Compare commits
No commits in common. "c8-stream-4" and "stream-squid-4-rhel-8.10.0" have entirely different histories.
c8-stream-
...
stream-squ
|
@ -1 +1,2 @@
|
|||
SOURCES/squid-4.15.tar.xz
|
||||
/squid-4.15.tar.xz
|
||||
|
|
|
@ -1 +1 @@
|
|||
60bda34ba39657e2d870c8c1d2acece8a69c3075 SOURCES/squid-4.15.tar.xz
|
||||
60bda34ba39657e2d870c8c1d2acece8a69c3075 squid-4.15.tar.xz
|
||||
|
|
|
@ -1,193 +0,0 @@
|
|||
diff --git a/src/http.cc b/src/http.cc
|
||||
index b006300..023e411 100644
|
||||
--- a/src/http.cc
|
||||
+++ b/src/http.cc
|
||||
@@ -52,6 +52,7 @@
|
||||
#include "rfc1738.h"
|
||||
#include "SquidConfig.h"
|
||||
#include "SquidTime.h"
|
||||
+#include "SquidMath.h"
|
||||
#include "StatCounters.h"
|
||||
#include "Store.h"
|
||||
#include "StrList.h"
|
||||
@@ -1150,18 +1151,26 @@ HttpStateData::readReply(const CommIoCbParams &io)
|
||||
* Plus, it breaks our lame *HalfClosed() detection
|
||||
*/
|
||||
|
||||
- Must(maybeMakeSpaceAvailable(true));
|
||||
- CommIoCbParams rd(this); // will be expanded with ReadNow results
|
||||
- rd.conn = io.conn;
|
||||
- rd.size = entry->bytesWanted(Range<size_t>(0, inBuf.spaceSize()));
|
||||
+ size_t moreDataPermission = 0;
|
||||
+ if ((!canBufferMoreReplyBytes(&moreDataPermission) || !moreDataPermission)) {
|
||||
+ abortTransaction("ready to read required data, but the read buffer is full and cannot be drained");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ const auto readSizeMax = maybeMakeSpaceAvailable(moreDataPermission);
|
||||
+ // TODO: Move this logic inside maybeMakeSpaceAvailable():
|
||||
+ const auto readSizeWanted = readSizeMax ? entry->bytesWanted(Range<size_t>(0, readSizeMax)) : 0;
|
||||
|
||||
- if (rd.size <= 0) {
|
||||
+ if (readSizeWanted <= 0) {
|
||||
assert(entry->mem_obj);
|
||||
AsyncCall::Pointer nilCall;
|
||||
entry->mem_obj->delayRead(DeferredRead(readDelayed, this, CommRead(io.conn, NULL, 0, nilCall)));
|
||||
return;
|
||||
}
|
||||
|
||||
+ CommIoCbParams rd(this); // will be expanded with ReadNow results
|
||||
+ rd.conn = io.conn;
|
||||
+ rd.size = readSizeWanted;
|
||||
switch (Comm::ReadNow(rd, inBuf)) {
|
||||
case Comm::INPROGRESS:
|
||||
if (inBuf.isEmpty())
|
||||
@@ -1520,8 +1529,11 @@ HttpStateData::maybeReadVirginBody()
|
||||
if (!Comm::IsConnOpen(serverConnection) || fd_table[serverConnection->fd].closing())
|
||||
return;
|
||||
|
||||
- if (!maybeMakeSpaceAvailable(false))
|
||||
+ size_t moreDataPermission = 0;
|
||||
+ if ((!canBufferMoreReplyBytes(&moreDataPermission)) || !moreDataPermission) {
|
||||
+ abortTransaction("more response bytes required, but the read buffer is full and cannot be drained");
|
||||
return;
|
||||
+ }
|
||||
|
||||
// XXX: get rid of the do_next_read flag
|
||||
// check for the proper reasons preventing read(2)
|
||||
@@ -1539,40 +1551,79 @@ HttpStateData::maybeReadVirginBody()
|
||||
Comm::Read(serverConnection, call);
|
||||
}
|
||||
|
||||
+/// Desired inBuf capacity based on various capacity preferences/limits:
|
||||
+/// * a smaller buffer may not hold enough for look-ahead header/body parsers;
|
||||
+/// * a smaller buffer may result in inefficient tiny network reads;
|
||||
+/// * a bigger buffer may waste memory;
|
||||
+/// * a bigger buffer may exceed SBuf storage capabilities (SBuf::maxSize);
|
||||
+size_t
|
||||
+HttpStateData::calcReadBufferCapacityLimit() const
|
||||
+{
|
||||
+ if (!flags.headers_parsed)
|
||||
+ return Config.maxReplyHeaderSize;
|
||||
+
|
||||
+ // XXX: Our inBuf is not used to maintain the read-ahead gap, and using
|
||||
+ // Config.readAheadGap like this creates huge read buffers for large
|
||||
+ // read_ahead_gap values. TODO: Switch to using tcp_recv_bufsize as the
|
||||
+ // primary read buffer capacity factor.
|
||||
+ //
|
||||
+ // TODO: Cannot reuse throwing NaturalCast() here. Consider removing
|
||||
+ // .value() dereference in NaturalCast() or add/use NaturalCastOrMax().
|
||||
+ const auto configurationPreferences = NaturalSum<size_t>(Config.readAheadGap).second ? NaturalSum<size_t>(Config.readAheadGap).first : SBuf::maxSize;
|
||||
+
|
||||
+ // TODO: Honor TeChunkedParser look-ahead and trailer parsing requirements
|
||||
+ // (when explicit configurationPreferences are set too low).
|
||||
+
|
||||
+ return std::min<size_t>(configurationPreferences, SBuf::maxSize);
|
||||
+}
|
||||
+
|
||||
+/// The maximum number of virgin reply bytes we may buffer before we violate
|
||||
+/// the currently configured response buffering limits.
