WCCP packet type unsupported");
 |  | ||||||
|   |  | ||||||
|      /* FIXME INET6 : drop conversion boundary */ |  | ||||||
|      from_tmp.getSockAddr(from); |  | ||||||
| @@ -1182,73 +1230,60 @@ wccp2HandleUdp(int sock, void *)
 |  | ||||||
|      debugs(80, 3, "Incoming WCCPv2 I_SEE_YOU length " << ntohs(wccp2_i_see_you.length) << "."); |  | ||||||
|   |  | ||||||
|      /* Record the total data length */ |  | ||||||
| -    data_length = ntohs(wccp2_i_see_you.length);
 |  | ||||||
| +    const auto data_length = ntohs(wccp2_i_see_you.length);
 |  | ||||||
| +    Must2(data_length <= len - message_header_size,
 |  | ||||||
| +          "malformed packet claiming it's bigger than received data");
 |  | ||||||
|   |  | ||||||
| -    offset = 0;
 |  | ||||||
| -
 |  | ||||||
| -    if (data_length > len) {
 |  | ||||||
| -        debugs(80, DBG_IMPORTANT, "ERROR: Malformed WCCPv2 packet claiming it's bigger than received data");
 |  | ||||||
| -        return;
 |  | ||||||
| -    }
 |  | ||||||
| +    size_t offset = 0;
 |  | ||||||
|   |  | ||||||
|      /* Go through the data structure */ |  | ||||||
| -    while (data_length > offset) {
 |  | ||||||
| +    while (offset + sizeof(struct wccp2_item_header_t) <= data_length) {
 |  | ||||||
|   |  | ||||||
|          char *data = wccp2_i_see_you.data; |  | ||||||
|   |  | ||||||
| -        header = (struct wccp2_item_header_t *) &data[offset];
 |  | ||||||
| +        const auto itemHeader = reinterpret_cast<const wccp2_item_header_t*>(&data[offset]);
 |  | ||||||
| +        const auto itemSize = CheckFieldDataLength(itemHeader, ntohs(itemHeader->length),
 |  | ||||||
| +                              data, data_length, "truncated record");
 |  | ||||||
| +        // XXX: Check "The specified length must be a multiple of 4 octets"
 |  | ||||||
| +        // requirement to avoid unaligned memory reads after the first item.
 |  | ||||||
|   |  | ||||||
| -        switch (ntohs(header->type)) {
 |  | ||||||
| +        switch (ntohs(itemHeader->type)) {
 |  | ||||||
|   |  | ||||||
|          case WCCP2_SECURITY_INFO: |  | ||||||
| -
 |  | ||||||
| -            if (security_info != NULL) {
 |  | ||||||
| -                debugs(80, DBG_IMPORTANT, "Duplicate security definition");
 |  | ||||||
| -                return;
 |  | ||||||
| -            }
 |  | ||||||
| -
 |  | ||||||
| -            security_info = (struct wccp2_security_none_t *) &wccp2_i_see_you.data[offset];
 |  | ||||||
| +            Must2(!security_info, "duplicate security definition");
 |  | ||||||
| +            SetField(security_info, itemHeader, itemHeader, itemSize,
 |  | ||||||
| +                     "security definition truncated");
 |  | ||||||
|              break; |  | ||||||
|   |  | ||||||
|          case WCCP2_SERVICE_INFO: |  | ||||||
| -
 |  | ||||||
| -            if (service_info != NULL) {
 |  | ||||||
| -                debugs(80, DBG_IMPORTANT, "Duplicate service_info definition");
 |  | ||||||
| -                return;
 |  | ||||||
| -            }
 |  | ||||||
| -
 |  | ||||||
| -            service_info = (struct wccp2_service_info_t *) &wccp2_i_see_you.data[offset];
 |  | ||||||
| +            Must2(!service_info, "duplicate service_info definition");
 |  | ||||||
| +            SetField(service_info, itemHeader, itemHeader, itemSize,
 |  | ||||||
| +                     "service_info definition truncated");
 |  | ||||||
|              break; |  | ||||||
|   |  | ||||||
|          case WCCP2_ROUTER_ID_INFO: |  | ||||||
| -
 |  | ||||||
| -            if (router_identity_info != NULL) {
 |  | ||||||
| -                debugs(80, DBG_IMPORTANT, "Duplicate router_identity_info definition");
 |  | ||||||
| -                return;
 |  | ||||||
| -            }
 |  | ||||||
| -
 |  | ||||||
| -            router_identity_info = (struct router_identity_info_t *) &wccp2_i_see_you.data[offset];
 |  | ||||||
| +            Must2(!router_identity_info, "duplicate router_identity_info definition");
 |  | ||||||
| +            SetField(router_identity_info, itemHeader, itemHeader, itemSize,
 |  | ||||||
| +                     "router_identity_info definition truncated");
 |  | ||||||
|              break; |  | ||||||
|   |  | ||||||
|          case WCCP2_RTR_VIEW_INFO: |  | ||||||
| -
 |  | ||||||
| -            if (router_view_header != NULL) {
 |  | ||||||
| -                debugs(80, DBG_IMPORTANT, "Duplicate router_view definition");
 |  | ||||||
| -                return;
 |  | ||||||
| -            }
 |  | ||||||
| -
 |  | ||||||
| -            router_view_header = (struct router_view_t *) &wccp2_i_see_you.data[offset];
 |  | ||||||
| +            Must2(!router_view_header, "duplicate router_view definition");
 |  | ||||||
| +            SetField(router_view_header, itemHeader, itemHeader, itemSize,
 |  | ||||||
| +                     "router_view definition truncated");
 |  | ||||||
|              break; |  | ||||||
|   |  | ||||||
| -        case WCCP2_CAPABILITY_INFO:
 |  | ||||||
| -
 |  | ||||||
| -            if (router_capability_header != NULL) {
 |  | ||||||
| -                debugs(80, DBG_IMPORTANT, "Duplicate router_capability definition");
 |  | ||||||
| -                return;
 |  | ||||||
| -            }
 |  | ||||||
| +        case WCCP2_CAPABILITY_INFO: {
 |  | ||||||
| +            Must2(!router_capability_header, "duplicate router_capability definition");
 |  | ||||||
| +            SetField(router_capability_header, itemHeader, itemHeader, itemSize,
 |  | ||||||
| +                     "router_capability definition truncated");
 |  | ||||||
|   |  | ||||||
| -            router_capability_header = (struct wccp2_capability_info_header_t *) &wccp2_i_see_you.data[offset];
 |  | ||||||
| +            CheckFieldDataLength(router_capability_header, ntohs(router_capability_header->capability_info_length),
 |  | ||||||
| +                                 itemHeader, itemSize, "capability info truncated");
 |  | ||||||
| +            router_capability_data_start = reinterpret_cast<char*>(router_capability_header) +
 |  | ||||||
| +                                           sizeof(*router_capability_header);
 |  | ||||||
|              break; |  | ||||||
| +        }
 |  | ||||||
|   |  | ||||||
|          /* Nothing to do for the types below */ |  | ||||||
|   |  | ||||||
| @@ -1257,22 +1292,17 @@ wccp2HandleUdp(int sock, void *)
 |  | ||||||
|              break; |  | ||||||
|   |  | ||||||
|          default: |  | ||||||
| -            debugs(80, DBG_IMPORTANT, "Unknown record type in WCCPv2 Packet (" << ntohs(header->type) << ").");
 |  | ||||||
| +            debugs(80, DBG_IMPORTANT, "Unknown record type in WCCPv2 Packet (" << ntohs(itemHeader->type) << ").");
 |  | ||||||
|          } |  | ||||||
|   |  | ||||||
| -        offset += sizeof(struct wccp2_item_header_t);
 |  | ||||||
| -        offset += ntohs(header->length);
 |  | ||||||
| -
 |  | ||||||
| -        if (offset > data_length) {
 |  | ||||||
| -            debugs(80, DBG_IMPORTANT, "Error: WCCPv2 packet tried to tell us there is data beyond the end of the packet");
 |  | ||||||
| -            return;
 |  | ||||||
| -        }
 |  | ||||||
| +        offset += itemSize;
 |  | ||||||
| +        assert(offset <= data_length && "CheckFieldDataLength(itemHeader...) established that");
 |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| -    if ((security_info == NULL) || (service_info == NULL) || (router_identity_info == NULL) || (router_view_header == NULL)) {
 |  | ||||||
| -        debugs(80, DBG_IMPORTANT, "Incomplete WCCPv2 Packet");
 |  | ||||||
| -        return;
 |  | ||||||
| -    }
 |  | ||||||
| +    Must2(security_info, "packet missing security definition");
 |  | ||||||
| +    Must2(service_info, "packet missing service_info definition");
 |  | ||||||
| +    Must2(router_identity_info, "packet missing router_identity_info definition");
 |  | ||||||
| +    Must2(router_view_header, "packet missing router_view definition");
 |  | ||||||
|   |  | ||||||
|      debugs(80, 5, "Complete packet received"); |  | ||||||
|   |  | ||||||
| @@ -1308,10 +1338,7 @@ wccp2HandleUdp(int sock, void *)
 |  | ||||||
|              break; |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| -    if (router_list_ptr->next == NULL) {
 |  | ||||||
| -        debugs(80, DBG_IMPORTANT, "WCCPv2 Packet received from unknown router");
 |  | ||||||
| -        return;
 |  | ||||||
| -    }
 |  | ||||||
| +    Must2(router_list_ptr->next, "packet received from unknown router");
 |  | ||||||
|   |  | ||||||
|      /* Set the router id */ |  | ||||||
|      router_list_ptr->info->router_address = router_identity_info->router_id_element.router_address; |  | ||||||
| @@ -1331,11 +1358,20 @@ wccp2HandleUdp(int sock, void *)
 |  | ||||||
|          } |  | ||||||
|      } else { |  | ||||||
|   |  | ||||||
| -        char *end = ((char *) router_capability_header) + sizeof(*router_capability_header) + ntohs(router_capability_header->capability_info_length) - sizeof(struct wccp2_capability_info_header_t);
 |  | ||||||
| -
 |  | ||||||
| -        router_capability_element = (struct wccp2_capability_element_t *) (((char *) router_capability_header) + sizeof(*router_capability_header));
 |  | ||||||
| -
 |  | ||||||
| -        while ((char *) router_capability_element <= end) {
 |  | ||||||
| +        const auto router_capability_data_length = ntohs(router_capability_header->capability_info_length);
 |  | ||||||
| +        assert(router_capability_data_start);
 |  | ||||||
| +        const auto router_capability_data_end = router_capability_data_start +
 |  | ||||||
| +                                                router_capability_data_length;
 |  | ||||||
| +        for (auto router_capability_data_current = router_capability_data_start;
 |  | ||||||
| +                router_capability_data_current < router_capability_data_end;) {
 |  | ||||||
| +
 |  | ||||||
| +            SetField(router_capability_element, router_capability_data_current,
 |  | ||||||
| +                     router_capability_data_start, router_capability_data_length,
 |  | ||||||
| +                     "capability element header truncated");
 |  | ||||||
| +            const auto elementSize = CheckFieldDataLength(
 |  | ||||||
| +                                         router_capability_element, ntohs(router_capability_element->capability_length),
 |  | ||||||
| +                                         router_capability_data_start, router_capability_data_length,
 |  | ||||||
| +                                         "capability element truncated");
 |  | ||||||
|   |  | ||||||
|              switch (ntohs(router_capability_element->capability_type)) { |  | ||||||
|   |  | ||||||
| @@ -1377,7 +1413,7 @@ wccp2HandleUdp(int sock, void *)
 |  | ||||||
|                  debugs(80, DBG_IMPORTANT, "Unknown capability type in WCCPv2 Packet (" << ntohs(router_capability_element->capability_type) << ")."); |  | ||||||
|              } |  | ||||||
|   |  | ||||||
| -            router_capability_element = (struct wccp2_capability_element_t *) (((char *) router_capability_element) + sizeof(struct wccp2_item_header_t) + ntohs(router_capability_element->capability_length));
 |  | ||||||
| +            router_capability_data_current += elementSize;
 |  | ||||||
|          } |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| @@ -1396,23 +1432,34 @@ wccp2HandleUdp(int sock, void *)
 |  | ||||||
|      num_caches = 0; |  | ||||||
|   |  | ||||||
|      /* Check to see if we're the master cache and update the cache list */ |  | ||||||
| -    found = 0;
 |  | ||||||
| +    bool found = false;
 |  | ||||||
|      service_list_ptr->lowest_ip = 1; |  | ||||||
|      cache_list_ptr = &router_list_ptr->cache_list_head; |  | ||||||
|   |  | ||||||
|      /* to find the list of caches, we start at the end of the router view header */ |  | ||||||
|   |  | ||||||
|      ptr = (char *) (router_view_header) + sizeof(struct router_view_t); |  | ||||||
| +    const auto router_view_size = sizeof(struct router_view_t) +
 |  | ||||||
| +                                  ntohs(router_view_header->header.length);
 |  | ||||||
|   |  | ||||||
|      /* Then we read the number of routers */ |  | ||||||
| -    memcpy(&tmp, ptr, sizeof(tmp));
 |  | ||||||
| +    const uint32_t *routerCountRaw = nullptr;
 |  | ||||||
| +    SetField(routerCountRaw, ptr, router_view_header, router_view_size,
 |  | ||||||
| +             "malformed packet (truncated router view info w/o number of routers)");
 |  | ||||||
|   |  | ||||||
|      /* skip the number plus all the ip's */ |  | ||||||
| -
 |  | ||||||
| -    ptr += sizeof(tmp) + (ntohl(tmp) * sizeof(struct in_addr));
 |  | ||||||
| +    ptr += sizeof(*routerCountRaw);
 |  | ||||||
| +    const auto ipCount = ntohl(*routerCountRaw);
 |  | ||||||
| +    const auto ipsSize = ipCount * sizeof(struct in_addr); // we check for unsigned overflow below
 |  | ||||||
| +    Must2(ipsSize / sizeof(struct in_addr) != ipCount, "huge IP address count");
 |  | ||||||
| +    CheckSectionLength(ptr, ipsSize, router_view_header, router_view_size, "invalid IP address count");
 |  | ||||||
| +    ptr += ipsSize;
 |  | ||||||
|   |  | ||||||
|      /* Then read the number of caches */ |  | ||||||
| -    memcpy(&tmp, ptr, sizeof(tmp));
 |  | ||||||
| +    const uint32_t *cacheCountRaw = nullptr;
 |  | ||||||
| +    SetField(cacheCountRaw, ptr, router_view_header, router_view_size,
 |  | ||||||
| +             "malformed packet (truncated router view info w/o cache count)");
 |  | ||||||
| +    memcpy(&tmp, cacheCountRaw, sizeof(tmp)); // TODO: Replace tmp with cacheCount
 |  | ||||||
|      ptr += sizeof(tmp); |  | ||||||
|   |  | ||||||
|      if (ntohl(tmp) != 0) { |  | ||||||
| @@ -1426,7 +1473,8 @@ wccp2HandleUdp(int sock, void *)
 |  | ||||||
|   |  | ||||||
|              case WCCP2_ASSIGNMENT_METHOD_HASH: |  | ||||||
|   |  | ||||||
| -                cache_identity = (struct wccp2_cache_identity_info_t *) ptr;
 |  | ||||||
| +                SetField(cache_identity, ptr, router_view_header, router_view_size,
 |  | ||||||
| +                         "malformed packet (truncated router view info cache w/o assignment hash)");
 |  | ||||||
|   |  | ||||||
|                  ptr += sizeof(struct wccp2_cache_identity_info_t); |  | ||||||
|   |  | ||||||
| @@ -1437,13 +1485,15 @@ wccp2HandleUdp(int sock, void *)
 |  | ||||||
|   |  | ||||||
|              case WCCP2_ASSIGNMENT_METHOD_MASK: |  | ||||||
|   |  | ||||||
| -                cache_mask_info = (struct cache_mask_info_t *) ptr;
 |  | ||||||
| +                SetField(cache_mask_info, ptr, router_view_header, router_view_size,
 |  | ||||||
| +                         "malformed packet (truncated router view info cache w/o assignment mask)");
 |  | ||||||
|   |  | ||||||
|                  /* The mask assignment has an undocumented variable length entry here */ |  | ||||||
|   |  | ||||||
|                  if (ntohl(cache_mask_info->num1) == 3) { |  | ||||||
|   |  | ||||||
| -                    cache_mask_identity = (struct wccp2_cache_mask_identity_info_t *) ptr;
 |  | ||||||
| +                    SetField(cache_mask_identity, ptr, router_view_header, router_view_size,
 |  | ||||||
| +                             "malformed packet (truncated router view info cache w/o assignment mask identity)");
 |  | ||||||
|   |  | ||||||
|                      ptr += sizeof(struct wccp2_cache_mask_identity_info_t); |  | ||||||
|   |  | ||||||
| @@ -1474,10 +1524,7 @@ wccp2HandleUdp(int sock, void *)
 |  | ||||||
|              debugs (80, 5,  "checking cache list: (" << std::hex << cache_address.s_addr << ":" <<  router_list_ptr->local_ip.s_addr << ")"); |  | ||||||
|   |  | ||||||
|              /* Check to see if it's the master, or us */ |  | ||||||
| -
 |  | ||||||
| -            if (cache_address.s_addr == router_list_ptr->local_ip.s_addr) {
 |  | ||||||
| -                found = 1;
 |  | ||||||
| -            }
 |  | ||||||
| +            found = found || (cache_address.s_addr == router_list_ptr->local_ip.s_addr);
 |  | ||||||
|   |  | ||||||
|              if (cache_address.s_addr < router_list_ptr->local_ip.s_addr) { |  | ||||||
|                  service_list_ptr->lowest_ip = 0; |  | ||||||
| @@ -1494,7 +1541,7 @@ wccp2HandleUdp(int sock, void *)
 |  | ||||||
|          cache_list_ptr->next = NULL; |  | ||||||
|   |  | ||||||
|          service_list_ptr->lowest_ip = 1; |  | ||||||
| -        found = 1;
 |  | ||||||
| +        found = true;
 |  | ||||||
|          num_caches = 1; |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| @@ -1502,7 +1549,7 @@ wccp2HandleUdp(int sock, void *)
 |  | ||||||
|   |  | ||||||
|      router_list_ptr->num_caches = htonl(num_caches); |  | ||||||
|   |  | ||||||
| -    if ((found == 1) && (service_list_ptr->lowest_ip == 1)) {
 |  | ||||||
| +    if (found && (service_list_ptr->lowest_ip == 1)) {
 |  | ||||||
|          if (ntohl(router_view_header->change_number) != router_list_ptr->member_change) { |  | ||||||
|              debugs(80, 4, "Change detected - queueing up new assignment"); |  | ||||||
|              router_list_ptr->member_change = ntohl(router_view_header->change_number); |  | ||||||
| @@ -1515,6 +1562,10 @@ wccp2HandleUdp(int sock, void *)
 |  | ||||||
|          eventDelete(wccp2AssignBuckets, NULL); |  | ||||||
|          debugs(80, 5, "I am not the lowest ip cache - not assigning buckets"); |  | ||||||
|      } |  | ||||||
| +
 |  | ||||||
| +    } catch (...) {
 |  | ||||||
| +        debugs(80, DBG_IMPORTANT, "ERROR: Ignoring WCCPv2 message: " << CurrentException);
 |  | ||||||
| +    }
 |  | ||||||
|  } |  | ||||||
|   |  | ||||||
|  static void |  | ||||||
| @ -1,129 +0,0 @@ | |||||||