|
||||
+/// \retval std::nullopt means that no more virgin response bytes can be read
|
||||
+/// \retval 0 means that more virgin response bytes may be read later
|
||||
+/// \retval >0 is the number of bytes that can be read now (subject to other constraints)
|
||||
bool
|
||||
-HttpStateData::maybeMakeSpaceAvailable(bool doGrow)
|
||||
+HttpStateData::canBufferMoreReplyBytes(size_t *maxReadSize) const
|
||||
{
|
||||
- // how much we are allowed to buffer
|
||||
- const int limitBuffer = (flags.headers_parsed ? Config.readAheadGap : Config.maxReplyHeaderSize);
|
||||
-
|
||||
- if (limitBuffer < 0 || inBuf.length() >= (SBuf::size_type)limitBuffer) {
|
||||
- // when buffer is at or over limit already
|
||||
- debugs(11, 7, "will not read up to " << limitBuffer << ". buffer has (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
|
||||
- debugs(11, DBG_DATA, "buffer has {" << inBuf << "}");
|
||||
- // Process next response from buffer
|
||||
- processReply();
|
||||
- return false;
|
||||
+#if USE_ADAPTATION
|
||||
+ // If we do not check this now, we may say the final "no" prematurely below
|
||||
+ // because inBuf.length() will decrease as adaptation drains buffered bytes.
|
||||
+ if (responseBodyBuffer) {
|
||||
+ debugs(11, 3, "yes, but waiting for adaptation to drain read buffer");
|
||||
+ *maxReadSize = 0; // yes, we may be able to buffer more (but later)
|
||||
+ return true;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ const auto maxCapacity = calcReadBufferCapacityLimit();
|
||||
+ if (inBuf.length() >= maxCapacity) {
|
||||
+ debugs(11, 3, "no, due to a full buffer: " << inBuf.length() << '/' << inBuf.spaceSize() << "; limit: " << maxCapacity);
|
||||
+ return false; // no, configuration prohibits buffering more
|
||||
}
|
||||
|
||||
+ *maxReadSize = (maxCapacity - inBuf.length()); // positive
|
||||
+ debugs(11, 7, "yes, may read up to " << *maxReadSize << " into " << inBuf.length() << '/' << inBuf.spaceSize());
|
||||
+ return true; // yes, can read up to this many bytes (subject to other constraints)
|
||||
+}
|
||||
+
|
||||
+/// prepare read buffer for reading
|
||||
+/// \return the maximum number of bytes the caller should attempt to read
|
||||
+/// \retval 0 means that the caller should delay reading
|
||||
+size_t
|
||||
+HttpStateData::maybeMakeSpaceAvailable(const size_t maxReadSize)
|
||||
+{
|
||||
// how much we want to read
|
||||
- const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), (limitBuffer - inBuf.length()));
|
||||
+ const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), maxReadSize);
|
||||
|
||||
- if (!read_size) {
|
||||
+ if (read_size < 2) {
|
||||
debugs(11, 7, "will not read up to " << read_size << " into buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
|
||||
- return false;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
- // just report whether we could grow or not, do not actually do it
|
||||
- if (doGrow)
|
||||
- return (read_size >= 2);
|
||||
-
|
||||
// we may need to grow the buffer
|
||||
inBuf.reserveSpace(read_size);
|
||||
- debugs(11, 8, (!flags.do_next_read ? "will not" : "may") <<
|
||||
- " read up to " << read_size << " bytes info buf(" << inBuf.length() << "/" << inBuf.spaceSize() <<
|
||||
- ") from " << serverConnection);
|
||||
-
|
||||
- return (inBuf.spaceSize() >= 2); // only read if there is 1+ bytes of space available
|
||||
+ debugs(11, 7, "may read up to " << read_size << " bytes info buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
|
||||
+ return read_size;
|
||||
}
|
||||
|
||||
/// called after writing the very last request byte (body, last-chunk, etc)
|
||||
diff --git a/src/http.h b/src/http.h
|
||||
index 8965b77..007d2e6 100644
|
||||
--- a/src/http.h
|
||||
+++ b/src/http.h
|
||||
@@ -15,6 +15,8 @@
|
||||
#include "http/StateFlags.h"
|
||||
#include "sbuf/SBuf.h"
|
||||
|
||||
+#include <optional>
|
||||
+
|
||||
class FwdState;
|
||||
class HttpHeader;
|
||||
|
||||
@@ -107,16 +109,9 @@ private:
|
||||
|
||||
void abortTransaction(const char *reason) { abortAll(reason); } // abnormal termination
|
||||
|
||||
- /**
|
||||
- * determine if read buffer can have space made available
|
||||
- * for a read.
|
||||
- *
|
||||
- * \param grow whether to actually expand the buffer
|
||||
- *
|
||||
- * \return whether the buffer can be grown to provide space
|
||||
- * regardless of whether the grow actually happened.
|
||||
- */
|
||||
- bool maybeMakeSpaceAvailable(bool grow);
|
||||
+ size_t calcReadBufferCapacityLimit() const;
|
||||
+ bool canBufferMoreReplyBytes(size_t *maxReadSize) const;
|
||||
+ size_t maybeMakeSpaceAvailable(size_t maxReadSize);
|
||||
|
||||
// consuming request body
|
||||
virtual void handleMoreRequestBodyAvailable();
|
|
@ -1,105 +0,0 @@
|
|||
diff --git a/src/SquidString.h b/src/SquidString.h
|
||||
index a791885..b9aef38 100644
|
||||
--- a/src/SquidString.h
|
||||
+++ b/src/SquidString.h
|
||||
@@ -114,7 +114,16 @@ private:
|
||||
|
||||
size_type len_; /* current length */
|
||||
|
||||
- static const size_type SizeMax_ = 65535; ///< 64K limit protects some fixed-size buffers
|
||||
+ /// An earlier 64KB limit was meant to protect some fixed-size buffers, but
|
||||
+ /// (a) we do not know where those buffers are (or whether they still exist)
|
||||
+ /// (b) too many String users unknowingly exceeded that limit and asserted.
|
||||
+ /// We are now using a larger limit to reduce the number of (b) cases,
|
||||
+ /// especially cases where "compact" lists of items grow 50% in size when we
|
||||
+ /// convert them to canonical form. The new limit is selected to withstand
|
||||
+ /// concatenation and ~50% expansion of two HTTP headers limited by default
|
||||
+ /// request_header_max_size and reply_header_max_size settings.
|
||||
+ static const size_type SizeMax_ = 3*64*1024 - 1;
|
||||
+
|
||||
/// returns true after increasing the first argument by extra if the sum does not exceed SizeMax_
|
||||
static bool SafeAdd(size_type &base, size_type extra) { if (extra <= SizeMax_ && base <= SizeMax_ - extra) { base += extra; return true; } return false; }
|
||||
|
||||
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
|
||||
index a9c1b7e..46f07bb 100644
|
||||
--- a/src/cache_cf.cc
|
||||
+++ b/src/cache_cf.cc
|
||||
@@ -935,6 +935,18 @@ configDoConfigure(void)
|
||||
(uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize);
|
||||
}
|
||||
|
||||
+ // Warn about the dangers of exceeding String limits when manipulating HTTP
|
||||
+ // headers. Technically, we do not concatenate _requests_, so we could relax
|
||||
+ // their check, but we keep the two checks the same for simplicity sake.
|
||||
+ const auto safeRawHeaderValueSizeMax = (String::SizeMaxXXX()+1)/3;
|
||||
+ // TODO: static_assert(safeRawHeaderValueSizeMax >= 64*1024); // no WARNINGs for default settings
|
||||
+ if (Config.maxRequestHeaderSize > safeRawHeaderValueSizeMax)
|
||||
+ debugs(3, DBG_CRITICAL, "WARNING: Increasing request_header_max_size beyond " << safeRawHeaderValueSizeMax <<
|
||||
+ " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxRequestHeaderSize << " bytes");
|
||||
+ if (Config.maxReplyHeaderSize > safeRawHeaderValueSizeMax)
|
||||
+ debugs(3, DBG_CRITICAL, "WARNING: Increasing reply_header_max_size beyond " << safeRawHeaderValueSizeMax <<
|
||||
+ " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxReplyHeaderSize << " bytes");
|
||||
+
|
||||
/*
|
||||
* Disable client side request pipelining if client_persistent_connections OFF.
|
||||
* Waste of resources queueing any pipelined requests when the first will close the connection.
|
||||
diff --git a/src/cf.data.pre b/src/cf.data.pre
|
||||
index bc2ddcd..d55b870 100644
|
||||
--- a/src/cf.data.pre
|
||||
+++ b/src/cf.data.pre
|
||||
@@ -6196,11 +6196,14 @@ TYPE: b_size_t
|
||||
DEFAULT: 64 KB
|
||||
LOC: Config.maxRequestHeaderSize
|
||||
DOC_START
|
||||
- This specifies the maximum size for HTTP headers in a request.
|
||||
- Request headers are usually relatively small (about 512 bytes).
|
||||
- Placing a limit on the request header size will catch certain
|
||||
- bugs (for example with persistent connections) and possibly
|
||||
- buffer-overflow or denial-of-service attacks.
|
||||
+ This directives limits the header size of a received HTTP request
|
||||
+ (including request-line). Increasing this limit beyond its 64 KB default
|
||||
+ exposes certain old Squid code to various denial-of-service attacks. This
|
||||
+ limit also applies to received FTP commands.
|
||||
+
|
||||
+ This limit has no direct affect on Squid memory consumption.
|
||||
+
|
||||
+ Squid does not check this limit when sending requests.
|
||||
DOC_END
|
||||
|
||||
NAME: reply_header_max_size
|
||||
@@ -6209,11 +6212,14 @@ TYPE: b_size_t
|
||||
DEFAULT: 64 KB
|
||||
LOC: Config.maxReplyHeaderSize
|
||||
DOC_START
|
||||
- This specifies the maximum size for HTTP headers in a reply.
|
||||
- Reply headers are usually relatively small (about 512 bytes).
|
||||
- Placing a limit on the reply header size will catch certain
|
||||
- bugs (for example with persistent connections) and possibly
|
||||
- buffer-overflow or denial-of-service attacks.
|
||||
+ This directives limits the header size of a received HTTP response
|
||||
+ (including status-line). Increasing this limit beyond its 64 KB default
|
||||
+ exposes certain old Squid code to various denial-of-service attacks. This
|
||||
+ limit also applies to FTP command responses.
|
||||
+
|
||||
+ Squid also checks this limit when loading hit responses from disk cache.
|
||||
+
|
||||
+ Squid does not check this limit when sending responses.
|
||||
DOC_END
|
||||
|
||||
NAME: request_body_max_size
|
||||
diff --git a/src/http.cc b/src/http.cc
|
||||
index 877172d..b006300 100644
|
||||
--- a/src/http.cc
|
||||
+++ b/src/http.cc
|
||||
@@ -1820,8 +1820,9 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request,
|
||||
|
||||
String strFwd = hdr_in->getList(Http::HdrType::X_FORWARDED_FOR);
|
||||
|
||||
- // if we cannot double strFwd size, then it grew past 50% of the limit
|
||||
- if (!strFwd.canGrowBy(strFwd.size())) {
|
||||
+ // Detect unreasonably long header values. And paranoidly check String
|
||||
+ // limits: a String ought to accommodate two reasonable-length values.
|
||||
+ if (strFwd.size() > 32*1024 || !strFwd.canGrowBy(strFwd.size())) {
|
||||
// There is probably a forwarding loop with Via detection disabled.
|
||||
// If we do nothing, String will assert on overflow soon.
|
||||
// TODO: Terminate all transactions with huge XFF?
|
|
@ -0,0 +1,9 @@
|
|||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-9
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier2.functional}
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier3.functional}
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}
|
|
@ -0,0 +1 @@
|
|||
SHA512 (squid-4.15.tar.xz) = 8f0ce6e30dd9173927e8133618211ffb865fb5dde4c63c2fb465e2efccda4a6efb33f2c0846870c9b915340aff5f59461a60171882bcc0c890336b846fe60bd1
|
|
@ -0,0 +1,10 @@
|
|||
diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl
|
||||
index 4cb0480..4b89910 100755
|
||||
--- a/contrib/url-normalizer.pl
|
||||
+++ b/contrib/url-normalizer.pl
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/usr/local/bin/perl -Tw
|
||||
+#!/usr/bin/perl -Tw
|
||||
#
|
||||
# * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
|
||||
# *
|
|
@ -0,0 +1,32 @@
|
|||
diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART
|
||||
--- squid-3.1.0.9/QUICKSTART.location 2009-06-26 12:35:27.000000000 +0200
|
||||
+++ squid-3.1.0.9/QUICKSTART 2009-07-17 14:03:10.000000000 +0200
|
||||
@@ -10,10 +10,9 @@ After you retrieved, compiled and instal
|
||||
INSTALL in the same directory), you have to configure the squid.conf
|
||||
file. This is the list of the values you *need* to change, because no
|
||||
sensible defaults could be defined. Do not touch the other variables
|
||||
-for now. We assume you have installed Squid in the default location:
|
||||
-/usr/local/squid
|
||||
+for now.