| From 780c4ea1b4c9d2fb41f6962aa6ed73ae57f74b2b Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Joshua Rogers <MegaManSec@users.noreply.github.com> |  | ||||||
| Date: Mon, 18 Apr 2022 13:42:36 +0000 |  | ||||||
| Subject: [PATCH] Improve handling of Gopher responses (#1022) |  | ||||||
| 
 |  | ||||||
| ---
 |  | ||||||
|  src/gopher.cc | 45 ++++++++++++++++++++------------------------- |  | ||||||
|  1 file changed, 20 insertions(+), 25 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/src/gopher.cc b/src/gopher.cc
 |  | ||||||
| index 169b0e18299..6187da18bcd 100644
 |  | ||||||
| --- a/src/gopher.cc
 |  | ||||||
| +++ b/src/gopher.cc
 |  | ||||||
| @@ -371,7 +371,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
 |  | ||||||
|      char *lpos = NULL; |  | ||||||
|      char *tline = NULL; |  | ||||||
|      LOCAL_ARRAY(char, line, TEMP_BUF_SIZE); |  | ||||||
| -    LOCAL_ARRAY(char, tmpbuf, TEMP_BUF_SIZE);
 |  | ||||||
|      char *name = NULL; |  | ||||||
|      char *selector = NULL; |  | ||||||
|      char *host = NULL; |  | ||||||
| @@ -381,7 +380,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
 |  | ||||||
|      char gtype; |  | ||||||
|      StoreEntry *entry = NULL; |  | ||||||
|   |  | ||||||
| -    memset(tmpbuf, '\0', TEMP_BUF_SIZE);
 |  | ||||||
|      memset(line, '\0', TEMP_BUF_SIZE); |  | ||||||
|   |  | ||||||
|      entry = gopherState->entry; |  | ||||||
| @@ -416,7 +414,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
 |  | ||||||
|          return; |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| -    String outbuf;
 |  | ||||||
| +    SBuf outbuf;
 |  | ||||||
|   |  | ||||||
|      if (!gopherState->HTML_header_added) { |  | ||||||
|          if (gopherState->conversion == GopherStateData::HTML_CSO_RESULT) |  | ||||||
| @@ -583,34 +581,34 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
 |  | ||||||
|                          break; |  | ||||||
|                      } |  | ||||||
|   |  | ||||||
| -                    memset(tmpbuf, '\0', TEMP_BUF_SIZE);
 |  | ||||||
| -
 |  | ||||||
|                      if ((gtype == GOPHER_TELNET) || (gtype == GOPHER_3270)) { |  | ||||||
|                          if (strlen(escaped_selector) != 0) |  | ||||||
| -                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
 |  | ||||||
| -                                     icon_url, escaped_selector, rfc1738_escape_part(host),
 |  | ||||||
| -                                     *port ? ":" : "", port, html_quote(name));
 |  | ||||||
| +                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
 |  | ||||||
| +                                           icon_url, escaped_selector, rfc1738_escape_part(host),
 |  | ||||||
| +                                           *port ? ":" : "", port, html_quote(name));
 |  | ||||||
|                          else |  | ||||||
| -                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
 |  | ||||||
| -                                     icon_url, rfc1738_escape_part(host), *port ? ":" : "",
 |  | ||||||
| -                                     port, html_quote(name));
 |  | ||||||
| +                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
 |  | ||||||
| +                                           icon_url, rfc1738_escape_part(host), *port ? ":" : "",
 |  | ||||||
| +                                           port, html_quote(name));
 |  | ||||||
|   |  | ||||||
|                      } else if (gtype == GOPHER_INFO) { |  | ||||||
| -                        snprintf(tmpbuf, TEMP_BUF_SIZE, "\t%s\n", html_quote(name));
 |  | ||||||
| +                        outbuf.appendf("\t%s\n", html_quote(name));
 |  | ||||||
|                      } else { |  | ||||||
|                          if (strncmp(selector, "GET /", 5) == 0) { |  | ||||||
|                              /* WWW link */ |  | ||||||
| -                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
 |  | ||||||
| -                                     icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
 |  | ||||||
| +                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
 |  | ||||||
| +                                           icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
 |  | ||||||
| +                        } else if (gtype == GOPHER_WWW) {
 |  | ||||||
| +                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
 |  | ||||||
| +                                           icon_url, rfc1738_escape_unescaped(selector), html_quote(name));
 |  | ||||||
|                          } else { |  | ||||||
|                              /* Standard link */ |  | ||||||
| -                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
 |  | ||||||
| -                                     icon_url, host, gtype, escaped_selector, html_quote(name));
 |  | ||||||
| +                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
 |  | ||||||
| +                                           icon_url, host, gtype, escaped_selector, html_quote(name));
 |  | ||||||
|                          } |  | ||||||
|                      } |  | ||||||
|   |  | ||||||
|                      safe_free(escaped_selector); |  | ||||||
| -                    outbuf.append(tmpbuf);
 |  | ||||||
|                  } else { |  | ||||||
|                      memset(line, '\0', TEMP_BUF_SIZE); |  | ||||||
|                      continue; |  | ||||||
| @@ -643,13 +641,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
 |  | ||||||
|                      break; |  | ||||||
|   |  | ||||||
|                  if (gopherState->cso_recno != recno) { |  | ||||||
| -                    snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
 |  | ||||||
| +                    outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
 |  | ||||||
|                      gopherState->cso_recno = recno; |  | ||||||
|                  } else { |  | ||||||
| -                    snprintf(tmpbuf, TEMP_BUF_SIZE, "%s\n", html_quote(result));
 |  | ||||||
| +                    outbuf.appendf("%s\n", html_quote(result));
 |  | ||||||
|                  } |  | ||||||
|   |  | ||||||
| -                outbuf.append(tmpbuf);
 |  | ||||||
|                  break; |  | ||||||
|              } else { |  | ||||||
|                  int code; |  | ||||||
| @@ -677,8 +674,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
 |  | ||||||
|   |  | ||||||
|                  case 502: { /* Too Many Matches */ |  | ||||||
|                      /* Print the message the server returns */ |  | ||||||
| -                    snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
 |  | ||||||
| -                    outbuf.append(tmpbuf);
 |  | ||||||
| +                    outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
 |  | ||||||
|                      break; |  | ||||||
|                  } |  | ||||||
|   |  | ||||||
| @@ -694,13 +690,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
 |  | ||||||
|   |  | ||||||
|      }               /* while loop */ |  | ||||||
|   |  | ||||||
| -    if (outbuf.size() > 0) {
 |  | ||||||
| -        entry->append(outbuf.rawBuf(), outbuf.size());
 |  | ||||||
| +    if (outbuf.length() > 0) {
 |  | ||||||
| +        entry->append(outbuf.rawContent(), outbuf.length());
 |  | ||||||
|          /* now let start sending stuff to client */ |  | ||||||
|          entry->flush(); |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| -    outbuf.clean();
 |  | ||||||
|      return; |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| @ -1,38 +0,0 @@ | |||||||
| commit 4031c6c2b004190fdffbc19dab7cd0305a2025b7 (refs/remotes/origin/v4, refs/remotes/github/v4, refs/heads/v4) |  | ||||||
| Author: Amos Jeffries <yadij@users.noreply.github.com> |  | ||||||
| Date:   2022-08-09 23:34:54 +0000 |  | ||||||
| 
 |  | ||||||
|     Bug 3193 pt2: NTLM decoder truncating strings (#1114) |  | ||||||
|      |  | ||||||
|     The initial bug fix overlooked large 'offset' causing integer |  | ||||||
|     wrap to extract a too-short length string. |  | ||||||
|      |  | ||||||
|     Improve debugs and checks sequence to clarify cases and ensure |  | ||||||
|     that all are handled correctly. |  | ||||||
| 
 |  | ||||||
| diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
 |  | ||||||
| index 5d9637290..f00fd51f8 100644
 |  | ||||||
| --- a/lib/ntlmauth/ntlmauth.cc
 |  | ||||||
| +++ b/lib/ntlmauth/ntlmauth.cc
 |  | ||||||
| @@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
 |  | ||||||
|      int32_t o = le32toh(str->offset); |  | ||||||
|      // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o); |  | ||||||
|   |  | ||||||
| -    if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
 |  | ||||||
| -        debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
 |  | ||||||
| +    if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
 |  | ||||||
| +        debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
 |  | ||||||
|          return rv; |  | ||||||
|      } |  | ||||||
| +    else if (o <= 0 || o > packet_size) {
 |  | ||||||
| +        debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
 |  | ||||||
| +        return rv;
 |  | ||||||
| +    }
 |  | ||||||
| +    else if (l > packet_size - o) {
 |  | ||||||
| +        debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
 |  | ||||||
| +        return rv;
 |  | ||||||
| +    }
 |  | ||||||
| +
 |  | ||||||
|      rv.str = (char *)packet + o; |  | ||||||
|      rv.l = 0; |  | ||||||
|      if ((flags & NTLM_NEGOTIATE_ASCII) == 0) { |  | ||||||
| @ -1,24 +0,0 @@ | |||||||
| diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
 |  | ||||||
| index 20b9bf1..81ebb18 100644
 |  | ||||||
| --- a/src/anyp/Uri.cc
 |  | ||||||
| +++ b/src/anyp/Uri.cc
 |  | ||||||
| @@ -173,6 +173,10 @@ urlInitialize(void)
 |  | ||||||
|      assert(0 == matchDomainName("*.foo.com", ".foo.com", mdnHonorWildcards)); |  | ||||||
|      assert(0 != matchDomainName("*.foo.com", "foo.com", mdnHonorWildcards)); |  | ||||||
|   |  | ||||||
| +    assert(0 != matchDomainName("foo.com", ""));
 |  | ||||||
| +    assert(0 != matchDomainName("foo.com", "", mdnHonorWildcards));
 |  | ||||||
| +    assert(0 != matchDomainName("foo.com", "", mdnRejectSubsubDomains));
 |  | ||||||
| +
 |  | ||||||
|      /* more cases? */ |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| @@ -756,6 +760,8 @@ matchDomainName(const char *h, const char *d, MatchDomainNameFlags flags)
 |  | ||||||
|          return -1; |  | ||||||
|   |  | ||||||
|      dl = strlen(d); |  | ||||||
| +    if (dl == 0)
 |  | ||||||
| +        return 1;
 |  | ||||||
|   |  | ||||||
|      /* |  | ||||||
|       * Start at the ends of the two strings and work towards the |  | ||||||
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							| @ -1,23 +0,0 @@ | |||||||
| diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
 |  | ||||||
| index 6a9736f..0a883fa 100644
 |  | ||||||
| --- a/src/auth/digest/Config.cc
 |  | ||||||
| +++ b/src/auth/digest/Config.cc
 |  | ||||||
| @@ -847,11 +847,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm)
 |  | ||||||
|              break; |  | ||||||
|   |  | ||||||
|          case DIGEST_NC: |  | ||||||
| -            if (value.size() != 8) {
 |  | ||||||
| +            if (value.size() == 8) {
 |  | ||||||
| +                // for historical reasons, the nc value MUST be exactly 8 bytes
 |  | ||||||
| +                static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size");
 |  | ||||||
| +                xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
 |  | ||||||
| +                debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
 |  | ||||||
| +            } else {
 |  | ||||||
|                  debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'"); |  | ||||||
| +                digest_request->nc[0] = 0;
 |  | ||||||
|              } |  | ||||||
| -            xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
 |  | ||||||
| -            debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
 |  | ||||||
|              break; |  | ||||||
|   |  | ||||||
|          case DIGEST_CNONCE: |  | ||||||
| @ -1,30 +0,0 @@ | |||||||
| commit 77b3fb4df0f126784d5fd4967c28ed40eb8d521b |  | ||||||
| Author: Alex Rousskov <rousskov@measurement-factory.com> |  | ||||||
| Date:   Wed Oct 25 19:41:45 2023 +0000 |  | ||||||
| 
 |  | ||||||
|     RFC 1123: Fix date parsing (#1538) |  | ||||||
|      |  | ||||||
|     The bug was discovered and detailed by Joshua Rogers at |  | ||||||
|     https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html |  | ||||||
|     where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time |  | ||||||
|     Handling". |  | ||||||
| 
 |  | ||||||
| diff --git a/lib/rfc1123.c b/lib/rfc1123.c
 |  | ||||||
| index e5bf9a4d7..cb484cc00 100644
 |  | ||||||
| --- a/lib/rfc1123.c
 |  | ||||||
| +++ b/lib/rfc1123.c
 |  | ||||||
| @@ -50,7 +50,13 @@ make_month(const char *s)
 |  | ||||||
|      char month[3]; |  | ||||||
|   |  | ||||||
|      month[0] = xtoupper(*s); |  | ||||||
| +    if (!month[0])
 |  | ||||||
| +        return -1; // protects *(s + 1) below
 |  | ||||||
| +
 |  | ||||||
|      month[1] = xtolower(*(s + 1)); |  | ||||||
| +    if (!month[1])
 |  | ||||||
| +        return -1; // protects *(s + 2) below
 |  | ||||||
| +
 |  | ||||||
|      month[2] = xtolower(*(s + 2)); |  | ||||||
|   |  | ||||||
|      for (i = 0; i < 12; i++) |  | ||||||
| 
 |  | ||||||
| @ -1,62 +0,0 @@ | |||||||
| diff --git a/src/ipc.cc b/src/ipc.cc
 |  | ||||||
| index 42e11e6..a68e623 100644
 |  | ||||||
| --- a/src/ipc.cc
 |  | ||||||
| +++ b/src/ipc.cc
 |  | ||||||
| @@ -19,6 +19,11 @@
 |  | ||||||
|  #include "SquidConfig.h" |  | ||||||
|  #include "SquidIpc.h" |  | ||||||
|  #include "tools.h" |  | ||||||
| +#include <cstdlib>
 |  | ||||||
| +
 |  | ||||||
| +#if HAVE_UNISTD_H
 |  | ||||||
| +#include <unistd.h>
 |  | ||||||
| +#endif
 |  | ||||||
|   |  | ||||||
|  static const char *hello_string = "hi there\n"; |  | ||||||
|  #ifndef HELLO_BUF_SZ |  | ||||||
| @@ -365,6 +370,22 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
 |  | ||||||
|      } |  | ||||||
|   |  | ||||||
|      PutEnvironment(); |  | ||||||
| +
 |  | ||||||
| +    // A dup(2) wrapper that reports and exits the process on errors. The
 |  | ||||||
| +    // exiting logic is only suitable for this child process context.
 |  | ||||||
| +    const auto dupOrExit = [prog,name](const int oldFd) {
 |  | ||||||
| +        const auto newFd = dup(oldFd);
 |  | ||||||
| +        if (newFd < 0) {
 |  | ||||||
| +            const auto savedErrno = errno;
 |  | ||||||
| +            debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name <<
 |  | ||||||
| +                   Debug::Extra << "helper (CHILD) PID: " << getpid() <<
 |  | ||||||
| +                   Debug::Extra << "helper program name: " << prog <<
 |  | ||||||
| +                   Debug::Extra << "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno));
 |  | ||||||
| +            _exit(EXIT_FAILURE);
 |  | ||||||
| +        }
 |  | ||||||
| +        return newFd;
 |  | ||||||
| +    };
 |  | ||||||
| +
 |  | ||||||
|      /* |  | ||||||
|       * This double-dup stuff avoids problems when one of |  | ||||||
|       *  crfd, cwfd, or debug_log are in the rage 0-2. |  | ||||||
| @@ -372,17 +393,16 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
 |  | ||||||
|   |  | ||||||
|      do { |  | ||||||
|          /* First make sure 0-2 is occupied by something. Gets cleaned up later */ |  | ||||||
| -        x = dup(crfd);
 |  | ||||||
| -        assert(x > -1);
 |  | ||||||
| -    } while (x < 3 && x > -1);
 |  | ||||||
| +        x = dupOrExit(crfd);
 |  | ||||||
| +    } while (x < 3);
 |  | ||||||
|   |  | ||||||
|      close(x); |  | ||||||
|   |  | ||||||
| -    t1 = dup(crfd);
 |  | ||||||
| +    t1 = dupOrExit(crfd);
 |  | ||||||
|   |  | ||||||
| -    t2 = dup(cwfd);
 |  | ||||||
| +    t2 = dupOrExit(cwfd);
 |  | ||||||
|   |  | ||||||
| -    t3 = dup(fileno(debug_log));
 |  | ||||||
| +    t3 = dupOrExit(fileno(debug_log));
 |  | ||||||
|   |  | ||||||
|      assert(t1 > 2 && t2 > 2 && t3 > 2); |  | ||||||
|   |  | ||||||
| @ -1,50 +0,0 @@ | |||||||
| diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
 |  | ||||||
| index fe2edf6..47aa935 100644
 |  | ||||||
| --- a/src/ClientRequestContext.h
 |  | ||||||
| +++ b/src/ClientRequestContext.h
 |  | ||||||
| @@ -81,6 +81,10 @@ public:
 |  | ||||||
|  #endif |  | ||||||
|      ErrorState *error; ///< saved error page for centralized/delayed processing |  | ||||||
|      bool readNextRequest; ///< whether Squid should read after error handling |  | ||||||
| +
 |  | ||||||
| +#if FOLLOW_X_FORWARDED_FOR
 |  | ||||||
| +    size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
 |  | ||||||
| +#endif
 |  | ||||||
|  }; |  | ||||||
|   |  | ||||||
|  #endif /* SQUID_CLIENTREQUESTCONTEXT_H */ |  | ||||||
| diff --git a/src/client_side_request.cc b/src/client_side_request.cc
 |  | ||||||
| index 1c6ff62..b758f6f 100644
 |  | ||||||
| --- a/src/client_side_request.cc
 |  | ||||||
| +++ b/src/client_side_request.cc
 |  | ||||||
| @@ -78,6 +78,11 @@
 |  | ||||||
|  static const char *const crlf = "\r\n"; |  | ||||||
|   |  | ||||||
|  #if FOLLOW_X_FORWARDED_FOR |  | ||||||
| +
 |  | ||||||
| +#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
 |  | ||||||
| +#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
|  static void clientFollowXForwardedForCheck(allow_t answer, void *data); |  | ||||||
|  #endif /* FOLLOW_X_FORWARDED_FOR */ |  | ||||||
|   |  | ||||||
| @@ -485,8 +490,16 @@ clientFollowXForwardedForCheck(allow_t answer, void *data)
 |  | ||||||