|
||||
|
||||
-Uncomment and edit the following lines in /usr/local/squid/etc/squid.conf:
|
||||
+Uncomment and edit the following lines in /etc/squid/squid.conf:
|
||||
|
||||
==============================================================================
|
||||
|
||||
@@ -82,12 +81,12 @@ After editing squid.conf to your liking,
|
||||
line TWICE:
|
||||
|
||||
To create any disk cache_dir configured:
|
||||
- % /usr/local/squid/sbin/squid -z
|
||||
+ % /usr/sbin/squid -z
|
||||
|
||||
To start squid:
|
||||
- % /usr/local/squid/sbin/squid
|
||||
+ % /usr/sbin/squid
|
||||
|
||||
-Check in the cache.log (/usr/local/squid/var/logs/cache.log) that
|
||||
+Check in the cache.log (/var/log/squid/cache.log) that
|
||||
everything is all right.
|
||||
|
||||
Once Squid created all its files (it can take several minutes on some
|
|
@ -0,0 +1,95 @@
|
|||
------------------------------------------------------------
|
||||
revno: 14311
|
||||
revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
|
||||
parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
|
||||
------------------------------------------------------------
|
||||
revno: 14311
|
||||
revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
|
||||
parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
|
||||
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
|
||||
author: Francesco Chemolli <kinkie@squid-cache.org>
|
||||
committer: Amos Jeffries <squid3@treenet.co.nz>
|
||||
branch nick: trunk
|
||||
timestamp: Thu 2015-09-24 06:05:37 -0700
|
||||
message:
|
||||
Bug 4323: Netfilter broken cross-includes with Linux 4.2
|
||||
------------------------------------------------------------
|
||||
# Bazaar merge directive format 2 (Bazaar 0.90)
|
||||
# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
|
||||
# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
|
||||
# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
|
||||
# timestamp: 2015-09-24 13:06:33 +0000
|
||||
# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
|
||||
# base_revision_id: squid3@treenet.co.nz-20150924032241-\
|
||||
# 6cx3g6hwz9xfoybr
|
||||
#
|
||||
# Begin patch
|
||||
=== modified file 'compat/os/linux.h'
|
||||
--- compat/os/linux.h 2015-01-13 07:25:36 +0000
|
||||
+++ compat/os/linux.h 2015-09-24 13:05:37 +0000
|
||||
@@ -30,6 +30,21 @@
|
||||
#endif
|
||||
|
||||
/*
|
||||
+ * Netfilter header madness. (see Bug 4323)
|
||||
+ *
|
||||
+ * Netfilter have a history of defining their own versions of network protocol
|
||||
+ * primitives without sufficient protection against the POSIX defines which are
|
||||
+ * aways present in Linux.
|
||||
+ *
|
||||
+ * netinet/in.h must be included before any other sys header in order to properly
|
||||
+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
|
||||
+ * to workaround it.
|
||||
+ */
|
||||
+#if HAVE_NETINET_IN_H
|
||||
+#include <netinet/in.h>
|
||||
+#endif
|
||||
+
|
||||
+/*
|
||||
* sys/capability.h is only needed in Linux apparently.
|
||||
*
|
||||
* HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
|
||||
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
|
||||
author: Francesco Chemolli <kinkie@squid-cache.org>
|
||||
committer: Amos Jeffries <squid3@treenet.co.nz>
|
||||
branch nick: trunk
|
||||
timestamp: Thu 2015-09-24 06:05:37 -0700
|
||||
message:
|
||||
Bug 4323: Netfilter broken cross-includes with Linux 4.2
|
||||
------------------------------------------------------------
|
||||
# Bazaar merge directive format 2 (Bazaar 0.90)
|
||||
# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
|
||||
# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
|
||||
# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
|
||||
# timestamp: 2015-09-24 13:06:33 +0000
|
||||
# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
|
||||
# base_revision_id: squid3@treenet.co.nz-20150924032241-\
|
||||
# 6cx3g6hwz9xfoybr
|
||||
#
|
||||
# Begin patch
|
||||
=== modified file 'compat/os/linux.h'
|
||||
--- compat/os/linux.h 2015-01-13 07:25:36 +0000
|
||||
+++ compat/os/linux.h 2015-09-24 13:05:37 +0000
|
||||
@@ -30,6 +30,21 @@
|
||||
#endif
|
||||
|
||||
/*
|
||||
+ * Netfilter header madness. (see Bug 4323)
|
||||
+ *
|
||||
+ * Netfilter have a history of defining their own versions of network protocol
|
||||
+ * primitives without sufficient protection against the POSIX defines which are
|
||||
+ * aways present in Linux.
|
||||
+ *
|
||||
+ * netinet/in.h must be included before any other sys header in order to properly
|
||||
+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
|
||||
+ * to workaround it.
|
||||
+ */
|
||||
+#if HAVE_NETINET_IN_H
|
||||
+#include <netinet/in.h>
|
||||
+#endif
|
||||
+
|
||||
+/*
|
||||
* sys/capability.h is only needed in Linux apparently.
|
||||
*
|
||||
* HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre
|
||||
--- squid-4.0.11/src/cf.data.pre.config 2016-06-09 22:32:57.000000000 +0200
|
||||
+++ squid-4.0.11/src/cf.data.pre 2016-07-11 21:08:35.090976840 +0200
|
||||
@@ -4658,7 +4658,7 @@ DOC_END
|
||||
|
||||
NAME: logfile_rotate
|
||||
TYPE: int
|
||||
-DEFAULT: 10
|
||||
+DEFAULT: 0
|
||||
LOC: Config.Log.rotateNumber
|
||||
DOC_START
|
||||
Specifies the default number of logfile rotations to make when you
|
||||
@@ -6444,11 +6444,11 @@ COMMENT_END
|
||||
|
||||
NAME: cache_mgr
|
||||
TYPE: string
|
||||
-DEFAULT: webmaster
|
||||
+DEFAULT: root
|
||||
LOC: Config.adminEmail
|
||||
DOC_START
|
||||
Email-address of local cache manager who will receive
|
||||
- mail if the cache dies. The default is "webmaster".
|
||||
+ mail if the cache dies. The default is "root".