|                  /* override the default src_addr tested if we have to go deeper than one level into XFF */ |  | ||||||
|                  Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr; |  | ||||||
|              } |  | ||||||
| -            calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
 |  | ||||||
| -            return;
 |  | ||||||
| +            if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
 |  | ||||||
| +                calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
 |  | ||||||
| +                return;
 |  | ||||||
| +            }
 |  | ||||||
| +            const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
 |  | ||||||
| +            debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
 |  | ||||||
| +                   Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
 |  | ||||||
| +                   Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
 |  | ||||||
| +                   Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
 |  | ||||||
| +            // fall through to resume clientAccessCheck() processing
 |  | ||||||
|          } |  | ||||||
|      } |  | ||||||
|   |  | ||||||
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							| @ -1,31 +0,0 @@ | |||||||
| commit 8fcff9c09824b18628f010d26a04247f6a6cbcb8 |  | ||||||
| Author: Alex Rousskov <rousskov@measurement-factory.com> |  | ||||||
| Date:   Sun Nov 12 09:33:20 2023 +0000 |  | ||||||
| 
 |  | ||||||
|     Do not update StoreEntry expiration after errorAppendEntry() (#1580) |  | ||||||
|      |  | ||||||
|     errorAppendEntry() is responsible for setting entry expiration times, |  | ||||||
|     which it does by calling StoreEntry::storeErrorResponse() that calls |  | ||||||
|     StoreEntry::negativeCache(). |  | ||||||
|      |  | ||||||
|     This change was triggered by a vulnerability report by Joshua Rogers at |  | ||||||
|     https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html where |  | ||||||
|     it was filed as "Use-After-Free in Cache Manager Errors". The reported |  | ||||||
|     "use after free" vulnerability was unknowingly addressed by 2022 commit |  | ||||||
|     1fa761a that removed excessively long "reentrant" store_client calls |  | ||||||
|     responsible for the disappearance of the properly locked StoreEntry in |  | ||||||
|     this (and probably other) contexts. |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| diff --git a/src/cache_manager.cc b/src/cache_manager.cc
 |  | ||||||
| index 8055ece..fdcc9cf 100644
 |  | ||||||
| --- a/src/cache_manager.cc
 |  | ||||||
| +++ b/src/cache_manager.cc
 |  | ||||||
| @@ -323,7 +323,6 @@ CacheManager::Start(const Comm::ConnectionPointer &client, HttpRequest * request
 |  | ||||||
|          const auto err = new ErrorState(ERR_INVALID_URL, Http::scNotFound, request); |  | ||||||
|          err->url = xstrdup(entry->url()); |  | ||||||
|          errorAppendEntry(entry, err); |  | ||||||
| -        entry->expires = squid_curtime;
 |  | ||||||
|          return; |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| @ -1,193 +0,0 @@ | |||||||
| diff --git a/src/http.cc b/src/http.cc
 |  | ||||||
| index b006300..023e411 100644
 |  | ||||||
| --- a/src/http.cc
 |  | ||||||
| +++ b/src/http.cc
 |  | ||||||
| @@ -52,6 +52,7 @@
 |  | ||||||
|  #include "rfc1738.h" |  | ||||||
|  #include "SquidConfig.h" |  | ||||||
|  #include "SquidTime.h" |  | ||||||
| +#include "SquidMath.h"
 |  | ||||||
|  #include "StatCounters.h" |  | ||||||
|  #include "Store.h" |  | ||||||
|  #include "StrList.h" |  | ||||||
| @@ -1150,18 +1151,26 @@ HttpStateData::readReply(const CommIoCbParams &io)
 |  | ||||||
|       * Plus, it breaks our lame *HalfClosed() detection |  | ||||||
|       */ |  | ||||||
|   |  | ||||||
| -    Must(maybeMakeSpaceAvailable(true));
 |  | ||||||
| -    CommIoCbParams rd(this); // will be expanded with ReadNow results
 |  | ||||||
| -    rd.conn = io.conn;
 |  | ||||||
| -    rd.size = entry->bytesWanted(Range<size_t>(0, inBuf.spaceSize()));
 |  | ||||||
| +    size_t moreDataPermission = 0;
 |  | ||||||
| +    if ((!canBufferMoreReplyBytes(&moreDataPermission) || !moreDataPermission)) {
 |  | ||||||
| +        abortTransaction("ready to read required data, but the read buffer is full and cannot be drained");
 |  | ||||||
| +        return;
 |  | ||||||
| +    }
 |  | ||||||
| +
 |  | ||||||
| +    const auto readSizeMax = maybeMakeSpaceAvailable(moreDataPermission);
 |  | ||||||
| +    // TODO: Move this logic inside maybeMakeSpaceAvailable():
 |  | ||||||
| +    const auto readSizeWanted = readSizeMax ? entry->bytesWanted(Range<size_t>(0, readSizeMax)) : 0;
 |  | ||||||
|   |  | ||||||
| -    if (rd.size <= 0) {
 |  | ||||||
| +    if (readSizeWanted <= 0) {
 |  | ||||||
|          assert(entry->mem_obj); |  | ||||||
|          AsyncCall::Pointer nilCall; |  | ||||||
|          entry->mem_obj->delayRead(DeferredRead(readDelayed, this, CommRead(io.conn, NULL, 0, nilCall))); |  | ||||||
|          return; |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| +    CommIoCbParams rd(this); // will be expanded with ReadNow results
 |  | ||||||
| +    rd.conn = io.conn;
 |  | ||||||
| +    rd.size = readSizeWanted;
 |  | ||||||
|      switch (Comm::ReadNow(rd, inBuf)) { |  | ||||||
|      case Comm::INPROGRESS: |  | ||||||
|          if (inBuf.isEmpty()) |  | ||||||
| @@ -1520,8 +1529,11 @@ HttpStateData::maybeReadVirginBody()
 |  | ||||||
|      if (!Comm::IsConnOpen(serverConnection) || fd_table[serverConnection->fd].closing()) |  | ||||||
|          return; |  | ||||||
|   |  | ||||||
| -    if (!maybeMakeSpaceAvailable(false))
 |  | ||||||
| +    size_t moreDataPermission = 0;
 |  | ||||||
| +    if ((!canBufferMoreReplyBytes(&moreDataPermission)) || !moreDataPermission) {
 |  | ||||||
| +        abortTransaction("more response bytes required, but the read buffer is full and cannot be drained");
 |  | ||||||
|          return; |  | ||||||
| +    }
 |  | ||||||
|   |  | ||||||
|      // XXX: get rid of the do_next_read flag |  | ||||||
|      // check for the proper reasons preventing read(2) |  | ||||||
| @@ -1539,40 +1551,79 @@ HttpStateData::maybeReadVirginBody()
 |  | ||||||
|      Comm::Read(serverConnection, call); |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| +/// Desired inBuf capacity based on various capacity preferences/limits:
 |  | ||||||
| +/// * a smaller buffer may not hold enough for look-ahead header/body parsers;
 |  | ||||||
| +/// * a smaller buffer may result in inefficient tiny network reads;
 |  | ||||||
| +/// * a bigger buffer may waste memory;
 |  | ||||||
| +/// * a bigger buffer may exceed SBuf storage capabilities (SBuf::maxSize);
 |  | ||||||
| +size_t
 |  | ||||||
| +HttpStateData::calcReadBufferCapacityLimit() const
 |  | ||||||
| +{
 |  | ||||||
| +    if (!flags.headers_parsed)
 |  | ||||||
| +        return Config.maxReplyHeaderSize;
 |  | ||||||
| +
 |  | ||||||
| +    // XXX: Our inBuf is not used to maintain the read-ahead gap, and using
 |  | ||||||
| +    // Config.readAheadGap like this creates huge read buffers for large
 |  | ||||||
| +    // read_ahead_gap values. TODO: Switch to using tcp_recv_bufsize as the
 |  | ||||||
| +    // primary read buffer capacity factor.
 |  | ||||||
| +    //
 |  | ||||||
| +    // TODO: Cannot reuse throwing NaturalCast() here. Consider removing
 |  | ||||||
| +    // .value() dereference in NaturalCast() or add/use NaturalCastOrMax().
 |  | ||||||
| +    const auto configurationPreferences = NaturalSum<size_t>(Config.readAheadGap).second ? NaturalSum<size_t>(Config.readAheadGap).first : SBuf::maxSize;
 |  | ||||||
| +
 |  | ||||||
| +    // TODO: Honor TeChunkedParser look-ahead and trailer parsing requirements
 |  | ||||||
| +    // (when explicit configurationPreferences are set too low).
 |  | ||||||
| +
 |  | ||||||
| +    return std::min<size_t>(configurationPreferences, SBuf::maxSize);
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
| +/// The maximum number of virgin reply bytes we may buffer before we violate
 |  | ||||||
| +/// the currently configured response buffering limits.
 |  | ||||||
| +/// \retval std::nullopt means that no more virgin response bytes can be read
 |  | ||||||
| +/// \retval 0 means that more virgin response bytes may be read later
 |  | ||||||
| +/// \retval >0 is the number of bytes that can be read now (subject to other constraints)
 |  | ||||||
|  bool |  | ||||||
| -HttpStateData::maybeMakeSpaceAvailable(bool doGrow)
 |  | ||||||
| +HttpStateData::canBufferMoreReplyBytes(size_t *maxReadSize) const
 |  | ||||||
|  { |  | ||||||
| -    // how much we are allowed to buffer
 |  | ||||||
| -    const int limitBuffer = (flags.headers_parsed ? Config.readAheadGap : Config.maxReplyHeaderSize);
 |  | ||||||
| -
 |  | ||||||
| -    if (limitBuffer < 0 || inBuf.length() >= (SBuf::size_type)limitBuffer) {
 |  | ||||||
| -        // when buffer is at or over limit already
 |  | ||||||
| -        debugs(11, 7, "will not read up to " << limitBuffer << ". buffer has (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
 |  | ||||||
| -        debugs(11, DBG_DATA, "buffer has {" << inBuf << "}");
 |  | ||||||
| -        // Process next response from buffer
 |  | ||||||
| -        processReply();
 |  | ||||||
| -        return false;
 |  | ||||||
| +#if USE_ADAPTATION
 |  | ||||||
| +    // If we do not check this now, we may say the final "no" prematurely below
 |  | ||||||
| +    // because inBuf.length() will decrease as adaptation drains buffered bytes.
 |  | ||||||
| +    if (responseBodyBuffer) {
 |  | ||||||
| +        debugs(11, 3, "yes, but waiting for adaptation to drain read buffer");
 |  | ||||||
| +        *maxReadSize = 0; // yes, we may be able to buffer more (but later)
 |  | ||||||
| +        return true;
 |  | ||||||
| +    }
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
| +    const auto maxCapacity = calcReadBufferCapacityLimit();
 |  | ||||||
| +    if (inBuf.length() >= maxCapacity) {
 |  | ||||||
| +        debugs(11, 3, "no, due to a full buffer: " << inBuf.length() << '/' << inBuf.spaceSize() << "; limit: " << maxCapacity);
 |  | ||||||
| +        return false; // no, configuration prohibits buffering more
 |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| +    *maxReadSize = (maxCapacity - inBuf.length()); // positive
 |  | ||||||
| +    debugs(11, 7, "yes, may read up to " << *maxReadSize << " into " << inBuf.length() << '/' << inBuf.spaceSize());
 |  | ||||||
| +    return true; // yes, can read up to this many bytes (subject to other constraints)
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
| +/// prepare read buffer for reading
 |  | ||||||
| +/// \return the maximum number of bytes the caller should attempt to read
 |  | ||||||
| +/// \retval 0 means that the caller should delay reading
 |  | ||||||
| +size_t
 |  | ||||||
| +HttpStateData::maybeMakeSpaceAvailable(const size_t maxReadSize)
 |  | ||||||
| +{
 |  | ||||||
|      // how much we want to read |  | ||||||
| -    const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), (limitBuffer - inBuf.length()));
 |  | ||||||
| +    const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), maxReadSize);
 |  | ||||||
|   |  | ||||||
| -    if (!read_size) {
 |  | ||||||
| +    if (read_size < 2) {
 |  | ||||||
|          debugs(11, 7, "will not read up to " << read_size << " into buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection); |  | ||||||
| -        return false;
 |  | ||||||
| +        return 0;
 |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| -    // just report whether we could grow or not, do not actually do it
 |  | ||||||
| -    if (doGrow)
 |  | ||||||
| -        return (read_size >= 2);
 |  | ||||||
| -
 |  | ||||||
|      // we may need to grow the buffer |  | ||||||
|      inBuf.reserveSpace(read_size); |  | ||||||
| -    debugs(11, 8, (!flags.do_next_read ? "will not" : "may") <<
 |  | ||||||
| -           " read up to " << read_size << " bytes info buf(" << inBuf.length() << "/" << inBuf.spaceSize() <<
 |  | ||||||
| -           ") from " << serverConnection);
 |  | ||||||
| -
 |  | ||||||
| -    return (inBuf.spaceSize() >= 2); // only read if there is 1+ bytes of space available
 |  | ||||||
| +    debugs(11, 7, "may read up to " << read_size << " bytes info buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
 |  | ||||||
| +    return read_size;
 |  | ||||||
|  } |  | ||||||
|   |  | ||||||
|  /// called after writing the very last request byte (body, last-chunk, etc) |  | ||||||
| diff --git a/src/http.h b/src/http.h
 |  | ||||||
| index 8965b77..007d2e6 100644
 |  | ||||||
| --- a/src/http.h
 |  | ||||||
| +++ b/src/http.h
 |  | ||||||
| @@ -15,6 +15,8 @@
 |  | ||||||
|  #include "http/StateFlags.h" |  | ||||||
|  #include "sbuf/SBuf.h" |  | ||||||
|   |  | ||||||
| +#include <optional>
 |  | ||||||
| +
 |  | ||||||
|  class FwdState; |  | ||||||
|  class HttpHeader; |  | ||||||
|   |  | ||||||
| @@ -107,16 +109,9 @@ private:
 |  | ||||||
|   |  | ||||||
|      void abortTransaction(const char *reason) { abortAll(reason); } // abnormal termination |  | ||||||
|   |  | ||||||
| -    /**
 |  | ||||||
| -     * determine if read buffer can have space made available
 |  | ||||||
| -     * for a read.
 |  | ||||||
| -     *
 |  | ||||||
| -     * \param grow  whether to actually expand the buffer
 |  | ||||||
| -     *
 |  | ||||||
| -     * \return whether the buffer can be grown to provide space
 |  | ||||||
| -     *         regardless of whether the grow actually happened.
 |  | ||||||
| -     */
 |  | ||||||
| -    bool maybeMakeSpaceAvailable(bool grow);
 |  | ||||||
| +    size_t calcReadBufferCapacityLimit() const;
 |  | ||||||
| +    bool canBufferMoreReplyBytes(size_t *maxReadSize) const;
 |  | ||||||
| +    size_t maybeMakeSpaceAvailable(size_t maxReadSize);
 |  | ||||||
|   |  | ||||||
|      // consuming request body |  | ||||||
|      virtual void handleMoreRequestBodyAvailable(); |  | ||||||
| @ -1,105 +0,0 @@ | |||||||
| diff --git a/src/SquidString.h b/src/SquidString.h
 |  | ||||||
| index a791885..b9aef38 100644
 |  | ||||||
| --- a/src/SquidString.h
 |  | ||||||
| +++ b/src/SquidString.h
 |  | ||||||
| @@ -114,7 +114,16 @@ private:
 |  | ||||||
|   |  | ||||||
|      size_type len_;  /* current length  */ |  | ||||||
|   |  | ||||||
| -    static const size_type SizeMax_ = 65535; ///< 64K limit protects some fixed-size buffers
 |  | ||||||
| +    /// An earlier 64KB limit was meant to protect some fixed-size buffers, but
 |  | ||||||
| +    /// (a) we do not know where those buffers are (or whether they still exist)
 |  | ||||||
| +    /// (b) too many String users unknowingly exceeded that limit and asserted.
 |  | ||||||
| +    /// We are now using a larger limit to reduce the number of (b) cases,
 |  | ||||||
| +    /// especially cases where "compact" lists of items grow 50% in size when we
 |  | ||||||
| +    /// convert them to canonical form. The new limit is selected to withstand
 |  | ||||||
| +    /// concatenation and ~50% expansion of two HTTP headers limited by default
 |  | ||||||
| +    /// request_header_max_size and reply_header_max_size settings.
 |  | ||||||
| +    static const size_type SizeMax_ = 3*64*1024 - 1;
 |  | ||||||
| +
 |  | ||||||
|      /// returns true after increasing the first argument by extra if the sum does not exceed SizeMax_ |  | ||||||
|      static bool SafeAdd(size_type &base, size_type extra) { if (extra <= SizeMax_ && base <= SizeMax_ - extra) { base += extra; return true; } return false; } |  | ||||||
|   |  | ||||||
| diff --git a/src/cache_cf.cc b/src/cache_cf.cc
 |  | ||||||
| index a9c1b7e..46f07bb 100644
 |  | ||||||
| --- a/src/cache_cf.cc
 |  | ||||||
| +++ b/src/cache_cf.cc
 |  | ||||||
| @@ -935,6 +935,18 @@ configDoConfigure(void)
 |  | ||||||
|                 (uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize); |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| +    // Warn about the dangers of exceeding String limits when manipulating HTTP
 |  | ||||||
| +    // headers. Technically, we do not concatenate _requests_, so we could relax
 |  | ||||||
| +    // their check, but we keep the two checks the same for simplicity sake.
 |  | ||||||
| +    const auto safeRawHeaderValueSizeMax = (String::SizeMaxXXX()+1)/3;
 |  | ||||||
| +    // TODO: static_assert(safeRawHeaderValueSizeMax >= 64*1024); // no WARNINGs for default settings
 |  | ||||||
| +    if (Config.maxRequestHeaderSize > safeRawHeaderValueSizeMax)
 |  | ||||||
| +        debugs(3, DBG_CRITICAL, "WARNING: Increasing request_header_max_size beyond " << safeRawHeaderValueSizeMax <<
 |  | ||||||
| +               " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxRequestHeaderSize << " bytes");
 |  | ||||||
| +    if (Config.maxReplyHeaderSize > safeRawHeaderValueSizeMax)
 |  | ||||||
| +        debugs(3, DBG_CRITICAL, "WARNING: Increasing reply_header_max_size beyond " << safeRawHeaderValueSizeMax <<
 |  | ||||||
| +               " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxReplyHeaderSize << " bytes");
 |  | ||||||
| +
 |  | ||||||
|      /* |  | ||||||
|       * Disable client side request pipelining if client_persistent_connections OFF. |  | ||||||
|       * Waste of resources queueing any pipelined requests when the first will close the connection. |  | ||||||
| diff --git a/src/cf.data.pre b/src/cf.data.pre
 |  | ||||||
| index bc2ddcd..d55b870 100644
 |  | ||||||
| --- a/src/cf.data.pre
 |  | ||||||
| +++ b/src/cf.data.pre
 |  | ||||||
| @@ -6196,11 +6196,14 @@ TYPE: b_size_t
 |  | ||||||
|  DEFAULT: 64 KB |  | ||||||
|  LOC: Config.maxRequestHeaderSize |  | ||||||
|  DOC_START |  | ||||||
| -	This specifies the maximum size for HTTP headers in a request.