|
||||
DOC_END
|
||||
|
||||
NAME: mail_from
|
|
@ -0,0 +1,68 @@
|
|||
From fc01451000eaa5592cd5afbd6aee14e53f7dd2c3 Mon Sep 17 00:00:00 2001
|
||||
From: Amos Jeffries <amosjeffries@squid-cache.org>
|
||||
Date: Sun, 18 Oct 2020 20:23:10 +1300
|
||||
Subject: [PATCH] Update translations integration
|
||||
|
||||
* Add credits for es-mx translation moderator
|
||||
* Use es-mx for default of all Spanish (Central America) texts
|
||||
* Update translation related .am files
|
||||
---
|
||||
doc/manuals/language.am | 2 +-
|
||||
errors/TRANSLATORS | 1 +
|
||||
errors/aliases | 3 ++-
|
||||
errors/language.am | 3 ++-
|
||||
errors/template.am | 2 +-
|
||||
5 files changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/doc/manuals/language.am b/doc/manuals/language.am
|
||||
index 7670c88380c..f03c4cf71b4 100644
|
||||
--- a/doc/manuals/language.am
|
||||
+++ b/doc/manuals/language.am
|
||||
@@ -18,4 +18,4 @@ TRANSLATE_LANGUAGES = \
|
||||
oc.lang \
|
||||
pt.lang \
|
||||
ro.lang \
|
||||
- ru.lang
|
||||
+ ru.lang
|
||||
diff --git a/errors/aliases b/errors/aliases
|
||||
index 36f17f4b80f..cf0116f297d 100644
|
||||
--- a/errors/aliases
|
||||
+++ b/errors/aliases
|
||||
@@ -14,7 +14,8 @@ da da-dk
|
||||
de de-at de-ch de-de de-li de-lu
|
||||
el el-gr
|
||||
en en-au en-bz en-ca en-cn en-gb en-ie en-in en-jm en-nz en-ph en-sg en-tt en-uk en-us en-za en-zw
|
||||
-es es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-us es-uy es-ve es-xl
|
||||
+es es-ar es-bo es-cl es-cu es-co es-do es-ec es-es es-pe es-pr es-py es-us es-uy es-ve es-xl spq
|
||||
+es-mx es-bz es-cr es-gt es-hn es-ni es-pa es-sv
|
||||
et et-ee
|
||||
fa fa-fa fa-ir
|
||||
fi fi-fi
|
||||
diff --git a/errors/language.am b/errors/language.am
|
||||
index 12b1b2b3b43..029e8c1eb2f 100644
|
||||
--- a/errors/language.am
|
||||
+++ b/errors/language.am
|
||||
@@ -17,6 +17,7 @@ TRANSLATE_LANGUAGES = \
|
||||
de.lang \
|
||||
el.lang \
|
||||
en.lang \
|
||||
+ es-mx.lang \
|
||||
es.lang \
|
||||
et.lang \
|
||||
fa.lang \
|
||||
@@ -51,4 +52,4 @@ TRANSLATE_LANGUAGES = \
|
||||
uz.lang \
|
||||
vi.lang \
|
||||
zh-hans.lang \
|
||||
- zh-hant.lang
|
||||
+ zh-hant.lang
|
||||
diff --git a/errors/template.am b/errors/template.am
|
||||
index 6c12781e6f4..715c65aa22b 100644
|
||||
--- a/errors/template.am
|
||||
+++ b/errors/template.am
|
||||
@@ -48,4 +48,4 @@ ERROR_TEMPLATES = \
|
||||
templates/ERR_UNSUP_REQ \
|
||||
templates/ERR_URN_RESOLVE \
|
||||
templates/ERR_WRITE_ERROR \
|
||||
- templates/ERR_ZERO_SIZE_OBJECT
|
||||
+ templates/ERR_ZERO_SIZE_OBJECT
|
|
@ -0,0 +1,127 @@
|
|||
diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc
|
||||
index 747ed35..f2b7126 100644
|
||||
--- a/src/clients/FtpClient.cc
|
||||
+++ b/src/clients/FtpClient.cc
|
||||
@@ -795,7 +795,8 @@ Ftp::Client::connectDataChannel()
|
||||
bool
|
||||
Ftp::Client::openListenSocket()
|
||||
{
|
||||
- return false;
|
||||
+ debugs(9, 3, HERE);
|
||||
+ return false;
|
||||
}
|
||||
|
||||
/// creates a data channel Comm close callback
|
||||
diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h
|
||||
index eb5ea1b..e92c007 100644
|
||||
--- a/src/clients/FtpClient.h
|
||||
+++ b/src/clients/FtpClient.h
|
||||
@@ -137,7 +137,7 @@ public:
|
||||
bool sendPort();
|
||||
bool sendPassive();
|
||||
void connectDataChannel();
|
||||
- bool openListenSocket();
|
||||
+ virtual bool openListenSocket();
|
||||
void switchTimeoutToDataChannel();
|
||||
|
||||
CtrlChannel ctrl; ///< FTP control channel state
|
||||
diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
|
||||
index 05db817..2989cd2 100644
|
||||
--- a/src/clients/FtpGateway.cc
|
||||
+++ b/src/clients/FtpGateway.cc
|
||||
@@ -86,6 +86,13 @@ struct GatewayFlags {
|
||||
class Gateway;
|
||||
typedef void (StateMethod)(Ftp::Gateway *);
|
||||
|
||||
+} // namespace FTP
|
||||
+
|
||||
+static void ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback);
|
||||
+
|
||||
+namespace Ftp
|
||||
+{
|
||||
+
|
||||
/// FTP Gateway: An FTP client that takes an HTTP request with an ftp:// URI,
|
||||
/// converts it into one or more FTP commands, and then
|
||||
/// converts one or more FTP responses into the final HTTP response.
|
||||
@@ -136,7 +143,11 @@ public:
|
||||
|
||||
/// create a data channel acceptor and start listening.
|
||||
void listenForDataChannel(const Comm::ConnectionPointer &conn);
|
||||
-
|
||||
+ virtual bool openListenSocket() {
|
||||
+ debugs(9, 3, HERE);
|
||||
+ ftpOpenListenSocket(this, 0);
|
||||
+ return Comm::IsConnOpen(data.conn);
|
||||
+ }
|
||||
int checkAuth(const HttpHeader * req_hdr);
|
||||
void checkUrlpath();
|
||||
void buildTitleUrl();
|
||||
@@ -1786,6 +1797,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback)
|
||||
}
|
||||
|
||||
ftpState->listenForDataChannel(temp);
|
||||
+ ftpState->data.listenConn = temp;
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -1821,13 +1833,19 @@ ftpSendPORT(Ftp::Gateway * ftpState)
|
||||
// pull out the internal IP address bytes to send in PORT command...