 |  | ||||||
| -	Request headers are usually relatively small (about 512 bytes).
 |  | ||||||
| -	Placing a limit on the request header size will catch certain
 |  | ||||||
| -	bugs (for example with persistent connections) and possibly
 |  | ||||||
| -	buffer-overflow or denial-of-service attacks.
 |  | ||||||
| +	This directives limits the header size of a received HTTP request
 |  | ||||||
| +	(including request-line). Increasing this limit beyond its 64 KB default
 |  | ||||||
| +	exposes certain old Squid code to various denial-of-service attacks. This
 |  | ||||||
| +	limit also applies to received FTP commands.
 |  | ||||||
| +
 |  | ||||||
| +	This limit has no direct affect on Squid memory consumption.
 |  | ||||||
| +
 |  | ||||||
| +	Squid does not check this limit when sending requests.
 |  | ||||||
|  DOC_END |  | ||||||
|   |  | ||||||
|  NAME: reply_header_max_size |  | ||||||
| @@ -6209,11 +6212,14 @@ TYPE: b_size_t
 |  | ||||||
|  DEFAULT: 64 KB |  | ||||||
|  LOC: Config.maxReplyHeaderSize |  | ||||||
|  DOC_START |  | ||||||
| -	This specifies the maximum size for HTTP headers in a reply.
 |  | ||||||
| -	Reply headers are usually relatively small (about 512 bytes).
 |  | ||||||
| -	Placing a limit on the reply header size will catch certain
 |  | ||||||
| -	bugs (for example with persistent connections) and possibly
 |  | ||||||
| -	buffer-overflow or denial-of-service attacks.
 |  | ||||||
| +	This directives limits the header size of a received HTTP response
 |  | ||||||
| +	(including status-line). Increasing this limit beyond its 64 KB default
 |  | ||||||
| +	exposes certain old Squid code to various denial-of-service attacks. This
 |  | ||||||
| +	limit also applies to FTP command responses.
 |  | ||||||
| +
 |  | ||||||
| +	Squid also checks this limit when loading hit responses from disk cache.
 |  | ||||||
| +
 |  | ||||||
| +	Squid does not check this limit when sending responses.
 |  | ||||||
|  DOC_END |  | ||||||
|   |  | ||||||
|  NAME: request_body_max_size |  | ||||||
| diff --git a/src/http.cc b/src/http.cc
 |  | ||||||
| index 877172d..b006300 100644
 |  | ||||||
| --- a/src/http.cc
 |  | ||||||
| +++ b/src/http.cc
 |  | ||||||
| @@ -1820,8 +1820,9 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request,
 |  | ||||||
|   |  | ||||||
|          String strFwd = hdr_in->getList(Http::HdrType::X_FORWARDED_FOR); |  | ||||||
|   |  | ||||||
| -        // if we cannot double strFwd size, then it grew past 50% of the limit
 |  | ||||||
| -        if (!strFwd.canGrowBy(strFwd.size())) {
 |  | ||||||
| +        // Detect unreasonably long header values. And paranoidly check String
 |  | ||||||
| +        // limits: a String ought to accommodate two reasonable-length values.
 |  | ||||||
| +        if (strFwd.size() > 32*1024 || !strFwd.canGrowBy(strFwd.size())) {
 |  | ||||||
|              // There is probably a forwarding loop with Via detection disabled. |  | ||||||
|              // If we do nothing, String will assert on overflow soon. |  | ||||||
|              // TODO: Terminate all transactions with huge XFF? |  | ||||||
| @ -1,32 +0,0 @@ | |||||||
| diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
 |  | ||||||
| index da9867f..e992638 100644
 |  | ||||||
| --- a/src/clients/FtpGateway.cc
 |  | ||||||
| +++ b/src/clients/FtpGateway.cc
 |  | ||||||
| @@ -1084,16 +1084,17 @@ Ftp::Gateway::checkAuth(const HttpHeader * req_hdr)
 |  | ||||||
|  void |  | ||||||
|  Ftp::Gateway::checkUrlpath() |  | ||||||
|  { |  | ||||||
| -    static SBuf str_type_eq("type=");
 |  | ||||||
| -    auto t = request->url.path().rfind(';');
 |  | ||||||
| -
 |  | ||||||
| -    if (t != SBuf::npos) {
 |  | ||||||
| -        auto filenameEnd = t-1;
 |  | ||||||
| -        if (request->url.path().substr(++t).cmp(str_type_eq, str_type_eq.length()) == 0) {
 |  | ||||||
| -            t += str_type_eq.length();
 |  | ||||||
| -            typecode = (char)xtoupper(request->url.path()[t]);
 |  | ||||||
| -            request->url.path(request->url.path().substr(0,filenameEnd));
 |  | ||||||
| -        }
 |  | ||||||
| +    // If typecode was specified, extract it and leave just the filename in
 |  | ||||||
| +    // url.path. Tolerate trailing garbage or missing typecode value. Roughly:
 |  | ||||||
| +    // [filename] ;type=[typecode char] [trailing garbage]
 |  | ||||||
| +    static const SBuf middle(";type=");
 |  | ||||||
| +    const auto typeSpecStart = request->url.path().find(middle);
 |  | ||||||
| +    if (typeSpecStart != SBuf::npos) {
 |  | ||||||
| +        const auto fullPath = request->url.path();
 |  | ||||||
| +        const auto typecodePos = typeSpecStart + middle.length();
 |  | ||||||
| +        typecode = (typecodePos < fullPath.length()) ?
 |  | ||||||
| +            static_cast<char>(xtoupper(fullPath[typecodePos])) : '\0';
 |  | ||||||
| +        request->url.path(fullPath.substr(0, typeSpecStart));
 |  | ||||||
|      } |  | ||||||
|   |  | ||||||
|      int l = request->url.path().length(); |  | ||||||
| @ -1,367 +0,0 @@ | |||||||
| From 8d0ee420a4d91ac7fd97316338f1e28b4b060cbf Mon Sep 17 00:00:00 2001 |  | ||||||
| From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com> |  | ||||||
| Date: Thu, 10 Oct 2024 19:26:27 +0200 |  | ||||||
| Subject: [PATCH 1/6] Ignore whitespace chars after chunk-size |  | ||||||
| 
 |  | ||||||
| Previously (before #1498 change), squid was accepting TE-chunked replies |  | ||||||
| with whitespaces after chunk-size and missing chunk-ext data. After |  | ||||||
| 
 |  | ||||||
| It turned out that replies with such whitespace chars are pretty |  | ||||||
| common and other webservers which can act as forward proxies (e.g. |  | ||||||
| nginx, httpd...) are accepting them. |  | ||||||
| 
 |  | ||||||
| This change will allow to proxy chunked responses from origin server, |  | ||||||
| which had whitespaces inbetween chunk-size and CRLF. |  | ||||||
| ---
 |  | ||||||
|  src/http/one/TeChunkedParser.cc | 1 + |  | ||||||
|  1 file changed, 1 insertion(+) |  | ||||||
| 
 |  | ||||||
| diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc
 |  | ||||||
| index 9cce10fdc91..04753395e16 100644
 |  | ||||||
| --- a/src/http/one/TeChunkedParser.cc
 |  | ||||||
| +++ b/src/http/one/TeChunkedParser.cc
 |  | ||||||
| @@ -125,6 +125,7 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
 |  | ||||||
|      // Code becomes much simpler when incremental parsing functions throw on |  | ||||||
|      // bad or insufficient input, like in the code below. TODO: Expand up. |  | ||||||
|      try { |  | ||||||
| +        tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size
 |  | ||||||
|          parseChunkExtensions(tok); // a possibly empty chunk-ext list |  | ||||||
|          tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); |  | ||||||
|          buf_ = tok.remaining(); |  | ||||||
| 
 |  | ||||||
| From 9c8d35f899035fa06021ab3fe6919f892c2f0c6b Mon Sep 17 00:00:00 2001 |  | ||||||
| From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com> |  | ||||||
| Date: Fri, 11 Oct 2024 02:06:31 +0200 |  | ||||||
| Subject: [PATCH 2/6] Added new argument to Http::One::ParseBws() |  | ||||||
| 
 |  | ||||||
| Depending on new wsp_only argument in ParseBws() it will be decided |  | ||||||
| which set of whitespaces characters will be parsed. If wsp_only is set |  | ||||||
| to true, only SP and HTAB chars will be parsed. |  | ||||||
| 
 |  | ||||||
| Also optimized number of ParseBws calls. |  | ||||||
| ---
 |  | ||||||
|  src/http/one/Parser.cc          |  4 ++-- |  | ||||||
|  src/http/one/Parser.h           |  3 ++- |  | ||||||
|  src/http/one/TeChunkedParser.cc | 13 +++++++++---- |  | ||||||
|  src/http/one/TeChunkedParser.h  |  2 +- |  | ||||||
|  4 files changed, 14 insertions(+), 8 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc
 |  | ||||||
| index b1908316a0b..01d7e3bc0e8 100644
 |  | ||||||
| --- a/src/http/one/Parser.cc
 |  | ||||||
| +++ b/src/http/one/Parser.cc
 |  | ||||||
| @@ -273,9 +273,9 @@ Http::One::ErrorLevel()
 |  | ||||||
|   |  | ||||||
|  // BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule |  | ||||||
|  void |  | ||||||
| -Http::One::ParseBws(Parser::Tokenizer &tok)
 |  | ||||||
| +Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only)
 |  | ||||||
|  { |  | ||||||
| -    const auto count = tok.skipAll(Parser::WhitespaceCharacters());
 |  | ||||||
| +    const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters());
 |  | ||||||
|   |  | ||||||
|      if (tok.atEnd()) |  | ||||||
|          throw InsufficientInput(); // even if count is positive |  | ||||||
| diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h
 |  | ||||||
| index d9a0ac8c273..08200371cd6 100644
 |  | ||||||
| --- a/src/http/one/Parser.h
 |  | ||||||
| +++ b/src/http/one/Parser.h
 |  | ||||||
| @@ -163,8 +163,9 @@ class Parser : public RefCountable
 |  | ||||||
|  }; |  | ||||||
|   |  | ||||||
|  /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) |  | ||||||
| +/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars
 |  | ||||||
|  /// \throws InsufficientInput when the end of BWS cannot be confirmed |  | ||||||
| -void ParseBws(Parser::Tokenizer &);
 |  | ||||||
| +void ParseBws(Parser::Tokenizer &, const bool wsp_only = false);
 |  | ||||||
|   |  | ||||||
|  /// the right debugs() level for logging HTTP violation messages |  | ||||||
|  int ErrorLevel(); |  | ||||||
| diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc
 |  | ||||||
| index 04753395e16..41e1e5ddaea 100644
 |  | ||||||
| --- a/src/http/one/TeChunkedParser.cc
 |  | ||||||
| +++ b/src/http/one/TeChunkedParser.cc
 |  | ||||||
| @@ -125,8 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
 |  | ||||||
|      // Code becomes much simpler when incremental parsing functions throw on |  | ||||||
|      // bad or insufficient input, like in the code below. TODO: Expand up. |  | ||||||
|      try { |  | ||||||
| -        tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size
 |  | ||||||
| -        parseChunkExtensions(tok); // a possibly empty chunk-ext list
 |  | ||||||
| +        // A possibly empty chunk-ext list. If no chunk-ext has been found,
 |  | ||||||
| +        // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF".
 |  | ||||||
| +        if (!parseChunkExtensions(tok))
 |  | ||||||
| +            ParseBws(tok, true);
 |  | ||||||
| +
 |  | ||||||
|          tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); |  | ||||||
|          buf_ = tok.remaining(); |  | ||||||
|          parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; |  | ||||||
| @@ -140,20 +143,22 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
 |  | ||||||
|   |  | ||||||
|  /// Parses the chunk-ext list (RFC 9112 section 7.1.1: |  | ||||||
|  /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) |  | ||||||
| -void
 |  | ||||||
| +bool
 |  | ||||||
|  Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) |  | ||||||
|  { |  | ||||||
| +    bool foundChunkExt = false;
 |  | ||||||
|      do { |  | ||||||
|          auto tok = callerTok; |  | ||||||
|   |  | ||||||
|          ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size |  | ||||||
|   |  | ||||||
|          if (!tok.skip(';')) |  | ||||||
| -            return; // reached the end of extensions (if any)
 |  | ||||||
| +            return foundChunkExt; // reached the end of extensions (if any)
 |  | ||||||
|   |  | ||||||
|          parseOneChunkExtension(tok); |  | ||||||
|          buf_ = tok.remaining(); // got one extension |  | ||||||
|          callerTok = tok; |  | ||||||
| +        foundChunkExt = true;
 |  | ||||||
|      } while (true); |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h
 |  | ||||||
| index 02eacd1bb89..8c5d4bb4cba 100644
 |  | ||||||
| --- a/src/http/one/TeChunkedParser.h
 |  | ||||||
| +++ b/src/http/one/TeChunkedParser.h
 |  | ||||||
| @@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser
 |  | ||||||
|  private: |  | ||||||
|      bool parseChunkSize(Tokenizer &tok); |  | ||||||
|      bool parseChunkMetadataSuffix(Tokenizer &); |  | ||||||
| -    void parseChunkExtensions(Tokenizer &);
 |  | ||||||
| +    bool parseChunkExtensions(Tokenizer &);
 |  | ||||||
|      void parseOneChunkExtension(Tokenizer &); |  | ||||||
|      bool parseChunkBody(Tokenizer &tok); |  | ||||||
|      bool parseChunkEnd(Tokenizer &tok); |  | ||||||
| 
 |  | ||||||
| From 81e67f97f9c386bdd0bb4a5e182395c46adb70ad Mon Sep 17 00:00:00 2001 |  | ||||||
| From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com> |  | ||||||
| Date: Fri, 11 Oct 2024 02:44:33 +0200 |  | ||||||
| Subject: [PATCH 3/6] Fix typo in Parser.h |  | ||||||
| 
 |  | ||||||
| ---
 |  | ||||||
|  src/http/one/Parser.h | 2 +- |  | ||||||
|  1 file changed, 1 insertion(+), 1 deletion(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h
 |  | ||||||
| index 08200371cd6..3ef4c5f7752 100644
 |  | ||||||
| --- a/src/http/one/Parser.h
 |  | ||||||
| +++ b/src/http/one/Parser.h
 |  | ||||||
| @@ -163,7 +163,7 @@ class Parser : public RefCountable
 |  | ||||||
|  }; |  | ||||||
|   |  | ||||||
|  /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) |  | ||||||
| -/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars
 |  | ||||||
| +/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars
 |  | ||||||
|  /// \throws InsufficientInput when the end of BWS cannot be confirmed |  | ||||||
|  void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); |  | ||||||
|   |  | ||||||
| 
 |  | ||||||
| From a0d4fe1794e605f8299a5c118c758a807453f016 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Alex Rousskov <rousskov@measurement-factory.com> |  | ||||||
| Date: Thu, 10 Oct 2024 22:39:42 -0400 |  | ||||||
| Subject: [PATCH 4/6] Bug 5449 is a regression of Bug 4492! |  | ||||||
| 
 |  | ||||||
| Both bugs deal with "chunk-size SP+ CRLF" use cases. Bug 4492 had _two_ |  | ||||||
| spaces after chunk-size, which answers one of the PR review questions: |  | ||||||
| Should we skip just one space? No, we should not. |  | ||||||
| 
 |  | ||||||
| The lines moved around in many commits, but I believe this regression |  | ||||||
| was introduced in commit 951013d0 because that commit stopped consuming |  | ||||||
| partially parsed chunk-ext sequences. That consumption was wrong, but it |  | ||||||
| had a positive side effect -- fixing Bug 4492... |  | ||||||
| ---
 |  | ||||||
|  src/http/one/TeChunkedParser.cc | 10 +++++----- |  | ||||||
|  1 file changed, 5 insertions(+), 5 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc
 |  | ||||||
| index 41e1e5ddaea..aa4a840fdcf 100644
 |  | ||||||
| --- a/src/http/one/TeChunkedParser.cc
 |  | ||||||
| +++ b/src/http/one/TeChunkedParser.cc
 |  | ||||||
| @@ -125,10 +125,10 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
 |  | ||||||
|      // Code becomes much simpler when incremental parsing functions throw on |  | ||||||
|      // bad or insufficient input, like in the code below. TODO: Expand up. |  | ||||||
|      try { |  | ||||||
| -        // A possibly empty chunk-ext list. If no chunk-ext has been found,
 |  | ||||||
| -        // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF".
 |  | ||||||
| -        if (!parseChunkExtensions(tok))
 |  | ||||||
| -            ParseBws(tok, true);
 |  | ||||||
| +        // Bug 4492: IBM_HTTP_Server sends SP after chunk-size
 |  | ||||||
| +        ParseBws(tok, true);
 |  | ||||||
| +
 |  | ||||||
| +        parseChunkExtensions(tok);
 |  | ||||||
|   |  | ||||||
|          tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); |  | ||||||
|          buf_ = tok.remaining(); |  | ||||||
| @@ -150,7 +150,7 @@ Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok)
 |  | ||||||
|      do { |  | ||||||
|          auto tok = callerTok; |  | ||||||
|   |  | ||||||
| -        ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size
 |  | ||||||
| +        ParseBws(tok);
 |  | ||||||
|   |  | ||||||
|          if (!tok.skip(';')) |  | ||||||
|              return foundChunkExt; // reached the end of extensions (if any) |  | ||||||
| 
 |  | ||||||
| From f837f5ff61301a17008f16ce1fb793c2abf19786 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Alex Rousskov <rousskov@measurement-factory.com> |  | ||||||
| Date: Thu, 10 Oct 2024 23:06:42 -0400 |  | ||||||
| Subject: [PATCH 5/6] fixup: Fewer conditionals/ifs and more explicit spelling |  | ||||||
| 
 |  | ||||||
| ... to draw code reader attention when something unusual is going on. |  | ||||||
| ---
 |  | ||||||
|  src/http/one/Parser.cc          | 22 ++++++++++++++++++---- |  | ||||||
|  src/http/one/Parser.h           | 10 ++++++++-- |  | ||||||
|  src/http/one/TeChunkedParser.cc | 14 ++++++-------- |  | ||||||
|  src/http/one/TeChunkedParser.h  |  2 +- |  | ||||||
|  4 files changed, 33 insertions(+), 15 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc
 |  | ||||||
| index 01d7e3bc0e8..d3937e5e96b 100644
 |  | ||||||
| --- a/src/http/one/Parser.cc
 |  | ||||||
| +++ b/src/http/one/Parser.cc
 |  | ||||||
| @@ -271,11 +271,12 @@ Http::One::ErrorLevel()
 |  | ||||||
|      return Config.onoff.relaxed_header_parser < 0 ? DBG_IMPORTANT : 5; |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| -// BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule
 |  | ||||||
| -void
 |  | ||||||
| -Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only)
 |  | ||||||
| +/// common part of ParseBws() and ParseStrctBws()
 |  | ||||||
| +namespace Http::One {
 |  | ||||||
| +static void
 |  | ||||||
| +ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars)
 |  | ||||||
|  { |  | ||||||
| -    const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters());
 |  | ||||||
| +    const auto count = tok.skipAll(bwsChars);
 |  | ||||||
|   |  | ||||||
|      if (tok.atEnd()) |  | ||||||
|          throw InsufficientInput(); // even if count is positive |  | ||||||
| @@ -290,4 +291,17 @@ Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only)
 |  | ||||||
|   |  | ||||||
|      // success: no more BWS characters expected |  | ||||||
|  } |  | ||||||
| +} // namespace Http::One
 |  | ||||||
| +
 |  | ||||||
| +void
 |  | ||||||
| +Http::One::ParseBws(Parser::Tokenizer &tok)
 |  | ||||||
| +{
 |  | ||||||
| +    ParseBws_(tok, CharacterSet::WSP);
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
| +void
 |  | ||||||
| +Http::One::ParseStrictBws(Parser::Tokenizer &tok)
 |  | ||||||
| +{
 |  | ||||||
| +    ParseBws_(tok, Parser::WhitespaceCharacters());
 |  | ||||||
| +}
 |  | ||||||
|   |  | ||||||
| diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h
 |  | ||||||
| index 3ef4c5f7752..49e399de546 100644
 |  | ||||||
| --- a/src/http/one/Parser.h
 |  | ||||||
| +++ b/src/http/one/Parser.h
 |  | ||||||
| @@ -163,9 +163,15 @@ class Parser : public RefCountable
 |  | ||||||
|  }; |  | ||||||
|   |  | ||||||
|  /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) |  | ||||||
| -/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars
 |  | ||||||
|  /// \throws InsufficientInput when the end of BWS cannot be confirmed |  | ||||||
| -void ParseBws(Parser::Tokenizer &, const bool wsp_only = false);
 |  | ||||||
| +/// \sa WhitespaceCharacters() for the definition of BWS characters
 |  | ||||||
| +/// \sa ParseStrictBws() that avoids WhitespaceCharacters() uncertainties
 |  | ||||||
| +void ParseBws(Parser::Tokenizer &);
 |  | ||||||
| +
 |  | ||||||
| +/// Like ParseBws() but only skips CharacterSet::WSP characters. This variation
 |  | ||||||
| +/// must be used if the next element may start with CR or any other character
 |  | ||||||
| +/// from RelaxedDelimiterCharacters().
 |  | ||||||
| +void ParseStrictBws(Parser::Tokenizer &);
 |  | ||||||
|   |  | ||||||
|  /// the right debugs() level for logging HTTP violation messages |  | ||||||
|  int ErrorLevel(); |  | ||||||
| diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc
 |  | ||||||
| index aa4a840fdcf..859471b8c77 100644
 |  | ||||||
| --- a/src/http/one/TeChunkedParser.cc
 |  | ||||||
| +++ b/src/http/one/TeChunkedParser.cc
 |  | ||||||
| @@ -125,11 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
 |  | ||||||
|      // Code becomes much simpler when incremental parsing functions throw on |  | ||||||
|      // bad or insufficient input, like in the code below. TODO: Expand up. |  | ||||||
|      try { |  | ||||||
| -        // Bug 4492: IBM_HTTP_Server sends SP after chunk-size
 |  | ||||||
| -        ParseBws(tok, true);
 |  | ||||||
| -
 |  | ||||||
| -        parseChunkExtensions(tok);
 |  | ||||||
| +        // Bug 4492: IBM_HTTP_Server sends SP after chunk-size.
 |  | ||||||
| +        // No ParseBws() here because it may consume CR required further below.
 |  | ||||||
| +        ParseStrictBws(tok);
 |  | ||||||
|   |  | ||||||
| +        parseChunkExtensions(tok); // a possibly empty chunk-ext list
 |  | ||||||
|          tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); |  | ||||||
|          buf_ = tok.remaining(); |  | ||||||
|          parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; |  | ||||||
| @@ -143,22 +143,20 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
 |  | ||||||
|   |  | ||||||
|  /// Parses the chunk-ext list (RFC 9112 section 7.1.1: |  | ||||||
|  /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) |  | ||||||
| -bool
 |  | ||||||
| +void
 |  | ||||||
|  Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) |  | ||||||
|  { |  | ||||||
| -    bool foundChunkExt = false;
 |  | ||||||
|      do { |  | ||||||
|          auto tok = callerTok; |  | ||||||
|   |  | ||||||
|          ParseBws(tok); |  | ||||||
|   |  | ||||||
|          if (!tok.skip(';')) |  | ||||||
| -            return foundChunkExt; // reached the end of extensions (if any)
 |  | ||||||
| +            return; // reached the end of extensions (if any)
 |  | ||||||
|   |  | ||||||
|          parseOneChunkExtension(tok); |  | ||||||
|          buf_ = tok.remaining(); // got one extension |  | ||||||
|          callerTok = tok; |  | ||||||
| -        foundChunkExt = true;
 |  | ||||||
|      } while (true); |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h
 |  | ||||||
| index 8c5d4bb4cba..02eacd1bb89 100644
 |  | ||||||
| --- a/src/http/one/TeChunkedParser.h
 |  | ||||||
| +++ b/src/http/one/TeChunkedParser.h
 |  | ||||||
| @@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser
 |  | ||||||
|  private: |  | ||||||
|      bool parseChunkSize(Tokenizer &tok); |  | ||||||
|      bool parseChunkMetadataSuffix(Tokenizer &); |  | ||||||
| -    bool parseChunkExtensions(Tokenizer &);
 |  | ||||||
| +    void parseChunkExtensions(Tokenizer &);
 |  | ||||||
|      void parseOneChunkExtension(Tokenizer &); |  | ||||||
|      bool parseChunkBody(Tokenizer &tok); |  | ||||||
|      bool parseChunkEnd(Tokenizer &tok); |  | ||||||
| 
 |  | ||||||
| From f79936a234e722adb2dd08f31cf6019d81ee712c Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Alex Rousskov <rousskov@measurement-factory.com> |  | ||||||
| Date: Thu, 10 Oct 2024 23:31:08 -0400 |  | ||||||
| Subject: [PATCH 6/6] fixup: Deadly typo |  | ||||||
| 
 |  | ||||||
| ---
 |  | ||||||
|  src/http/one/Parser.cc | 4 ++-- |  | ||||||
|  1 file changed, 2 insertions(+), 2 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc
 |  | ||||||
| index d3937e5e96b..7403a9163a2 100644
 |  | ||||||
| --- a/src/http/one/Parser.cc
 |  | ||||||
| +++ b/src/http/one/Parser.cc
 |  | ||||||
| @@ -296,12 +296,12 @@ ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars)
 |  | ||||||
|  void |  | ||||||
|  Http::One::ParseBws(Parser::Tokenizer &tok) |  | ||||||
|  { |  | ||||||
| -    ParseBws_(tok, CharacterSet::WSP);
 |  | ||||||
| +    ParseBws_(tok, Parser::WhitespaceCharacters());
 |  | ||||||
|  } |  | ||||||
|   |  | ||||||
|  void |  | ||||||
|  Http::One::ParseStrictBws(Parser::Tokenizer &tok) |  | ||||||
|  { |  | ||||||
| -    ParseBws_(tok, Parser::WhitespaceCharacters());
 |  | ||||||
| +    ParseBws_(tok, CharacterSet::WSP);
 |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| 
 |  | ||||||
| @ -1,156 +0,0 @@ | |||||||
| commit c08948c8b831a2ba73c676b48aa11ba1b58cc542 |  | ||||||
| Author: Tomas Korbar <tkorbar@redhat.com> |  | ||||||
| Date:   Thu Dec 8 11:03:08 2022 +0100 |  | ||||||
| 
 |  | ||||||
|     Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections |  | ||||||
| 
 |  | ||||||
| diff --git a/src/comm.cc b/src/comm.cc
 |  | ||||||
| index 0d5f34d..6811b54 100644
 |  | ||||||
| --- a/src/comm.cc
 |  | ||||||
| +++ b/src/comm.cc
 |  | ||||||
| @@ -58,6 +58,7 @@
 |  | ||||||
|   */ |  | ||||||
|   |  | ||||||
|  static IOCB commHalfClosedReader; |  | ||||||
| +static int comm_openex(int sock_type, int proto, Ip::Address &, int flags, const char *note);
 |  | ||||||
|  static void comm_init_opened(const Comm::ConnectionPointer &conn, const char *note, struct addrinfo *AI); |  | ||||||
|  static int comm_apply_flags(int new_socket, Ip::Address &addr, int flags, struct addrinfo *AI); |  | ||||||
|   |  | ||||||
| @@ -75,6 +76,7 @@ static EVH commHalfClosedCheck;
 |  | ||||||
|  static void commPlanHalfClosedCheck(); |  | ||||||
|   |  | ||||||
|  static Comm::Flag commBind(int s, struct addrinfo &); |  | ||||||
| +static void commSetBindAddressNoPort(int);
 |  | ||||||
|  static void commSetReuseAddr(int); |  | ||||||
|  static void commSetNoLinger(int); |  | ||||||
|  #ifdef TCP_NODELAY |  | ||||||
| @@ -201,6 +203,22 @@ comm_local_port(int fd)
 |  | ||||||
|      return F->local_addr.port(); |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| +/// sets the IP_BIND_ADDRESS_NO_PORT socket option to optimize ephemeral port
 |  | ||||||
| +/// reuse by outgoing TCP connections that must bind(2) to a source IP address
 |  | ||||||
| +static void
 |  | ||||||
| +commSetBindAddressNoPort(const int fd)
 |  | ||||||
| +{
 |  | ||||||
| +#if defined(IP_BIND_ADDRESS_NO_PORT)
 |  | ||||||
| +    int flag = 1;
 |  | ||||||
| +    if (setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, reinterpret_cast<char*>(&flag), sizeof(flag)) < 0) {
 |  | ||||||
| +        const auto savedErrno = errno;
 |  | ||||||
| +        debugs(50, DBG_IMPORTANT, "ERROR: setsockopt(IP_BIND_ADDRESS_NO_PORT) failure: " << xstrerr(savedErrno));
 |  | ||||||
| +    }
 |  | ||||||
| +#else
 |  | ||||||
| +    (void)fd;
 |  | ||||||
| +#endif
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
|  static Comm::Flag |  | ||||||
|  commBind(int s, struct addrinfo &inaddr) |  | ||||||
|  { |  | ||||||
| @@ -227,6 +245,10 @@ comm_open(int sock_type,
 |  | ||||||
|            int flags, |  | ||||||
|            const char *note) |  | ||||||
|  { |  | ||||||
| +    // assume zero-port callers do not need to know the assigned port right away
 |  | ||||||
| +    if (sock_type == SOCK_STREAM && addr.port() == 0 && ((flags & COMM_DOBIND) || !addr.isAnyAddr()))
 |  | ||||||
| +        flags |= COMM_DOBIND_PORT_LATER;
 |  | ||||||
| +
 |  | ||||||
|      return comm_openex(sock_type, proto, addr, flags, note); |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| @@ -328,7 +350,7 @@ comm_set_transparent(int fd)
 |  | ||||||
|   * Create a socket. Default is blocking, stream (TCP) socket.  IO_TYPE |  | ||||||
|   * is OR of flags specified in defines.h:COMM_* |  | ||||||
|   */ |  | ||||||
| -int
 |  | ||||||
| +static int
 |  | ||||||
|  comm_openex(int sock_type, |  | ||||||
|              int proto, |  | ||||||
|              Ip::Address &addr, |  | ||||||
| @@ -476,6 +498,9 @@ comm_apply_flags(int new_socket,
 |  | ||||||
|          if ( addr.isNoAddr() ) |  | ||||||
|              debugs(5,0,"CRITICAL: Squid is attempting to bind() port " << addr << "!!"); |  | ||||||
|   |  | ||||||
| +        if ((flags & COMM_DOBIND_PORT_LATER))
 |  | ||||||
| +            commSetBindAddressNoPort(new_socket);
 |  | ||||||
| +
 |  | ||||||
|          if (commBind(new_socket, *AI) != Comm::OK) { |  | ||||||
|              comm_close(new_socket); |  | ||||||
|              return -1; |  | ||||||
| diff --git a/src/comm.h b/src/comm.h
 |  | ||||||
| index c963e1c..9ff201d 100644
 |  | ||||||
| --- a/src/comm.h
 |  | ||||||
| +++ b/src/comm.h
 |  | ||||||
| @@ -43,7 +43,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc
 |  | ||||||
|   |  | ||||||
|  /** |  | ||||||
|   * Open a port specially bound for listening or sending through a specific port. |  | ||||||
| - * This is a wrapper providing IPv4/IPv6 failover around comm_openex().
 |  | ||||||
|   * Please use for all listening sockets and bind() outbound sockets. |  | ||||||
|   * |  | ||||||
|   * It will open a socket bound for: |  | ||||||
| @@ -59,7 +58,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc
 |  | ||||||
|  int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note); |  | ||||||
|  void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note); |  | ||||||
|   |  | ||||||
| -int comm_openex(int, int, Ip::Address &, int, const char *);
 |  | ||||||
|  unsigned short comm_local_port(int fd); |  | ||||||
|   |  | ||||||
|  int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen); |  | ||||||
| diff --git a/src/comm/ConnOpener.cc b/src/comm/ConnOpener.cc
 |  | ||||||
| index 25a30e4..2082214 100644
 |  | ||||||
| --- a/src/comm/ConnOpener.cc
 |  | ||||||
| +++ b/src/comm/ConnOpener.cc
 |  | ||||||
| @@ -263,7 +263,7 @@ Comm::ConnOpener::createFd()
 |  | ||||||
|      if (callback_ == NULL || callback_->canceled()) |  | ||||||
|          return false; |  | ||||||
|   |  | ||||||
| -    temporaryFd_ = comm_openex(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_);
 |  | ||||||
| +    temporaryFd_ = comm_open(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_);
 |  | ||||||
|      if (temporaryFd_ < 0) { |  | ||||||
|          sendAnswer(Comm::ERR_CONNECT, 0, "Comm::ConnOpener::createFd"); |  | ||||||
|          return false; |  | ||||||
| diff --git a/src/comm/Connection.h b/src/comm/Connection.h
 |  | ||||||
| index 4f2f23a..1e32c22 100644
 |  | ||||||
| --- a/src/comm/Connection.h
 |  | ||||||
| +++ b/src/comm/Connection.h
 |  | ||||||
| @@ -47,6 +47,8 @@ namespace Comm
 |  | ||||||
|  #define COMM_DOBIND             0x08  // requires a bind() |  | ||||||
|  #define COMM_TRANSPARENT        0x10  // arrived via TPROXY |  | ||||||
|  #define COMM_INTERCEPTION       0x20  // arrived via NAT |  | ||||||
| +/// Internal Comm optimization: Keep the source port unassigned until connect(2)
 |  | ||||||
| +#define COMM_DOBIND_PORT_LATER 0x100
 |  | ||||||
|   |  | ||||||
|  /** |  | ||||||
|   * Store data about the physical and logical attributes of a connection. |  | ||||||
| diff --git a/src/ipc.cc b/src/ipc.cc
 |  | ||||||
| index e1d48fc..e92a27f 100644
 |  | ||||||
| --- a/src/ipc.cc
 |  | ||||||
| +++ b/src/ipc.cc
 |  | ||||||
| @@ -95,12 +95,12 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
 |  | ||||||
|      } else void(0) |  | ||||||
|   |  | ||||||
|      if (type == IPC_TCP_SOCKET) { |  | ||||||
| -        crfd = cwfd = comm_open(SOCK_STREAM,
 |  | ||||||
| +        crfd = cwfd = comm_open_listener(SOCK_STREAM,
 |  | ||||||
|                                  0, |  | ||||||
|                                  local_addr, |  | ||||||
|                                  COMM_NOCLOEXEC, |  | ||||||
|                                  name); |  | ||||||
| -        prfd = pwfd = comm_open(SOCK_STREAM,
 |  | ||||||
| +        prfd = pwfd = comm_open_listener(SOCK_STREAM,
 |  | ||||||
|                                  0,          /* protocol */ |  | ||||||
|                                  local_addr, |  | ||||||
|                                  0,          /* blocking */ |  | ||||||
| diff --git a/src/tests/stub_comm.cc b/src/tests/stub_comm.cc
 |  | ||||||
| index 58f85e4..5381ab2 100644
 |  | ||||||
| --- a/src/tests/stub_comm.cc
 |  | ||||||
| +++ b/src/tests/stub_comm.cc
 |  | ||||||
| @@ -46,7 +46,6 @@ int comm_open_uds(int sock_type, int proto, struct sockaddr_un* addr, int flags)
 |  | ||||||
|  void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struct addrinfo *AI) STUB |  | ||||||
|  int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note) STUB_RETVAL(-1) |  | ||||||
|  void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note) STUB |  | ||||||
| -int comm_openex(int, int, Ip::Address &, int, tos_t tos, nfmark_t nfmark, const char *) STUB_RETVAL(-1)
 |  | ||||||
|  unsigned short comm_local_port(int fd) STUB_RETVAL(0) |  | ||||||
|  int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen) STUB_RETVAL(-1) |  | ||||||
|  void commCallCloseHandlers(int fd) STUB |  | ||||||
| @ -1,25 +0,0 @@ | |||||||
| File: squid-4.15.tar.xz |  | ||||||
| Date: Mon 10 May 2021 10:50:22 UTC |  | ||||||
| Size: 2454176 |  | ||||||
| MD5 : a593de9dc888dfeca4f1f7db2cd7d3b9 |  | ||||||
| SHA1: 60bda34ba39657e2d870c8c1d2acece8a69c3075 |  | ||||||
| Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz> |  | ||||||
|             B068 84ED B779 C89B 044E  64E3 CD6D BF8E F3B1 7D3E |  | ||||||
|       keyring = http://www.squid-cache.org/pgp.asc |  | ||||||
|       keyserver = pool.sks-keyservers.net |  | ||||||
| -----BEGIN PGP SIGNATURE----- |  | ||||||
| 
 |  | ||||||
| iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAmCZD/UACgkQzW2/jvOx |  | ||||||
| fT6zZg/+N8JMIYpmVJ7jm4lF0Ub2kEHGTOrc+tnlA3LGnlMQuTm61+BYk58g0SKW |  | ||||||
| 96NbJ0cycW215Q34L+Y0tWuxEbIU01vIc3AA7rQd0LKy+fQU0OtBuhk5Vf4bKilW |  | ||||||
| uHEVIQZs9HmY6bqC+kgtCf49tVZvR8FZYNuilg/68+i/pQdwaDDmVb+j2oF7w+y2 |  | ||||||
| dgkTFWtM5NTL6bqUVC0E7lLFPjzMefKfxkkpWFdV/VrAhU25jN24kpnjcfotQhdW |  | ||||||
| LDFy5okduz3ljso9pBYJfLeMXM1FZPpceC91zj32x3tcUyrD3yIoXob58rEKvfe4 |  | ||||||
| RDXN4SuClsNe4UQ4oNoGIES9XtaYlOzPR1PlbqPUrdp1cDnhgLJ+1fkAixlMqCml |  | ||||||
| wuI1VIKSEY+nvRzQzFHnXJK9otV8QwMF76AHaytO9y+X6JuZmu/CcV1pq61qY9qv |  | ||||||
| t1/8z99wWSxpu17zthZgq64J225GF/hkBedaFlYoS5k5YUMDLPlRSCC0yPmb8JBF |  | ||||||
| Cns5i/aq2PmOx2ZhQ2RQIF416J3HK8Galw8ytFOjnEcn4ux9yzKNjL38p4+PJJA0 |  | ||||||
| 7GCMAqYYNjok3LSkGbiR7cPgbHnkqRfYbPFLMj4FtruoFlZ9L5MIU3oFvqA3ZR6l |  | ||||||
| Az6LaKLsAYPUmukAOPUSIrqpKXZHc7hdBWkT+7RYA4qaoU+9oIo= |  | ||||||
| =1Re1 |  | ||||||
| -----END PGP SIGNATURE----- |  | ||||||
| @ -1,9 +0,0 @@ | |||||||
| # default squid options |  | ||||||
| SQUID_OPTS="" |  | ||||||
| 
 |  | ||||||
| # Time to wait for Squid to shut down when asked. Should not be necessary |  | ||||||
| # most of the time. |  | ||||||
| SQUID_SHUTDOWN_TIMEOUT=100 |  | ||||||
| 
 |  | ||||||
| # default squid conf file |  | ||||||
| SQUID_CONF="/etc/squid/squid.conf" |  | ||||||
| @ -5,12 +5,17 @@ fi | |||||||
| 
 | 
 | ||||||
| SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"} | SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"} | ||||||
| 
 | 
 | ||||||
| CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \ | CACHE_SWAP=`awk '/^[[:blank:]]*cache_dir/ { print $3 }' "$SQUID_CONF"` | ||||||
| 	grep cache_dir | awk '{ print $3 }'` |  | ||||||
| 
 | 
 | ||||||
|  | init_cache_dirs=0 | ||||||
| for adir in $CACHE_SWAP; do | for adir in $CACHE_SWAP; do | ||||||
| 	if [ ! -d $adir/00 ]; then | 	if [ ! -d $adir/00 ]; then | ||||||
| 		echo -n "init_cache_dir $adir... " | 		echo -n "init_cache_dir $adir... " | ||||||
| 		squid -N -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1 | 		init_cache_dirs=1 | ||||||
| 	fi | 	fi | ||||||
| done | done | ||||||
|  | 
 | ||||||
|  | if [ $init_cache_dirs -ne 0 ]; then | ||||||
|  | 	echo "" | ||||||
|  | 	squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1 | ||||||
|  | fi | ||||||
							