|
||||
// source them from the listen_conn->local
|
||||
|
||||
+ struct sockaddr_in addr;
|
||||
+ socklen_t addrlen = sizeof(addr);
|
||||
+ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
|
||||
+ unsigned char port_high = ntohs(addr.sin_port) >> 8;
|
||||
+ unsigned char port_low = ntohs(addr.sin_port) & 0xff;
|
||||
+
|
||||
struct addrinfo *AI = NULL;
|
||||
ftpState->data.listenConn->local.getAddrInfo(AI, AF_INET);
|
||||
unsigned char *addrptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_addr;
|
||||
- unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
|
||||
+ // unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
|
||||
snprintf(cbuf, CTRL_BUFLEN, "PORT %d,%d,%d,%d,%d,%d\r\n",
|
||||
addrptr[0], addrptr[1], addrptr[2], addrptr[3],
|
||||
- portptr[0], portptr[1]);
|
||||
+ port_high, port_low);
|
||||
ftpState->writeCommand(cbuf);
|
||||
ftpState->state = Ftp::Client::SENT_PORT;
|
||||
|
||||
@@ -1880,14 +1898,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState)
|
||||
return;
|
||||
}
|
||||
|
||||
+
|
||||
+ unsigned int port;
|
||||
+ struct sockaddr_storage addr;
|
||||
+ socklen_t addrlen = sizeof(addr);
|
||||
+ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
|
||||
+ if (addr.ss_family == AF_INET) {
|
||||
+ struct sockaddr_in *addr4 = (struct sockaddr_in*) &addr;
|
||||
+ port = ntohs( addr4->sin_port );
|
||||
+ } else {
|
||||
+ struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &addr;
|
||||
+ port = ntohs( addr6->sin6_port );
|
||||
+ }
|
||||
+
|
||||
char buf[MAX_IPSTRLEN];
|
||||
|
||||
/* RFC 2428 defines EPRT as IPv6 equivalent to IPv4 PORT command. */
|
||||
/* Which can be used by EITHER protocol. */
|
||||
- snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%d|\r\n",
|
||||
+ snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%u|\r\n",
|
||||
( ftpState->data.listenConn->local.isIPv6() ? 2 : 1 ),
|
||||
ftpState->data.listenConn->local.toStr(buf,MAX_IPSTRLEN),
|
||||
- ftpState->data.listenConn->local.port() );
|
||||
+ port);
|
||||
|
||||
ftpState->writeCommand(cbuf);
|
||||
ftpState->state = Ftp::Client::SENT_EPRT;
|
||||
@@ -1906,7 +1937,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState)
|
||||
ftpSendPORT(ftpState);
|
||||
return;
|
||||
}
|
||||
-
|
||||
+ ftpState->ctrl.message = NULL;
|
||||
ftpRestOrList(ftpState);
|
||||
}
|
||||
|
|
@ -0,0 +1,185 @@
|
|||
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
|
||||
index 3ad135d..73912ce 100644
|
||||
--- a/src/ssl/support.cc
|
||||
+++ b/src/ssl/support.cc
|
||||
@@ -557,7 +557,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn)
|
||||
}
|
||||
|
||||
// "dup" function for SSL_get_ex_new_index("cert_err_check")
|
||||
-#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
|
||||
+#if OPENSSL_VERSION_MAJOR >= 3
|
||||
+static int
|
||||
+ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **,
|
||||
+ int, long, void *)
|
||||
+#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
|
||||
static int
|
||||
ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *,
|
||||
int, long, void *)
|
||||
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
|
||||
index cf1d4ba..4346ba5 100644
|
||||
--- a/src/security/PeerOptions.cc
|
||||
+++ b/src/security/PeerOptions.cc
|
||||
@@ -297,130 +297,130 @@ static struct ssl_option {
|
||||
|
||||
} ssl_options[] = {
|
||||
|
||||
-#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
|
||||
+#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
|
||||
{
|
||||
"NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
|
||||
+#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
|
||||
{
|
||||
"SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
|
||||
+#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
|
||||
{
|
||||
"MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG
|
||||
+#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
|
||||
{
|
||||
"SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_TLS_D5_BUG
|
||||
+#ifdef SSL_OP_TLS_D5_BUG
|
||||
{
|
||||
"TLS_D5_BUG", SSL_OP_TLS_D5_BUG
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_TLS_BLOCK_PADDING_BUG
|
||||
+#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
|
||||
{
|
||||
"TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_TLS_ROLLBACK_BUG
|
||||
+#ifdef SSL_OP_TLS_ROLLBACK_BUG
|
||||
{
|
||||
"TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_ALL
|
||||
+#ifdef SSL_OP_ALL
|
||||
{
|
||||
"ALL", (long)SSL_OP_ALL
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_SINGLE_DH_USE
|
||||
+#ifdef SSL_OP_SINGLE_DH_USE
|
||||
{
|
||||
"SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_EPHEMERAL_RSA
|
||||
+#ifdef SSL_OP_EPHEMERAL_RSA
|
||||
{
|
||||
"EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_PKCS1_CHECK_1
|
||||
+#ifdef SSL_OP_PKCS1_CHECK_1
|
||||
{
|
||||
"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_PKCS1_CHECK_2
|
||||
+#ifdef SSL_OP_PKCS1_CHECK_2
|
||||
{
|
||||
"PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_NETSCAPE_CA_DN_BUG
|
||||
+#ifdef SSL_OP_NETSCAPE_CA_DN_BUG
|
||||
{
|
||||
"NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_NON_EXPORT_FIRST
|
||||
+#ifdef SSL_OP_NON_EXPORT_FIRST
|
||||
{
|
||||
"NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_CIPHER_SERVER_PREFERENCE
|
||||
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
|
||||
{
|
||||
"CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
|
||||
+#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
|
||||
{
|
||||
"NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_NO_SSLv3
|
||||
+#ifdef SSL_OP_NO_SSLv3
|
||||
{
|
||||
"NO_SSLv3", SSL_OP_NO_SSLv3