								
								
									
										1
									
								
								sources
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										1
									
								
								sources
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1 @@ | |||||||
|  | SHA512 (squid-6.10.tar.xz) = c0b75c3d383b1cd234b30dd02e84e1c5655fc53f63b75704bf4bac9ee0b86ba27e4656116893aff8b95dea19ff1befabcbb9dab3875da52fcb65f1d30f0fe5a9 | ||||||
| @ -1,8 +1,8 @@ | |||||||
| diff --git a/src/cf.data.pre b/src/cf.data.pre
 | diff --git a/src/cf.data.pre b/src/cf.data.pre
 | ||||||
| index 26ef576..30d5509 100644
 | index 44aa34d..12225bc 100644
 | ||||||
| --- a/src/cf.data.pre
 | --- a/src/cf.data.pre
 | ||||||
| +++ b/src/cf.data.pre
 | +++ b/src/cf.data.pre
 | ||||||
| @@ -5006,7 +5006,7 @@ DOC_END
 | @@ -5453,7 +5453,7 @@ DOC_END
 | ||||||
|   |   | ||||||
|  NAME: logfile_rotate |  NAME: logfile_rotate | ||||||
|  TYPE: int |  TYPE: int | ||||||
| @ -11,7 +11,7 @@ index 26ef576..30d5509 100644 | |||||||
|  LOC: Config.Log.rotateNumber |  LOC: Config.Log.rotateNumber | ||||||
|  DOC_START |  DOC_START | ||||||
|  	Specifies the default number of logfile rotations to make when you |  	Specifies the default number of logfile rotations to make when you | ||||||
| @@ -6857,11 +6857,11 @@ COMMENT_END
 | @@ -7447,11 +7447,11 @@ COMMENT_END
 | ||||||
|   |   | ||||||
|  NAME: cache_mgr |  NAME: cache_mgr | ||||||
|  TYPE: string |  TYPE: string | ||||||
| @ -1,8 +1,8 @@ | |||||||
| diff --git a/src/client_side.cc b/src/client_side.cc
 | diff --git a/src/client_side.cc b/src/client_side.cc
 | ||||||
| index f57f3f7..ab393e4 100644
 | index f488fc4..69586df 100644
 | ||||||
| --- a/src/client_side.cc
 | --- a/src/client_side.cc
 | ||||||
| +++ b/src/client_side.cc
 | +++ b/src/client_side.cc
 | ||||||
| @@ -906,7 +906,7 @@ ConnStateData::kick()
 | @@ -932,7 +932,7 @@ ConnStateData::kick()
 | ||||||
|       * We are done with the response, and we are either still receiving request |       * We are done with the response, and we are either still receiving request | ||||||
|       * body (early response!) or have already stopped receiving anything. |       * body (early response!) or have already stopped receiving anything. | ||||||
|       * |       * | ||||||
| @ -11,7 +11,7 @@ index f57f3f7..ab393e4 100644 | |||||||
|       * (XXX: but then we will call readNextRequest() which may succeed and |       * (XXX: but then we will call readNextRequest() which may succeed and | ||||||
|       * execute a smuggled request as we are not done with the current request). |       * execute a smuggled request as we are not done with the current request). | ||||||
|       * |       * | ||||||
| @@ -926,28 +926,12 @@ ConnStateData::kick()
 | @@ -952,28 +952,12 @@ ConnStateData::kick()
 | ||||||
|       * Attempt to parse a request from the request buffer. |       * Attempt to parse a request from the request buffer. | ||||||
|       * If we've been fed a pipelined request it may already |       * If we've been fed a pipelined request it may already | ||||||
|       * be in our read buffer. |       * be in our read buffer. | ||||||
| @ -42,8 +42,8 @@ index f57f3f7..ab393e4 100644 | |||||||
|   |   | ||||||
|      /** \par |      /** \par | ||||||
|       * At this point we either have a parsed request (which we've |       * At this point we either have a parsed request (which we've | ||||||
| @@ -2058,16 +2042,11 @@ ConnStateData::receivedFirstByte()
 | @@ -1893,16 +1877,11 @@ ConnStateData::receivedFirstByte()
 | ||||||
|      commSetConnTimeout(clientConnection, Config.Timeout.request, timeoutCall); |      resetReadTimeout(Config.Timeout.request); | ||||||
|  } |  } | ||||||
|   |   | ||||||
| -/**
 | -/**
 | ||||||
| @ -60,19 +60,19 @@ index f57f3f7..ab393e4 100644 | |||||||
|  { |  { | ||||||
| -    bool parsed_req = false;
 | -    bool parsed_req = false;
 | ||||||
| -
 | -
 | ||||||
|      debugs(33, 5, HERE << clientConnection << ": attempting to parse"); |      debugs(33, 5, clientConnection << ": attempting to parse"); | ||||||
|   |   | ||||||
|      // Loop while we have read bytes that are not needed for producing the body |      // Loop while we have read bytes that are not needed for producing the body | ||||||
| @@ -2116,8 +2095,6 @@ ConnStateData::clientParseRequests()
 | @@ -1947,8 +1926,6 @@ ConnStateData::clientParseRequests()
 | ||||||
|   |   | ||||||
|              processParsedRequest(context); |              processParsedRequest(context); | ||||||
|   |   | ||||||
| -            parsed_req = true; // XXX: do we really need to parse everything right NOW ?
 | -            parsed_req = true; // XXX: do we really need to parse everything right NOW ?
 | ||||||
| -
 | -
 | ||||||
|              if (context->mayUseConnection()) { |              if (context->mayUseConnection()) { | ||||||
|                  debugs(33, 3, HERE << "Not parsing new requests, as this request may need the connection"); |                  debugs(33, 3, "Not parsing new requests, as this request may need the connection"); | ||||||
|                  break; |                  break; | ||||||
| @@ -2130,8 +2107,19 @@ ConnStateData::clientParseRequests()
 | @@ -1961,8 +1938,19 @@ ConnStateData::clientParseRequests()
 | ||||||
|          } |          } | ||||||
|      } |      } | ||||||
|   |   | ||||||
| @ -94,21 +94,16 @@ index f57f3f7..ab393e4 100644 | |||||||
|  } |  } | ||||||
|   |   | ||||||
|  void |  void | ||||||
| @@ -2148,23 +2136,7 @@ ConnStateData::afterClientRead()
 | @@ -1979,18 +1967,7 @@ ConnStateData::afterClientRead()
 | ||||||
|      if (pipeline.empty()) |      if (pipeline.empty()) | ||||||
|          fd_note(clientConnection->fd, "Reading next request"); |          fd_note(clientConnection->fd, "Reading next request"); | ||||||
|   |   | ||||||
| -    if (!clientParseRequests()) {
 | -    if (!clientParseRequests()) {
 | ||||||
| -        if (!isOpen())
 | -        if (!isOpen())
 | ||||||
| -            return;
 | -            return;
 | ||||||
| -        /*
 | -        // We may get here if the client half-closed after sending a partial
 | ||||||
| -         * If the client here is half closed and we failed
 | -        // request. See doClientRead() and shouldCloseOnEof().
 | ||||||
| -         * to parse a request, close the connection.
 | -        // XXX: This partially duplicates ConnStateData::kick().
 | ||||||
| -         * The above check with connFinishedWithConn() only
 |  | ||||||
| -         * succeeds _if_ the buffer is empty which it won't
 |  | ||||||
| -         * be if we have an incomplete request.
 |  | ||||||
| -         * XXX: This duplicates ConnStateData::kick
 |  | ||||||
| -         */
 |  | ||||||
| -        if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) {
 | -        if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) {
 | ||||||
| -            debugs(33, 5, clientConnection << ": half-closed connection, no completed request parsed, connection closing.");
 | -            debugs(33, 5, clientConnection << ": half-closed connection, no completed request parsed, connection closing.");
 | ||||||
| -            clientConnection->close();
 | -            clientConnection->close();
 | ||||||
| @ -119,7 +114,7 @@ index f57f3f7..ab393e4 100644 | |||||||
|   |   | ||||||
|      if (!isOpen()) |      if (!isOpen()) | ||||||
|          return; |          return; | ||||||
| @@ -3945,7 +3917,7 @@ ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic)
 | @@ -3775,7 +3752,7 @@ ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic)
 | ||||||
|      startPinnedConnectionMonitoring(); |      startPinnedConnectionMonitoring(); | ||||||
|   |   | ||||||
|      if (pipeline.empty()) |      if (pipeline.empty()) | ||||||
| @ -129,27 +124,27 @@ index f57f3f7..ab393e4 100644 | |||||||
|   |   | ||||||
|  /// Forward future client requests using the given server connection. |  /// Forward future client requests using the given server connection. | ||||||
| diff --git a/src/client_side.h b/src/client_side.h
 | diff --git a/src/client_side.h b/src/client_side.h
 | ||||||
| index 9fe8463..dfb4d8e 100644
 | index 6027b31..60b99b1 100644
 | ||||||
| --- a/src/client_side.h
 | --- a/src/client_side.h
 | ||||||
| +++ b/src/client_side.h
 | +++ b/src/client_side.h
 | ||||||
| @@ -85,7 +85,6 @@ public:
 | @@ -98,7 +98,6 @@ public:
 | ||||||
|      virtual void doneWithControlMsg(); |      void doneWithControlMsg() override; | ||||||
|   |   | ||||||
|      /// Traffic parsing |      /// Traffic parsing | ||||||
| -    bool clientParseRequests();
 | -    bool clientParseRequests();
 | ||||||
|      void readNextRequest(); |      void readNextRequest(); | ||||||
|   |   | ||||||
|      /// try to make progress on a transaction or read more I/O |      /// try to make progress on a transaction or read more I/O | ||||||
| @@ -373,6 +372,7 @@ private:
 | @@ -443,6 +442,7 @@ private:
 | ||||||
|      virtual bool connFinishedWithConn(int size); |   | ||||||
|      virtual void checkLogging(); |      void checkLogging(); | ||||||
|   |   | ||||||
| +    void parseRequests();
 | +    void parseRequests();
 | ||||||
|      void clientAfterReadingRequests(); |      void clientAfterReadingRequests(); | ||||||
|      bool concurrentRequestQueueFilled() const; |      bool concurrentRequestQueueFilled() const; | ||||||
|   |   | ||||||
| diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc
 | diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc
 | ||||||
| index d7efb0f..655ed83 100644
 | index 8c160e5..f49d5dc 100644
 | ||||||
| --- a/src/tests/stub_client_side.cc
 | --- a/src/tests/stub_client_side.cc
 | ||||||
| +++ b/src/tests/stub_client_side.cc
 | +++ b/src/tests/stub_client_side.cc
 | ||||||
| @@ -14,7 +14,7 @@
 | @@ -14,7 +14,7 @@
 | ||||||
| @ -1,8 +1,7 @@ | |||||||
| diff --git a/QUICKSTART b/QUICKSTART
 | diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART
 | ||||||
| index e5299b4..a243437 100644
 | --- squid-3.1.0.9/QUICKSTART.location	2009-06-26 12:35:27.000000000 +0200
 | ||||||
| --- a/QUICKSTART
 | +++ squid-3.1.0.9/QUICKSTART	2009-07-17 14:03:10.000000000 +0200
 | ||||||
| +++ b/QUICKSTART
 | @@ -10,10 +10,9 @@ After you retrieved, compiled and instal
 | ||||||
| @@ -10,10 +10,9 @@ After you retrieved, compiled and installed the Squid software (see
 |  | ||||||
|  INSTALL in the same directory), you have to configure the squid.conf |  INSTALL in the same directory), you have to configure the squid.conf | ||||||
|  file. This is the list of the values you *need* to change, because no |  file. This is the list of the values you *need* to change, because no | ||||||
|  sensible defaults could be defined. Do not touch the other variables |  sensible defaults could be defined. Do not touch the other variables | ||||||
| @ -15,7 +14,7 @@ index e5299b4..a243437 100644 | |||||||
|   |   | ||||||
|  ============================================================================== |  ============================================================================== | ||||||
|   |   | ||||||
| @@ -80,12 +79,12 @@ After editing squid.conf to your liking, run Squid from the command
 | @@ -82,12 +81,12 @@ After editing squid.conf to your liking,
 | ||||||
|  line TWICE: |  line TWICE: | ||||||
|   |   | ||||||
|  To create any disk cache_dir configured: |  To create any disk cache_dir configured: | ||||||
| @ -1,10 +1,10 @@ | |||||||
| diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl
 | diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl
 | ||||||
| index 90ac6a4..8dbed90 100755
 | index e965e9e..ed5ffcb 100755
 | ||||||
| --- a/contrib/url-normalizer.pl
 | --- a/contrib/url-normalizer.pl
 | ||||||
| +++ b/contrib/url-normalizer.pl
 | +++ b/contrib/url-normalizer.pl
 | ||||||
| @@ -1,4 +1,4 @@
 | @@ -1,4 +1,4 @@
 | ||||||
| -#!/usr/local/bin/perl -Tw
 | -#!/usr/local/bin/perl -Tw
 | ||||||
| +#!/usr/bin/perl -Tw
 | +#!/usr/bin/perl -Tw
 | ||||||
|  # |  # | ||||||
|  # * Copyright (C) 1996-2021 The Squid Software Foundation and contributors |  # * Copyright (C) 1996-2023 The Squid Software Foundation and contributors | ||||||
|  # * |  # * | ||||||
							
								
								
									
										26
									
								
								squid-6.1-symlink-lang-err.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										26
									
								
								squid-6.1-symlink-lang-err.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,26 @@ | |||||||
|  | diff --git a/errors/aliases b/errors/aliases
 | ||||||
|  | index c256106..38c123a 100644
 | ||||||
|  | --- a/errors/aliases
 | ||||||
|  | +++ b/errors/aliases
 | ||||||
|  | @@ -14,8 +14,7 @@ da	da-dk
 | ||||||
|  |  de	de-at de-ch de-de de-li de-lu | ||||||
|  |  el	el-gr | ||||||
|  |  en	en-au en-bz en-ca en-cn en-gb en-ie en-in en-jm en-nz en-ph en-sg en-tt en-uk en-us en-za en-zw | ||||||
|  | -es	es-ar es-bo es-cl es-cu es-co es-do es-ec es-es es-pe es-pr es-py es-us es-uy es-ve es-xl spq
 | ||||||
|  | -es-mx	es-bz es-cr es-gt es-hn es-ni es-pa es-sv
 | ||||||
|  | +es	es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-us es-uy es-ve es-xl
 | ||||||
|  |  et	et-ee | ||||||
|  |  fa	fa-fa fa-ir | ||||||
|  |  fi	fi-fi | ||||||
|  | diff --git a/errors/language.am b/errors/language.am
 | ||||||
|  | index a437d17..f2fe463 100644
 | ||||||
|  | --- a/errors/language.am
 | ||||||
|  | +++ b/errors/language.am
 | ||||||
|  | @@ -19,7 +19,6 @@ LANGUAGE_FILES = \
 | ||||||
|  |  	de.lang \ | ||||||
|  |  	el.lang \ | ||||||
|  |  	en.lang \ | ||||||
|  | -	es-mx.lang \
 | ||||||
|  |  	es.lang \ | ||||||
|  |  	et.lang \ | ||||||
|  |  	fa.lang \ | ||||||
							
								
								
									
										17
									
								
								squid-6.10.tar.xz.asc
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										17
									