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_NO_TLSv1
|
||||
+#ifdef SSL_OP_NO_TLSv1
|
||||
{
|
||||
"NO_TLSv1", SSL_OP_NO_TLSv1
|
||||
},
|
||||
#else
|
||||
{ "NO_TLSv1", 0 },
|
||||
#endif
|
||||
-#if SSL_OP_NO_TLSv1_1
|
||||
+#ifdef SSL_OP_NO_TLSv1_1
|
||||
{
|
||||
"NO_TLSv1_1", SSL_OP_NO_TLSv1_1
|
||||
},
|
||||
#else
|
||||
{ "NO_TLSv1_1", 0 },
|
||||
#endif
|
||||
-#if SSL_OP_NO_TLSv1_2
|
||||
+#ifdef SSL_OP_NO_TLSv1_2
|
||||
{
|
||||
"NO_TLSv1_2", SSL_OP_NO_TLSv1_2
|
||||
},
|
||||
#else
|
||||
{ "NO_TLSv1_2", 0 },
|
||||
#endif
|
||||
-#if SSL_OP_NO_TLSv1_3
|
||||
+#ifdef SSL_OP_NO_TLSv1_3
|
||||
{
|
||||
"NO_TLSv1_3", SSL_OP_NO_TLSv1_3
|
||||
},
|
||||
#else
|
||||
{ "NO_TLSv1_3", 0 },
|
||||
#endif
|
||||
-#if SSL_OP_NO_COMPRESSION
|
||||
+#ifdef SSL_OP_NO_COMPRESSION
|
||||
{
|
||||
"No_Compression", SSL_OP_NO_COMPRESSION
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_NO_TICKET
|
||||
+#ifdef SSL_OP_NO_TICKET
|
||||
{
|
||||
"NO_TICKET", SSL_OP_NO_TICKET
|
||||
},
|
||||
#endif
|
||||
-#if SSL_OP_SINGLE_ECDH_USE
|
||||
+#ifdef SSL_OP_SINGLE_ECDH_USE
|
||||
{
|
||||
"SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE
|
||||
},
|
||||
@@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions()
|
||||
|
||||
}
|
||||
|
||||
-#if SSL_OP_NO_SSLv2
|
||||
+#ifdef SSL_OP_NO_SSLv2
|
||||
// compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
|
||||
op = op | SSL_OP_NO_SSLv2;
|
||||
#endif
|
|
@ -0,0 +1,24 @@
|
|||
diff --git a/src/tests/testStoreHashIndex.cc b/src/tests/testStoreHashIndex.cc
|
||||
index 0564380..fcd60b9 100644
|
||||
--- a/src/tests/testStoreHashIndex.cc
|
||||
+++ b/src/tests/testStoreHashIndex.cc
|
||||
@@ -102,6 +102,8 @@ void commonInit()
|
||||
if (inited)
|
||||
return;
|
||||
|
||||
+ inited = true;
|
||||
+
|
||||
Mem::Init();
|
||||
|
||||
Config.Store.avgObjectSize = 1024;
|
||||
@@ -109,6 +111,10 @@ void commonInit()
|
||||
Config.Store.objectsPerBucket = 20;
|
||||
|
||||
Config.Store.maxObjectSize = 2048;
|
||||
+
|
||||
+ Config.memShared.defaultTo(false);
|
||||
+
|
||||
+ Config.store_dir_select_algorithm = xstrdup("round-robin");
|
||||
}
|
||||
|
||||
/* TODO make this a cbdata class */
|
|
@ -0,0 +1,120 @@
|
|||
diff --git a/src/gopher.cc b/src/gopher.cc
|
||||
index 576a3f7..2645b6b 100644
|
||||
--- a/src/gopher.cc
|
||||
+++ b/src/gopher.cc
|
||||
@@ -364,7 +364,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
|
||||
char *lpos = NULL;
|
||||
char *tline = NULL;
|
||||
LOCAL_ARRAY(char, line, TEMP_BUF_SIZE);
|
||||
- LOCAL_ARRAY(char, tmpbuf, TEMP_BUF_SIZE);
|
||||
char *name = NULL;
|
||||
char *selector = NULL;
|
||||
char *host = NULL;
|
||||
@@ -374,7 +373,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
|
||||
char gtype;
|
||||
StoreEntry *entry = NULL;
|
||||
|
||||
- memset(tmpbuf, '\0', TEMP_BUF_SIZE);
|
||||
memset(line, '\0', TEMP_BUF_SIZE);
|
||||
|
||||
entry = gopherState->entry;
|
||||
@@ -409,7 +407,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
|
||||
return;
|
||||
}
|
||||
|
||||
- String outbuf;
|
||||
+ SBuf outbuf;
|
||||
|
||||
if (!gopherState->HTML_header_added) {
|
||||
if (gopherState->conversion == GopherStateData::HTML_CSO_RESULT)
|
||||
@@ -577,34 +575,34 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
|
||||
break;
|
||||
}
|
||||
|
||||
- memset(tmpbuf, '\0', TEMP_BUF_SIZE);
|
||||
-
|
||||
if ((gtype == GOPHER_TELNET) || (gtype == GOPHER_3270)) {
|
||||
if (strlen(escaped_selector) != 0)
|
||||
- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
|
||||
- icon_url, escaped_selector, rfc1738_escape_part(host),
|
||||
- *port ? ":" : "", port, html_quote(name));
|
||||
+ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
|
||||
+ icon_url, escaped_selector, rfc1738_escape_part(host),
|
||||
+ *port ? ":" : "", port, html_quote(name));
|
||||
else
|
||||
- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
|
||||
- icon_url, rfc1738_escape_part(host), *port ? ":" : "",
|
||||
- port, html_quote(name));
|
||||
+ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
|
||||
+ icon_url, rfc1738_escape_part(host), *port ? ":" : "",
|
||||
+ port, html_quote(name));
|
||||
|
||||
} else if (gtype == GOPHER_INFO) {
|
||||
- snprintf(tmpbuf, TEMP_BUF_SIZE, "\t%s\n", html_quote(name));
|
||||
+ outbuf.appendf("\t%s\n", html_quote(name));
|
||||
} else {
|
||||
if (strncmp(selector, "GET /", 5) == 0) {
|
||||
/* WWW link */
|
||||
- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
|
||||
- icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
|
||||
+ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
|
||||
+ icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
|
||||
+ } else if (gtype == GOPHER_WWW) {
|
||||
+ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
|
||||
+ icon_url, rfc1738_escape_unescaped(selector), html_quote(name));
|
||||
} else {
|
||||
/* Standard link */
|
||||
- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
|
||||
- icon_url, host, gtype, escaped_selector, html_quote(name));
|
||||
+ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
|
||||
+ icon_url, host, gtype, escaped_selector, html_quote(name));
|
||||
}
|
||||
}
|
||||
|
||||
safe_free(escaped_selector);
|
||||
- outbuf.append(tmpbuf);
|
||||
} else {
|
||||
memset(line, '\0', TEMP_BUF_SIZE);
|
||||
continue;
|
||||
@@ -637,13 +635,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
|
||||
break;
|
||||
|
||||
if (gopherState->cso_recno != recno) {
|
||||
- snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
|
||||
+ outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
|
||||
gopherState->cso_recno = recno;
|
||||
} else {
|
||||
- snprintf(tmpbuf, TEMP_BUF_SIZE, "%s\n", html_quote(result));
|
||||
+ outbuf.appendf("%s\n", html_quote(result));
|
||||
}
|
||||
|
||||
- outbuf.append(tmpbuf);
|
||||
break;
|
||||
} else {
|
||||
int code;
|
||||
@@ -671,8 +668,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
|
||||
|
||||
case 502: { /* Too Many Matches */
|
||||
/* Print the message the server returns */
|
||||
- snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
|
||||
- outbuf.append(tmpbuf);
|
||||
+ outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -688,13 +684,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
|
||||
|
||||
} /* while loop */
|
||||
|
||||
- if (outbuf.size() > 0) {
|
||||
- entry->append(outbuf.rawBuf(), outbuf.size());
|
||||
+ if (outbuf.length() > 0) {
|
||||
+ entry->append(outbuf.rawContent(), outbuf.length());
|
||||
/* now let start sending stuff to client */
|
||||
entry->flush();
|
||||
}
|
||||
|
||||
- outbuf.clean();
|
||||
return;
|
||||
}
|
||||
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
Name: squid
|
||||
Version: 4.15
|
||||
Release: 7%{?dist}.10
|
||||
Release: 9%{?dist}
|
||||
Summary: The Squid proxy caching server
|
||||
Epoch: 7
|
||||
# See CREDITS for breakdown of non GPLv2+ code
|
||||
|
@ -63,12 +63,9 @@ Patch307: squid-4.15-CVE-2023-46724.patch
|
|||
Patch308: squid-4.15-CVE-2023-49285.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2252923
|
||||
Patch309: squid-4.15-CVE-2023-49286.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2264309
|
||||
Patch310: squid-4.15-CVE-2024-25617.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2268366
|
||||
Patch311: squid-4.15-CVE-2024-25111.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2254663
|
||||
Patch312: squid-4.15-CVE-2023-50269.patch
|
||||
Patch310: squid-4.15-CVE-2023-50269.patch
|
||||
|
||||
|
||||
Requires: bash >= 2.0
|
||||
Requires(pre): shadow-utils
|
||||
|
@ -143,9 +140,8 @@ lookup program (dnsserver), a program for retrieving FTP data
|
|||
%patch307 -p1 -b .CVE-2023-46724
|
||||
%patch308 -p1 -b .CVE-2023-49285
|
||||
%patch309 -p1 -b .CVE-2023-49286
|
||||
%patch310 -p1 -b .CVE-2024-25617
|
||||
%patch311 -p1 -b .CVE-2024-25111
|
||||
%patch312 -p1 -b .CVE-2023-50269
|
||||
%patch310 -p1 -b .CVE-2023-50269
|
||||
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526
|
||||
# Patch in the vendor documentation and used different location for documentation
|
||||
|
@ -362,43 +358,26 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Thu Mar 14 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-7.10
|
||||
- Resolves: RHEL-19551 - squid:4/squid: denial of service in HTTP request
|
||||
* Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-9
|
||||
- Resolves: RHEL-19552 - squid:4/squid: denial of service in HTTP request
|
||||
parsing (CVE-2023-50269)
|
||||
|
||||
* Fri Mar 08 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-7.9
|
||||
- Resolves: RHEL-28611 - squid:4/squid: Denial of Service in HTTP Chunked
|
||||
Decoding (CVE-2024-25111)
|
||||
|
||||
* Mon Feb 26 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-7.6
|
||||
- Resolves: RHEL-26087 - squid:4/squid: denial of service in HTTP header
|
||||
parser (CVE-2024-25617)
|
||||
|
||||
* Thu Dec 07 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-7.5
|
||||
- Resolves: RHEL-18483 - squid:4/squid: Buffer over-read in the HTTP Message
|
||||
* Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-8
|
||||
- Resolves: RHEL-18351 - squid:4/squid: Buffer over-read in the HTTP Message
|
||||
processing feature (CVE-2023-49285)
|
||||
- Resolves: RHEL-18485 - squid:4/squid: Incorrect Check of Function Return
|
||||
- Resolves: RHEL-18342 - squid:4/squid: Incorrect Check of Function Return
|
||||
Value In Helper Process management (CVE-2023-49286)
|
||||
|
||||
* Wed Dec 06 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-7.4
|
||||
- Resolves: RHEL-16764 - squid:4/squid: Denial of Service in SSL Certificate
|
||||
- Resolves: RHEL-18230 - squid:4/squid: Denial of Service in SSL Certificate
|
||||
validation (CVE-2023-46724)
|
||||
- Resolves: RHEL-16775 - squid:4/squid: NULL pointer dereference in the gopher
|
||||
- Resolves: RHEL-15911 - squid:4/squid: NULL pointer dereference in the gopher
|
||||
protocol code (CVE-2023-46728)
|
||||
- Resolves: RHEL-18257 - squid crashes in assertion when a parent peer exists
|
||||
|
||||
* Thu Nov 30 2023 Tomas Korbar <tkorbar@redhat.com> - 7:4.15-7.3
|
||||
- Related: RHEL-14792 - squid: squid multiple issues in HTTP response caching
|
||||
- Fix mistake in the patch
|
||||
|
||||
* Tue Nov 21 2023 Tomas Korbar <tkorbar@redhat.com> - 7:4.15-7.2
|
||||
- Resolves: RHEL-14792 - squid: squid multiple issues in HTTP response caching
|
||||
|
||||
* Mon Oct 30 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-7.1
|
||||
- Resolves: RHEL-14801 - squid: squid: Denial of Service in HTTP Digest
|
||||
Authentication
|
||||
- Resolves: RHEL-14776 - squid: squid: Request/Response smuggling in HTTP/1.1
|
||||
and ICAP
|
||||
- Resolves: RHEL-18251 - squid crashes in assertion when a parent peer exists
|
||||
- Resolves: RHEL-14794 - squid: squid multiple issues in HTTP response caching
|
||||
(CVE-2023-5824)
|
||||
- Resolves: RHEL-14803 - squid: squid: Denial of Service in HTTP Digest
|
||||
Authentication (CVE-2023-46847)
|
||||
- Resolves: RHEL-14777 - squid: squid: Request/Response smuggling in HTTP/1.1
|
||||
and ICAP (CVE-2023-46846)
|
||||
|
||||
* Wed Aug 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-7
|
||||
- Resolves: #2076717 - Crash with half_closed_client on
|
Loading…
Reference in New Issue