								
								squid-6.10.tar.xz.asc
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,17 @@ | |||||||
|  | File: squid-6.10.tar.xz | ||||||
|  | Date: Sat Jun  8 02:53:29 PM UTC 2024 | ||||||
|  | Size: 2558208 | ||||||
|  | MD5 : 86deefa7282c4388be95260aa4d4cf6a | ||||||
|  | SHA1: 70e90865df0e4e9ba7765b622da40bda9bb8fc5d | ||||||
|  | Key : 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865 <kinkie@squid-cache.org> | ||||||
|  |             29B4 B1F7 CE03 D1B1 DED2  2F30 28F8 5029 FEF6 E865 | ||||||
|  | sub   cv25519 2021-05-15 [E] | ||||||
|  |       keyring = http://www.squid-cache.org/pgp.asc | ||||||
|  |       keyserver = pool.sks-keyservers.net | ||||||
|  | -----BEGIN PGP SIGNATURE----- | ||||||
|  | 
 | ||||||
|  | iHUEABYKAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCZmRwewAKCRAo+FAp/vbo | ||||||
|  | ZZV0AP0WDdXJFarEEYCSXSv/zT1l0FrI8jLQCT3Rsp6nTbWxfwD/VYmUMDetPLPJ | ||||||
|  | GYHJNrRm7OceMQcsqhQIz6X71SR9AQs= | ||||||
|  | =4HPC | ||||||
|  | -----END PGP SIGNATURE----- | ||||||
| @ -2,6 +2,7 @@ | |||||||
|     weekly |     weekly | ||||||
|     rotate 5 |     rotate 5 | ||||||
|     compress |     compress | ||||||
|  |     delaycompress | ||||||
|     notifempty |     notifempty | ||||||
|     missingok |     missingok | ||||||
|     nocreate |     nocreate | ||||||
| @ -10,7 +11,5 @@ | |||||||
|       # Asks squid to reopen its logs. (logfile_rotate 0 is set in squid.conf) |       # Asks squid to reopen its logs. (logfile_rotate 0 is set in squid.conf) | ||||||
|       # errors redirected to make it silent if squid is not running |       # errors redirected to make it silent if squid is not running | ||||||
|       /usr/sbin/squid -k rotate 2>/dev/null |       /usr/sbin/squid -k rotate 2>/dev/null | ||||||
|       # Wait a little to allow Squid to catch up before the logs is compressed |  | ||||||
|       sleep 1 |  | ||||||
|     endscript |     endscript | ||||||
| } | } | ||||||
| @ -2,6 +2,6 @@ | |||||||
| 
 | 
 | ||||||
| case "$2" in | case "$2" in | ||||||
|         up|down|vpn-up|vpn-down) |         up|down|vpn-up|vpn-down) | ||||||
|                 /bin/systemctl -q reload squid.service || : |                 /usr/bin/systemctl -q reload squid.service || : | ||||||
|                 ;; |                 ;; | ||||||
| esac | esac | ||||||
| @ -1,86 +1,51 @@ | |||||||
| %define __perl_requires %{SOURCE98} | %define __perl_requires %{SOURCE98} | ||||||
| 
 | 
 | ||||||
| Name:     squid | Name:     squid | ||||||
| Version:  4.15 | Version:  6.10 | ||||||
| Release:  10%{?dist}.3 | Release:  1%{?dist} | ||||||
| Summary:  The Squid proxy caching server | Summary:  The Squid proxy caching server | ||||||
| Epoch:    7 | Epoch:    7 | ||||||
| # See CREDITS for breakdown of non GPLv2+ code | # See CREDITS for breakdown of non GPLv2+ code | ||||||
| License:  GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain) | License:  GPL-2.0-or-later AND (LGPL-2.0-or-later AND MIT AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND LicenseRef-Fedora-Public-Domain AND Beerware) | ||||||
| URL:      http://www.squid-cache.org | URL:      http://www.squid-cache.org | ||||||
| Source0:  http://www.squid-cache.org/Versions/v4/squid-%{version}.tar.xz | 
 | ||||||
| Source1:  http://www.squid-cache.org/Versions/v4/squid-%{version}.tar.xz.asc | Source0:  http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz | ||||||
| Source2:  squid.logrotate | Source1:  http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz.asc | ||||||
| Source3:  squid.sysconfig | Source2:  http://www.squid-cache.org/pgp.asc | ||||||
| Source4:  squid.pam | Source3:  squid.logrotate | ||||||
| Source5:  squid.nm | Source4:  squid.sysconfig | ||||||
| Source6:  squid.service | Source5:  squid.pam | ||||||
| Source7:  cache_swap.sh | Source6:  squid.nm | ||||||
|  | Source7:  squid.service | ||||||
|  | Source8:  cache_swap.sh | ||||||
|  | Source9:  squid.sysusers | ||||||
| 
 | 
 | ||||||
| Source98: perl-requires-squid.sh | Source98: perl-requires-squid.sh | ||||||
| 
 | 
 | ||||||
| # Upstream patches | # Upstream patches | ||||||
| 
 | 
 | ||||||
| # Backported patches | # Backported patches | ||||||
| Patch101: squid-4.15-ip-bind-address-no-port.patch | # Patch101: patch | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2072988 |  | ||||||
| 
 | 
 | ||||||
| # Local patches | # Local patches | ||||||
| # Applying upstream patches first makes it less likely that local patches | # Applying upstream patches first makes it less likely that local patches | ||||||
| # will break upstream ones. | # will break upstream ones. | ||||||
| Patch201: squid-4.11-config.patch | Patch201: squid-6.1-config.patch | ||||||
| Patch202: squid-4.11-location.patch | Patch202: squid-6.1-location.patch | ||||||
| Patch203: squid-4.11-perlpath.patch | Patch203: squid-6.1-perlpath.patch | ||||||
| Patch204: squid-4.11-include-guards.patch | # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 | ||||||
| Patch205: squid-4.11-large-acl.patch | # workaround for #1934919 | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=980511 | Patch204: squid-6.1-symlink-lang-err.patch | ||||||
| Patch206: squid-4.11-active-ftp.patch | # Upstream PR: https://github.com/squid-cache/squid/pull/1442 | ||||||
| Patch208: squid-4.11-convert-ipv4.patch | Patch205: squid-6.1-crash-half-closed.patch | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2006121 |  | ||||||
| Patch209: squid-4.15-ftp-filename-extraction.patch |  | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2076717 |  | ||||||
| Patch210: squid-4.15-halfclosed.patch |  | ||||||
| 
 | 
 | ||||||
| # Security fixes | # cache_swap.sh | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=1941506 | Requires: bash gawk | ||||||
| Patch300: squid-4.15-CVE-2021-28116.patch | # for httpd conf file - cachemgr script alias | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2100721 | Requires: httpd-filesystem | ||||||
| Patch301: squid-4.15-CVE-2021-46784.patch |  | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2129771 |  | ||||||
| Patch302: squid-4.15-CVE-2022-41318.patch |  | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2245910 |  | ||||||
| # +backported: https://github.com/squid-cache/squid/commit/417da4006cf5c97d44e74431b816fc58fec9e270 |  | ||||||
| Patch303: squid-4.15-CVE-2023-46846.patch |  | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2245916 |  | ||||||
| Patch304: squid-4.15-CVE-2023-46847.patch |  | ||||||
| # https://issues.redhat.com/browse/RHEL-14792 |  | ||||||
| Patch305: squid-4.15-CVE-2023-5824.patch |  | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2248521 |  | ||||||
| Patch306: squid-4.15-CVE-2023-46728.patch |  | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2247567 |  | ||||||
| Patch307: squid-4.15-CVE-2023-46724.patch |  | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2252926 |  | ||||||
| Patch308: squid-4.15-CVE-2023-49285.patch |  | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2252923 |  | ||||||
| Patch309: squid-4.15-CVE-2023-49286.patch |  | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2254663 |  | ||||||
| Patch310: squid-4.15-CVE-2023-50269.patch |  | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2264309 |  | ||||||
| Patch311: squid-4.15-CVE-2024-25617.patch |  | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2268366 |  | ||||||
| Patch312: squid-4.15-CVE-2024-25111.patch |  | ||||||
| # Regression caused by squid-4.15-CVE-2023-46846.patch |  | ||||||
| # Upstream PR: https://github.com/squid-cache/squid/pull/1914 |  | ||||||
| Patch313: squid-4.15-ignore-wsp-after-chunk-size.patch |  | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2260051 |  | ||||||
| Patch314: squid-4.15-CVE-2024-23638.patch |  | ||||||
| 
 | 
 | ||||||
| Requires: bash >= 2.0 |  | ||||||
| Requires(pre): shadow-utils |  | ||||||
| Requires(post): systemd |  | ||||||
| Requires(preun): systemd |  | ||||||
| Requires(postun): systemd |  | ||||||
| # squid_ldap_auth and other LDAP helpers require OpenLDAP | # squid_ldap_auth and other LDAP helpers require OpenLDAP | ||||||
|  | BuildRequires: make | ||||||
| BuildRequires: openldap-devel | BuildRequires: openldap-devel | ||||||
| # squid_pam_auth requires PAM development libs | # squid_pam_auth requires PAM development libs | ||||||
| BuildRequires: pam-devel | BuildRequires: pam-devel | ||||||
| @ -88,8 +53,10 @@ BuildRequires: pam-devel | |||||||
| BuildRequires: openssl-devel | BuildRequires: openssl-devel | ||||||
| # squid_kerb_aut requires Kerberos development libs | # squid_kerb_aut requires Kerberos development libs | ||||||
| BuildRequires: krb5-devel | BuildRequires: krb5-devel | ||||||
| # time_quota requires DB | # time_quota requires TrivialDB | ||||||
| BuildRequires: libdb-devel | BuildRequires: libtdb-devel | ||||||
|  | # ESI support requires Expat & libxml2 | ||||||
|  | BuildRequires: expat-devel libxml2-devel | ||||||
| # TPROXY requires libcap, and also increases security somewhat | # TPROXY requires libcap, and also increases security somewhat | ||||||
| BuildRequires: libcap-devel | BuildRequires: libcap-devel | ||||||
| # eCAP support | # eCAP support | ||||||
| @ -100,13 +67,23 @@ BuildRequires: libtool libtool-ltdl-devel | |||||||
| BuildRequires: perl-generators | BuildRequires: perl-generators | ||||||
| # For test suite | # For test suite | ||||||
| BuildRequires: pkgconfig(cppunit) | BuildRequires: pkgconfig(cppunit) | ||||||
| BuildRequires: autoconf | # For verifying downloded src tarball | ||||||
|  | BuildRequires: gnupg2 | ||||||
|  | # for _tmpfilesdir and _unitdir macro | ||||||
|  | # see https://docs.fedoraproject.org/en-US/packaging-guidelines/Systemd/#_packaging | ||||||
|  | BuildRequires: systemd-rpm-macros | ||||||
| # systemd notify | # systemd notify | ||||||
| BuildRequires: systemd-devel | BuildRequires: systemd-devel | ||||||
| 
 | 
 | ||||||
|  | %{?systemd_requires} | ||||||
|  | %{?sysusers_requires_compat} | ||||||
|  | 
 | ||||||
|  | # Old NetworkManager expects the dispatcher scripts in a different place | ||||||
|  | Conflicts: NetworkManager < 1.20 | ||||||
|  | 
 | ||||||
| %description | %description | ||||||
| Squid is a high-performance proxy caching server for Web clients, | Squid is a high-performance proxy caching server for Web clients, | ||||||
| supporting FTP, gopher, and HTTP data objects. Unlike traditional | supporting FTP and HTTP data objects. Unlike traditional | ||||||
| caching software, Squid handles all requests in a single, | caching software, Squid handles all requests in a single, | ||||||
| non-blocking, I/O-driven process. Squid keeps meta data and especially | non-blocking, I/O-driven process. Squid keeps meta data and especially | ||||||
| hot objects cached in RAM, caches DNS lookups, supports non-blocking | hot objects cached in RAM, caches DNS lookups, supports non-blocking | ||||||
| @ -117,48 +94,15 @@ lookup program (dnsserver), a program for retrieving FTP data | |||||||
| (ftpget), and some management and client tools. | (ftpget), and some management and client tools. | ||||||
| 
 | 
 | ||||||
| %prep | %prep | ||||||
| %setup -q | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' | ||||||
| 
 | 
 | ||||||
| # Upstream patches | %autosetup -p1 | ||||||
| 
 |  | ||||||
| # Backported patches |  | ||||||
| %patch101 -p1 -b .ip-bind-address-no-port |  | ||||||
| 
 |  | ||||||
| # Local patches |  | ||||||
| %patch201 -p1 -b .config |  | ||||||
| %patch202 -p1 -b .location |  | ||||||
| %patch203 -p1 -b .perlpath |  | ||||||
| %patch204 -p1 -b .include-guards |  | ||||||
| %patch205 -p1 -b .large_acl |  | ||||||
| %patch206 -p1 -b .active-ftp |  | ||||||
| %patch208 -p1 -b .convert-ipv4 |  | ||||||
| %patch209 -p1 -b .ftp-fn-extraction |  | ||||||
| %patch210 -p1 -b .halfclosed |  | ||||||
| 
 |  | ||||||
| # Security patches |  | ||||||
| %patch300 -p1 -b .CVE-2021-28116 |  | ||||||
| %patch301 -p1 -b .CVE-2021-46784 |  | ||||||
| %patch302 -p1 -b .CVE-2022-41318 |  | ||||||
| %patch303 -p1 -b .CVE-2023-46846 |  | ||||||
| %patch304 -p1 -b .CVE-2023-46847 |  | ||||||
| %patch305 -p1 -b .CVE-2023-5824 |  | ||||||
| %patch306 -p1 -b .CVE-2023-46728 |  | ||||||
| %patch307 -p1 -b .CVE-2023-46724 |  | ||||||
| %patch308 -p1 -b .CVE-2023-49285 |  | ||||||
| %patch309 -p1 -b .CVE-2023-49286 |  | ||||||
| %patch310 -p1 -b .CVE-2023-50269 |  | ||||||
| %patch311 -p1 -b .CVE-2024-25617 |  | ||||||
| %patch312 -p1 -b .CVE-2024-25111 |  | ||||||
| %patch313 -p1 -b .ignore-wsp-chunk-sz |  | ||||||
| %patch314 -p1 -b .CVE-2024-23638 |  | ||||||
| 
 | 
 | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 | # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 | ||||||
| # Patch in the vendor documentation and used different location for documentation | # Patch in the vendor documentation and used different location for documentation | ||||||
| sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented|' src/squid.8.in | sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented|' src/squid.8.in | ||||||
| 
 | 
 | ||||||
| %build | %build | ||||||
| # cppunit-config patch changes configure.ac |  | ||||||
| autoconf |  | ||||||
| 
 | 
 | ||||||
| # NIS helper has been removed because of the following bug | # NIS helper has been removed because of the following bug | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=1531540 | # https://bugzilla.redhat.com/show_bug.cgi?id=1531540 | ||||||
| @ -167,7 +111,7 @@ autoconf | |||||||
|    --datadir=%{_datadir}/squid \ |    --datadir=%{_datadir}/squid \ | ||||||
|    --sysconfdir=%{_sysconfdir}/squid \ |    --sysconfdir=%{_sysconfdir}/squid \ | ||||||
|    --with-logdir='%{_localstatedir}/log/squid' \ |    --with-logdir='%{_localstatedir}/log/squid' \ | ||||||
|    --with-pidfile='%{_localstatedir}/run/squid.pid' \ |    --with-pidfile='/run/squid.pid' \ | ||||||
|    --disable-dependency-tracking \ |    --disable-dependency-tracking \ | ||||||
|    --enable-eui \ |    --enable-eui \ | ||||||
|    --enable-follow-x-forwarded-for \ |    --enable-follow-x-forwarded-for \ | ||||||
| @ -195,7 +139,7 @@ autoconf | |||||||
|    --enable-storeio="aufs,diskd,ufs,rock" \ |    --enable-storeio="aufs,diskd,ufs,rock" \ | ||||||
|    --enable-diskio \ |    --enable-diskio \ | ||||||
|    --enable-wccpv2 \ |    --enable-wccpv2 \ | ||||||
|    --disable-esi \ |    --enable-esi \ | ||||||
|    --enable-ecap \ |    --enable-ecap \ | ||||||
|    --with-aio \ |    --with-aio \ | ||||||
|    --with-default-user="squid" \ |    --with-default-user="squid" \ | ||||||
| @ -204,7 +148,14 @@ autoconf | |||||||
|    --with-pthreads \ |    --with-pthreads \ | ||||||
|    --disable-arch-native \ |    --disable-arch-native \ | ||||||
|    --disable-security-cert-validators \ |    --disable-security-cert-validators \ | ||||||
|    --with-swapdir=%{_localstatedir}/spool/squid |    --disable-strict-error-checking \ | ||||||
|  |    --with-swapdir=%{_localstatedir}/spool/squid \ | ||||||
|  |    --enable-translation | ||||||
|  | 
 | ||||||
|  | # workaround to build squid v5 | ||||||
|  | mkdir -p src/icmp/tests | ||||||
|  | mkdir -p tools/squidclient/tests | ||||||
|  | mkdir -p tools/tests | ||||||
| 
 | 
 | ||||||
| %make_build | %make_build | ||||||
| 
 | 
 | ||||||
| @ -233,22 +184,20 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d | |||||||
| mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig | mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig | ||||||
| mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pam.d | mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pam.d | ||||||
| mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/ | mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/ | ||||||
| mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d | mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d | ||||||
| mkdir -p $RPM_BUILD_ROOT%{_unitdir} | mkdir -p $RPM_BUILD_ROOT%{_unitdir} | ||||||
| mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/squid | mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/squid | ||||||
| install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/squid | install -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/squid | ||||||
| install -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/squid | install -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/squid | ||||||
| install -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/squid | install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/squid | ||||||
| install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_unitdir} | install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_unitdir} | ||||||
| install -m 755 %{SOURCE7} $RPM_BUILD_ROOT%{_libexecdir}/squid | install -m 755 %{SOURCE8} $RPM_BUILD_ROOT%{_libexecdir}/squid | ||||||
| install -m 644 $RPM_BUILD_ROOT/squid.httpd.tmp $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/squid.conf | install -m 644 $RPM_BUILD_ROOT/squid.httpd.tmp $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/squid.conf | ||||||
| install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d/20-squid | install -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-squid | ||||||
| mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/squid | mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/squid | ||||||
| mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/spool/squid | mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/spool/squid | ||||||
| mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/run/squid | mkdir -p $RPM_BUILD_ROOT/run/squid | ||||||
| chmod 644 contrib/url-normalizer.pl contrib/user-agents.pl | chmod 644 contrib/url-normalizer.pl contrib/user-agents.pl | ||||||
| iconv -f ISO88591 -t UTF8 ChangeLog -o ChangeLog.tmp |  | ||||||
| mv -f ChangeLog.tmp ChangeLog |  | ||||||
| 
 | 
 | ||||||
| # install /usr/lib/tmpfiles.d/squid.conf | # install /usr/lib/tmpfiles.d/squid.conf | ||||||
| mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir} | mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir} | ||||||
| @ -266,11 +215,12 @@ mv $RPM_BUILD_ROOT/usr/share/squid/mib.txt $RPM_BUILD_ROOT/usr/share/snmp/mibs/S | |||||||
| rm -f $RPM_BUILD_ROOT%{_sysconfdir}/squid/squid.conf.documented | rm -f $RPM_BUILD_ROOT%{_sysconfdir}/squid/squid.conf.documented | ||||||
| 
 | 
 | ||||||
| # remove unpackaged files from the buildroot | # remove unpackaged files from the buildroot | ||||||
| rm -f $RPM_BUILD_ROOT%{_bindir}/{RunAccel,RunCache} |  | ||||||
| rm -f $RPM_BUILD_ROOT/squid.httpd.tmp | rm -f $RPM_BUILD_ROOT/squid.httpd.tmp | ||||||
| 
 | 
 | ||||||
|  | # sysusers.d | ||||||
|  | install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf | ||||||
|  | 
 | ||||||
| %files | %files | ||||||
| %defattr(-,root,root,-) |  | ||||||
| %license COPYING  | %license COPYING  | ||||||
| %doc CONTRIBUTORS README ChangeLog QUICKSTART src/squid.conf.documented | %doc CONTRIBUTORS README ChangeLog QUICKSTART src/squid.conf.documented | ||||||
| %doc contrib/url-normalizer.pl contrib/user-agents.pl | %doc contrib/url-normalizer.pl contrib/user-agents.pl | ||||||
| @ -282,7 +232,7 @@ rm -f $RPM_BUILD_ROOT/squid.httpd.tmp | |||||||
| %attr(755,root,root) %dir %{_libdir}/squid | %attr(755,root,root) %dir %{_libdir}/squid | ||||||
| %attr(770,squid,root) %dir %{_localstatedir}/log/squid | %attr(770,squid,root) %dir %{_localstatedir}/log/squid | ||||||
| %attr(750,squid,squid) %dir %{_localstatedir}/spool/squid | %attr(750,squid,squid) %dir %{_localstatedir}/spool/squid | ||||||
| %attr(755,squid,squid) %dir %{_localstatedir}/run/squid | %attr(755,squid,squid) %dir /run/squid | ||||||
| 
 | 
 | ||||||
| %config(noreplace) %attr(644,root,root) %{_sysconfdir}/httpd/conf.d/squid.conf | %config(noreplace) %attr(644,root,root) %{_sysconfdir}/httpd/conf.d/squid.conf | ||||||
| %config(noreplace) %attr(640,root,squid) %{_sysconfdir}/squid/squid.conf | %config(noreplace) %attr(640,root,squid) %{_sysconfdir}/squid/squid.conf | ||||||
| @ -300,7 +250,7 @@ rm -f $RPM_BUILD_ROOT/squid.httpd.tmp | |||||||
| 
 | 
 | ||||||
| %dir %{_datadir}/squid | %dir %{_datadir}/squid | ||||||
| %attr(-,root,root) %{_datadir}/squid/errors | %attr(-,root,root) %{_datadir}/squid/errors | ||||||
| %attr(755,root,root) %{_sysconfdir}/NetworkManager/dispatcher.d/20-squid | %{_prefix}/lib/NetworkManager | ||||||
| %{_datadir}/squid/icons | %{_datadir}/squid/icons | ||||||
| %{_sbindir}/squid | %{_sbindir}/squid | ||||||
| %{_bindir}/squidclient | %{_bindir}/squidclient | ||||||
| @ -310,15 +260,10 @@ rm -f $RPM_BUILD_ROOT/squid.httpd.tmp | |||||||
| %{_libdir}/squid/* | %{_libdir}/squid/* | ||||||
| %{_datadir}/snmp/mibs/SQUID-MIB.txt | %{_datadir}/snmp/mibs/SQUID-MIB.txt | ||||||
| %{_tmpfilesdir}/squid.conf | %{_tmpfilesdir}/squid.conf | ||||||
|  | %{_sysusersdir}/squid.conf | ||||||
| 
 | 
 | ||||||
| %pre | %pre | ||||||
| if ! getent group squid >/dev/null 2>&1; then | %sysusers_create_compat %{SOURCE9} | ||||||
|   /usr/sbin/groupadd -g 23 squid |  | ||||||
| fi |  | ||||||
| 
 |  | ||||||
| if ! getent passwd squid >/dev/null 2>&1 ; then |  | ||||||
|   /usr/sbin/useradd -g 23 -u 23 -d /var/spool/squid -r -s /sbin/nologin squid >/dev/null 2>&1 || exit 1  |  | ||||||
| fi |  | ||||||
| 
 | 
 | ||||||
| for i in /var/log/squid /var/spool/squid ; do | for i in /var/log/squid /var/spool/squid ; do | ||||||
|         if [ -d $i ] ; then |         if [ -d $i ] ; then | ||||||
| @ -331,6 +276,18 @@ done | |||||||
| exit 0 | exit 0 | ||||||
| 
 | 
 | ||||||
| %pretrans -p <lua> | %pretrans -p <lua> | ||||||
|  | -- temporarilly commented until https://bugzilla.redhat.com/show_bug.cgi?id=1936422 is resolved | ||||||
|  | -- | ||||||
|  | -- previously /usr/share/squid/errors/es-mx was symlink, now it is directory since squid v5 | ||||||
|  | -- see https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ | ||||||
|  | -- Define the path to the symlink being replaced below. | ||||||
|  | -- | ||||||
|  | -- path = "/usr/share/squid/errors/es-mx" | ||||||
|  | -- st = posix.stat(path) | ||||||
|  | -- if st and st.type == "link" then | ||||||
|  | --   os.remove(path) | ||||||
|  | -- end | ||||||
|  | 
 | ||||||
| -- Due to a bug #447156 | -- Due to a bug #447156 | ||||||
| paths = {"/usr/share/squid/errors/zh-cn", "/usr/share/squid/errors/zh-tw"} | paths = {"/usr/share/squid/errors/zh-cn", "/usr/share/squid/errors/zh-tw"} | ||||||
| for key,path in ipairs(paths) | for key,path in ipairs(paths) | ||||||
| @ -367,182 +324,238 @@ fi | |||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
| * Wed Nov 13 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.3 | * Mon Jul 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.10-1 | ||||||
| - Resolves: RHEL-22593 - CVE-2024-23638 squid:4/squid: vulnerable to | - new version 6.10 | ||||||
|   a Denial of Service attack against Cache Manager error responses | - Resolves: RHEL-45048 - squid: Out-of-bounds write error may lead to Denial of | ||||||
|  |   Service (CVE-2024-37894) | ||||||
| 
 | 
 | ||||||
| * Thu Nov 07 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.2 | * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 7:6.7-2 | ||||||
| - Disable ESI support | - Bump release for June 2024 mass rebuild | ||||||
| - Resolves: RHEL-65075 - CVE-2024-45802 squid:4/squid: Denial of Service |  | ||||||
|   processing ESI response content |  | ||||||
| 
 | 
 | ||||||
| * Mon Oct 14 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.1 | * Mon Feb 12 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.7-1 | ||||||
| - Resolves: RHEL-56024 - (Regression) Transfer-encoding:chunked data is not sent | - new version 6.7 | ||||||
|   to the client in its complementary | - switch to autosetup | ||||||
|  | - fix FTBFS when using gcc14 | ||||||
| 
 | 
 | ||||||
| * Tue Mar 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10 | * Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 7:6.6-2 | ||||||
| - Resolves: RHEL-28529 - squid:4/squid: Denial of Service in HTTP Chunked | - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild | ||||||
|   Decoding (CVE-2024-25111) |  | ||||||
| - Resolves: RHEL-26088 - squid:4/squid: denial of service in HTTP header |  | ||||||
|   parser (CVE-2024-25617) |  | ||||||
| 
 | 
 | ||||||
| * Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-9 | * Wed Dec 13 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 7:6.6-1 | ||||||
| - Resolves: RHEL-19552 - squid:4/squid: denial of service in HTTP request  | - new version 6.6 | ||||||
|   parsing (CVE-2023-50269) |  | ||||||
| 
 | 
 | ||||||
| * Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-8 | * Tue Nov 07 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:6.5-1 | ||||||
| - Resolves: RHEL-18351 - squid:4/squid: Buffer over-read in the HTTP Message | - new version 6.5 | ||||||
|   processing feature (CVE-2023-49285) |  | ||||||
| - Resolves: RHEL-18342 - squid:4/squid: Incorrect Check of Function Return |  | ||||||
|   Value In Helper Process management (CVE-2023-49286) |  | ||||||
| - Resolves: RHEL-18230 - squid:4/squid: Denial of Service in SSL Certificate |  | ||||||
|   validation (CVE-2023-46724) |  | ||||||
| - Resolves: RHEL-15911 - squid:4/squid: NULL pointer dereference in the gopher |  | ||||||
|   protocol code (CVE-2023-46728) |  | ||||||
| - Resolves: RHEL-18251 - squid crashes in assertion when a parent peer exists |  | ||||||
| - Resolves: RHEL-14794 - squid: squid multiple issues in HTTP response caching |  | ||||||
|   (CVE-2023-5824) |  | ||||||
| - Resolves: RHEL-14803 - squid: squid: Denial of Service in HTTP Digest |  | ||||||
|   Authentication (CVE-2023-46847) |  | ||||||
| - Resolves: RHEL-14777 - squid: squid: Request/Response smuggling in HTTP/1.1 |  | ||||||
|   and ICAP (CVE-2023-46846) |  | ||||||
| 
 | 
 | ||||||
| * Wed Aug 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-7 | * Tue Oct 24 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:6.4-1 | ||||||
| - Resolves: #2076717 - Crash with half_closed_client on | - new version 6.4 | ||||||
| 
 | 
 | ||||||
| * Thu Dec 08 2022 Tomas Korbar <tkorbar@redhat.com> - 4.15-6 | * Thu Sep 14 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:6.3-2 | ||||||
| - Resolves: #2072988 - [RFE] Add the "IP_BIND_ADDRESS_NO_PORT" | - SPDX migration | ||||||
|   flag to sockets created for outgoing connections in the squid source code. |  | ||||||
| 
 | 
 | ||||||
| * Wed Sep 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-5 | * Tue Sep 05 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:6.3-1 | ||||||
| - Resolves: #2130260 - CVE-2022-41318 squid:4/squid: buffer-over-read in SSPI and SMB | - new version 6.3 | ||||||
|   authentication |  | ||||||
| 
 | 
 | ||||||
| * Tue Jun 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-4 | * Wed Aug 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:6.2-1 | ||||||
| - Resolves: #2100783 - CVE-2021-46784 squid:4/squid: DoS when processing gopher | - new version 6.2 | ||||||
|   server responses |  | ||||||
| 
 | 
 | ||||||
| * Wed Feb 09 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-3 | * Fri Aug 04 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:6.1-3 | ||||||
| - Resolves: #1941506 - CVE-2021-28116 squid:4/squid: out-of-bounds read in WCCP | - Fix "!commHasHalfClosedMonitor(fd)" assertion | ||||||
|   protocol data may lead to information disclosure |  | ||||||
| 
 | 
 | ||||||
| * Tue Jan 25 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-2 | * Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 7:6.1-2 | ||||||
| - Resolves: #2006121 - SQUID shortens FTP Link wrong that contains a semi-colon | - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild | ||||||
|   and as a result is not able to download zip file.CODE 404 TO CLIENT) |  | ||||||
| 
 | 
 | ||||||
| * Fri Jun 18 2021 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-1 | * Tue Jul 11 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:6.1-1 | ||||||
| - new version 4.15 | - new version 6.1 | ||||||
| - Resolves: #1964384 - squid:4 rebase to 4.15 |  | ||||||
| 
 | 
 | ||||||
| * Wed Mar 31 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-5 | * Tue May 09 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:5.9-1 | ||||||
| - Resolves: #1944261 - CVE-2020-25097 squid:4/squid: improper input validation | - new version 5.9 | ||||||
|   may allow a trusted client to perform HTTP Request Smuggling |  | ||||||
| 
 | 
 | ||||||
| * Mon Oct 26 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-4 | * Tue Feb 28 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:5.8-1 | ||||||
| - Resolves: #1890606 - Fix for CVE 2019-13345 breaks authentication in | - new version 5.8 | ||||||
|   cachemgr.cgi |  | ||||||
| 
 | 
 | ||||||
| * Wed Aug 26 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-3 | * Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 7:5.7-4 | ||||||
| - Resolves: #1871705 - CVE-2020-24606 squid: Improper Input Validation could | - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild | ||||||
|   result in a DoS |  | ||||||
| - Resolves: #1871702 - CVE-2020-15811 squid: HTTP Request Splitting could result |  | ||||||
|   in cache poisoning |  | ||||||
| - Resolves: #1871700 - CVE-2020-15810 squid: HTTP Request Smuggling could result |  | ||||||
|   in cache poisoning |  | ||||||
| 
 | 
 | ||||||
| * Thu Jul 02 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-2 | * Mon Dec 05 2022 Tomas Korbar <tkorbar@redhat.com> - 7:5.7-3 | ||||||
| - Resolves: #1853130 - CVE-2020-15049 squid:4/squid: request smuggling and | - Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections | ||||||
|   poisoning attack against the HTTP cache | 
 | ||||||
| - Resolves: #1853136 - CVE-2020-14058 squid:4/squid: DoS in TLS handshake | * Wed Oct 12 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.7-2 | ||||||
|  | - Provide a sysusers.d file to get user() and group() provides (#2134071) | ||||||
|  | 
 | ||||||
|  | * Tue Sep 06 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.7-1 | ||||||
|  | - new version 5.7 | ||||||
|  | 
 | ||||||
|  | * Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 7:5.6-2 | ||||||
|  | - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild | ||||||
|  | 
 | ||||||
|  | * Mon Jun 27 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.6-1 | ||||||
|  | - new version 5.6 | ||||||
|  | 
 | ||||||
|  | * Wed Apr 20 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-1 | ||||||
|  | - new version 5.5 | ||||||
|  | - Resolves: #2053799 - squid-5.5 is available | ||||||
|  | 
 | ||||||
|  | * Wed Feb 09 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.4-1 | ||||||
|  | - new version 5.4 | ||||||
|  | 
 | ||||||
|  | * Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 7:5.2-2 | ||||||
|  | - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild | ||||||
|  | 
 | ||||||
|  | * Tue Oct 05 2021 Luboš Uhliarik <luhliari@redhat.com> - 7:5.2-1 | ||||||
|  | - new version 5.2 (#2010109) | ||||||
|  | - Resolves: #1934559 - squid: out-of-bounds read in WCCP protocol | ||||||
|  | 
 | ||||||
|  | * Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 7:5.1-2 | ||||||
|  | - Rebuilt with OpenSSL 3.0.0 | ||||||
|  | 
 | ||||||
|  | * Thu Aug 05 2021 Luboš Uhliarik <luhliari@redhat.com> - 7:5.1-1 | ||||||
|  | - new version 5.1 | ||||||
|  | 
 | ||||||
|  | * Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7:5.0.6-2 | ||||||
|  | - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild | ||||||
|  | 
 | ||||||
|  | * Mon May 17 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:5.0.6-1 | ||||||
|  | - new version 5.0.6 | ||||||
|  | 
 | ||||||
|  | * Fri Apr 23 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:5.0.5-4 | ||||||
|  | - Related: #1934919 - squid update attempts fail with file conflicts | ||||||
|  | 
 | ||||||
|  | * Fri Mar 05 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:5.0.5-3 | ||||||
|  | - Resolves: #1934919 - squid update attempts fail with file conflicts | ||||||
|  | 
 | ||||||
|  | * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7:5.0.5-2 | ||||||
|  | - Rebuilt for updated systemd-rpm-macros | ||||||
|  |   See https://pagure.io/fesco/issue/2583. | ||||||
|  | 
 | ||||||
|  | * Wed Feb 10 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:5.0.5-1 | ||||||
|  | - new version 5.0.5 | ||||||
|  | 
 | ||||||
|  | * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7:4.13-3 | ||||||
|  | - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild | ||||||
|  | 
 | ||||||
|  | * Sat Oct 17 2020 Jeff Law <law@redhat.com> - 7:4.13-2 | ||||||
|  | - Fix missing #includes for gcc-11 | ||||||
|  | 
 | ||||||
|  | * Tue Aug 25 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.13-1 | ||||||
|  | - new version 4.13 | ||||||
|  | 
 | ||||||
|  | * Fri Aug 07 2020 Jeff law <law@redhat.com> - 7:4.12-4 | ||||||
|  | - Disable LTO | ||||||
|  | 
 | ||||||
|  | * Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7:4.12-3 | ||||||
|  | - Second attempt - Rebuilt for | ||||||
|  |   https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild | ||||||
|  | 
 | ||||||
|  | * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7:4.12-2 | ||||||
|  | - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild | ||||||
|  | 
 | ||||||
|  | * Mon Jun 15 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.12-1 | ||||||
|  | - new version 4.12 | ||||||
| 
 | 
 | ||||||
| * Thu May 07 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-1 | * Thu May 07 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-1 | ||||||
| - new version 4.11 | - new version 4.11 | ||||||
| - libsystemd integration | - libsystemd integration | ||||||
| - Resolves: #1829467 - squid:4 rebase | - Resolves: #1827564 - CVE-2020-11945 squid: improper access restriction upon | ||||||
| - Resolves: #1828378 - CVE-2019-12521 squid:4/squid: off-by-one error in |  | ||||||
|   addStackElement allows for a heap buffer overflow and a crash |  | ||||||
| - Resolves: #1828377 - CVE-2019-12520 squid:4/squid: improper input validation |  | ||||||
|   in request allows for proxy manipulation |  | ||||||
| - Resolves: #1828375 - CVE-2019-12524 squid:4/squid: improper access restriction |  | ||||||
|   in url_regex may lead to security bypass |  | ||||||
| - Resolves: #1820664 - CVE-2019-18860 squid: mishandles HTML in the host |  | ||||||
|   parameter to cachemgr.cgi which could result in squid behaving in unsecure way |  | ||||||
| - Resolves: #1802514 - CVE-2020-8449 squid:4/squid: Improper input validation |  | ||||||
|   issues in HTTP Request processing |  | ||||||
| - Resolves: #1802513 - CVE-2020-8450 squid:4/squid: Buffer overflow in a Squid |  | ||||||
|   acting as reverse-proxy |  | ||||||
| - Resolves: #1802512 - CVE-2019-12528 squid:4/squid: Information Disclosure |  | ||||||
|   issue in FTP Gateway |  | ||||||
| - Resolves: #1771288 - CVE-2019-18678 squid:4/squid: HTTP Request Splitting |  | ||||||
|   issue in HTTP message processing |  | ||||||
| - Resolves: #1771283 - CVE-2019-18679 squid:4/squid: Information Disclosure |  | ||||||
|   issue in HTTP Digest Authentication |  | ||||||
| - Resolves: #1771280 - CVE-2019-18677 squid:4/squid: Cross-Site Request Forgery |  | ||||||
|   issue in HTTP Request processing |  | ||||||
| - Resolves: #1771275 - CVE-2019-12523 squid:4/squid: Improper input validation |  | ||||||
|   in URI processor |  | ||||||
| - Resolves: #1771272 - CVE-2019-18676 squid:4/squid: Buffer overflow in URI |  | ||||||
|   processor |  | ||||||
| - Resolves: #1771264 - CVE-2019-12526 squid:4/squid: Heap overflow issue in URN |  | ||||||
|   processing |  | ||||||
| - Resolves: #1738581 - CVE-2019-12529 squid: OOB read in Proxy-Authorization |  | ||||||
|   header causes DoS |  | ||||||
| 
 |  | ||||||
| * Tue Apr 28 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-9 |  | ||||||
| - Resolves: #1738583 - CVE-2019-12525 squid:4/squid: parsing of header |  | ||||||
|   Proxy-Authentication leads to memory corruption |  | ||||||
| - Resolves: #1828369 - CVE-2020-11945 squid: improper access restriction upon |  | ||||||
|   Digest Authentication nonce replay could lead to remote code execution |   Digest Authentication nonce replay could lead to remote code execution | ||||||
| - Resolves: #1828370 - CVE-2019-12519 squid: improper check for new member in |  | ||||||
|   ESIExpression::Evaluate allows for stack buffer overflow |  | ||||||
| 
 | 
 | ||||||
| * Fri Aug 23 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-8 | * Thu Mar 26 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.10-4 | ||||||
| - Resolves: # 1738485 - CVE-2019-12527 squid:4/squid: heap-based buffer overflow | - Resolves: #1817208 - More cache_swap.sh optimizations | ||||||
|   in HttpHeader::getAuth |  | ||||||
| 
 | 
 | ||||||
| * Wed Jul 31 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-7 | * Wed Mar 25 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.10-3 | ||||||
| - Resolves: #1729436 - CVE-2019-13345 squid: XSS via user_name or auth parameter | - Resolves: #1786485 - squid.service: use ${SQUID_CONF} rather than $SQUID_CONF | ||||||
|   in cachemgr.cgi | - Resolves: #1798535 - CVE-2019-12528 squid: Information Disclosure issue in | ||||||
|  |   FTP Gateway | ||||||
|  | - Resolves: #1798554 - CVE-2020-8450 squid: Buffer overflow in a Squid acting | ||||||
|  |   as reverse-proxy | ||||||
|  | - Resolves: #1798541 - CVE-2020-8449 squid: Improper input validation issues  | ||||||
|  |   in HTTP Request processing | ||||||
| 
 | 
 | ||||||
| * Fri Jun 21 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-6 | * Tue Jan 28 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.10-1 | ||||||
| - Resolves: #1679526 - Missing detailed configuration file | - new version 4.10 | ||||||
| - Resolves: #1703117 - RHEL 7 to 8 fails with squid installed because dirs |  | ||||||
|   changed to symlinks |  | ||||||
| - Resolves: #1691741 - Squid cache_peer DNS lookup failed when not all lower |  | ||||||
|   case |  | ||||||
| - Resolves: #1683527 - "Reloading" message on a fresh reboot after enabling |  | ||||||
|   squid |  | ||||||
| 
 | 
 | ||||||
| * Tue Dec 11 2018 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-4 | * Tue Dec 17 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.9-3 | ||||||
| - Resolves: #1612524 - Man page scan results for squid  | - Resolves: #1784383 - Add BuildRequires: systemd-rpm-macros | ||||||
|  | - Resolves: #1783757 - Build with ./configure --with-pidfile=/run/squid.pid | ||||||
|  | - Resolves: #1783768 - Optimize cache_swap.sh cache_dir search | ||||||
| 
 | 
 | ||||||
| * Tue Dec 11 2018 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-3 | * Mon Nov 11 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.9-2 | ||||||
| - Resolves: #1642384 - squid doesn't work with active ftp | - new version 4.9 | ||||||
|  | - verify src taball signature by default in prep section | ||||||
| 
 | 
 | ||||||
| * Tue Dec 11 2018 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-2 | * Tue Oct 08 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.8-6 | ||||||
| - Resolves: #1657847 - Unable to start Squid in Selinux Enforcing mode | - Resolves: #1741342 - Do not call autoconf at build time | ||||||
|  | 
 | ||||||
|  | * Tue Oct 08 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.8-5 | ||||||
|  | - Resolves: #1716950 - Drop "sleep 1" from logrotate fragment | ||||||
|  | 
 | ||||||
|  | * Thu Aug 22 2019 Lubomir Rintel <lkundrak@v3.sk> - 7:4.8-4 | ||||||
|  | - Move the NetworkManager dispatcher script out of /etc | ||||||
|  | 
 | ||||||
|  | * Mon Aug 05 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.8-3 | ||||||
|  | - Resolves: #1737030 - depend on httpd-filesystem | ||||||
|  | 
 | ||||||
|  | * Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7:4.8-2 | ||||||
|  | - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild | ||||||
|  | 
 | ||||||
|  | * Wed Jul 10 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.8-1 | ||||||
|  | - new version 4.8 | ||||||
|  | - Resolves: #1727745 - squid: CVe-2019-13345 squid: XSS via user_name or auth | ||||||
|  |   parameter in cachemgr.cgi | ||||||
|  | 
 | ||||||
|  | * Tue Jul 02 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.7-6 | ||||||
|  | - fix filepath to squid.conf.documented in squid's manpage | ||||||
|  | - fix path to systemctl in nm script | ||||||
|  | 
 | ||||||
|  | * Wed May 22 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.7-5 | ||||||
|  | - Related: #1709299 - Use upstream squid.service | ||||||
|  | 
 | ||||||
|  | * Fri May 17 2019 Luboš Uhliarik <luhliari@redhat.com> - 7:4.7-1 | ||||||
|  | - new version 4.7 | ||||||
|  | 
 | ||||||
|  | * Fri May 17 2019 Luboš Uhliarik <luhliari@redhat.com> - 7:4.6-3 | ||||||
|  | - Resolves: #1709299 - Use upstream squid.service | ||||||
|  | 
 | ||||||
|  | * Mon Apr 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.6-2 | ||||||
|  | - Resolves: #1599074 - squid: 3 coredumps every day | ||||||
|  | 
 | ||||||
|  | * Wed Apr 24 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.6-1 | ||||||
|  | - new version 4.6 | ||||||
|  | - disabled strict checking due to gcc warnings | ||||||
|  | 
 | ||||||
|  | * Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7:4.4-3 | ||||||
|  | - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild | ||||||
|  | 
 | ||||||
|  | * Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 7:4.4-2 | ||||||
|  | - Rebuilt for libcrypt.so.2 (#1666033) | ||||||
| 
 | 
 | ||||||
| * Mon Dec 10 2018 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-1 | * Mon Dec 10 2018 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-1 | ||||||
| - Resolves: #1656871 - squid rebase to 4.4 | - new version 4.4 | ||||||
| - Resolves: #1645148 - CVE-2018-19131 squid: Cross-Site Scripting when |  | ||||||
|   generating HTTPS response messages about TLS errors |  | ||||||
| - Resolves: #1645156 - CVE-2018-19132 squid: Memory leak in SNMP query |  | ||||||
|   rejection code |  | ||||||
| 
 | 
 | ||||||
| * Mon Aug 06 2018 Lubos Uhliarik <luhliari@redhat.com> - 7:4.2-1 | * Sun Oct 14 2018 Peter Robinson <pbrobinson@fedoraproject.org> 7:4.2-3 | ||||||
|  | - Drop obsolete legacy sys-v remanents | ||||||
|  | 
 | ||||||
|  | * Mon Aug 20 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.2-2 | ||||||
|  | - Resolves: #1618790 - SELinux 'dac_override' denial for cache_swap.sh | ||||||
|  | 
 | ||||||
|  | * Mon Aug 06 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.2-1 | ||||||
| - new version 4.2 | - new version 4.2 | ||||||
| - enable back strict error checking | - enable back strict error checking | ||||||
| 
 | 
 | ||||||
| * Wed Aug 01 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.1-1 | * Wed Aug 01 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.1-1 | ||||||
| - new version 4.1 | - new version 4.1 | ||||||
| 
 | 
 | ||||||
| * Mon Jun 04 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.0.23-5 | * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7:4.0.25-2 | ||||||
| - Resolves: #1585617 - Build against libdb only instead of libdb4 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild | ||||||
| - disabled strict checking for now (squid can not be built with GCC8) |  | ||||||
| 
 | 
 | ||||||
| * Mon Apr 16 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.0.23-4 | * Thu Jun 28 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.0.25-1 | ||||||
| - Resolves: #1566055 - module squid cannot be installed due to missing | - new version 4.0.25 | ||||||
|   perl(Crypt::OpenSSL::X509) | 
 | ||||||
|  | * Mon Jun 04 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.0.24-2 | ||||||
|  | - removed obsolete BuildRequires (libdb4-devel) | ||||||
|  | 
 | ||||||
|  | * Thu Mar 08 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.0.24-1 | ||||||
|  | - new version 4.0.24 | ||||||
|  | - disabled strict checking (removed -Werror) | ||||||
| 
 | 
 | ||||||
| * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7:4.0.23-3 | * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7:4.0.23-3 | ||||||
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | ||||||
							
								
								
									
										5
									
								
								squid.sysconfig
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										5
									
								
								squid.sysconfig
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,5 @@ | |||||||
|  | # default squid options | ||||||
|  | SQUID_OPTS="" | ||||||
|  | 
 | ||||||
|  | # default squid conf file | ||||||
|  | SQUID_CONF="/etc/squid/squid.conf" | ||||||
							
								
								
									
										2
									
								
								squid.sysusers
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										2
									
								
								squid.sysusers
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,2 @@ | |||||||
|  | g squid 23 - | ||||||
|  | u squid 23 "Squid proxy user" /var/spool/squid /sbin/nologin | ||||||
		Loading…
	
		Reference in New Issue
	
	Block a user