diff --git a/src/HttpRequest.cc b/src/HttpRequest.cc index 38b9307..e0278b7 100644 --- a/src/HttpRequest.cc +++ b/src/HttpRequest.cc @@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e) /* packs request-line and headers, appends terminator */ void -HttpRequest::pack(Packable * p) const +HttpRequest::pack(Packable * const p, const bool maskSensitiveInfo) const { assert(p); /* pack request-line */ @@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()), http_ver.major, http_ver.minor); /* headers */ - header.packInto(p); - /* trailer */ + header.packInto(p, maskSensitiveInfo); + /* indicate the end of the header section */ p->append("\r\n", 2); } diff --git a/src/HttpRequest.h b/src/HttpRequest.h index fe706ef..4329d53 100644 --- a/src/HttpRequest.h +++ b/src/HttpRequest.h @@ -201,7 +201,7 @@ public: void swapOut(StoreEntry * e); - void pack(Packable * p) const; + void pack(Packable * p, bool maskSensitiveInfo = false) const; static void httpRequestPack(void *obj, Packable *p); diff --git a/src/cf.data.pre b/src/cf.data.pre index d55b870..7b18b0e 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -8319,12 +8319,18 @@ NAME: email_err_data COMMENT: on|off TYPE: onoff LOC: Config.onoff.emailErrData -DEFAULT: on +DEFAULT: off DOC_START If enabled, information about the occurred error will be included in the mailto links of the ERR pages (if %W is set) so that the email body contains the data. Syntax is %w + + SECURITY WARNING: + Request headers and other included facts may contain + sensitive information about transaction history, the + Squid instance, and its environment which would be + unavailable to error recipients otherwise. DOC_END NAME: deny_info diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc index fea5ecb..c7dc756 100644 --- a/src/client_side_reply.cc +++ b/src/client_side_reply.cc 
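Review bot: The comment above `HttpRequest::pack` still reads `/* packs request-line and headers, appends terminator */` and says nothing about the new `maskSensitiveInfo` flag, so a reader cannot tell from the definition which call sites are safe to expose to a client. I would extend it to `/* packs request-line and headers, appends terminator; with maskSensitiveInfo the header values the callers describe as authorization data are hidden (see HttpHeader::packInto) */`. Exactly which headers get masked is decided in HttpHeader::packInto, which is outside this diff, so the wording should be confirmed against it before landing.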
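Review bot: `bool maskSensitiveInfo = false` makes masking opt-in, so every existing `pack()` caller — presumably including the `httpRequestPack` wrapper declared on the context line right below, which this diff does not touch — keeps serializing unmasked headers. Any such caller whose output can reach a client or an externally readable log inherits the very problem this change fixes; I would either drop the default so each call site has to choose, `void pack(Packable *p, bool maskSensitiveInfo) const;` (updating the callers), or add `/// serializes request-line and headers; pass maskSensitiveInfo=true whenever the output may leave the proxy` on the declaration. I have not seen the other callers, so whether any of them is client-facing is a question for the author.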
@@ -100,7 +100,7 @@ clientReplyContext::clientReplyContext(ClientHttpRequest *clientContext) : void clientReplyContext::setReplyToError( err_type err, Http::StatusCode status, const HttpRequestMethod& method, char const *uri, - Ip::Address &addr, HttpRequest * failedrequest, const char *unparsedrequest, + Ip::Address &addr, HttpRequest * failedrequest, const char *, #if USE_AUTH Auth::UserRequest::Pointer auth_user_request #else @@ -110,9 +110,6 @@ clientReplyContext::setReplyToError( { ErrorState *errstate = clientBuildError(err, status, uri, addr, failedrequest); - if (unparsedrequest) - errstate->request_hdrs = xstrdup(unparsedrequest); - #if USE_AUTH errstate->auth_user_request = auth_user_request; #endif @@ -1078,10 +1075,13 @@ clientReplyContext::traceReply() triggerInitialStoreRead(); http->storeEntry()->releaseRequest(); http->storeEntry()->buffer(); + MemBuf *content = new MemBuf; + content->init(); + http->request->pack(content, true /* hide authorization data */); HttpReply *rep = new HttpReply; - rep->setHeaders(Http::scOkay, NULL, "text/plain", http->request->prefixLen(), 0, squid_curtime); + rep->setHeaders(Http::scOkay, NULL, "message/http", content->contentSize(), 0, squid_curtime); + rep->body.setMb(content); http->storeEntry()->replaceHttpReply(rep); - http->request->swapOut(http->storeEntry()); http->storeEntry()->complete(); } diff --git a/src/errorpage.cc b/src/errorpage.cc index 72be100..c1f3b25 100644 --- a/src/errorpage.cc +++ b/src/errorpage.cc @@ -575,7 +575,6 @@ ErrorState::ErrorState(err_type t, Http::StatusCode status, HttpRequest * req) : redirect_url(NULL), callback(NULL), callback_data(NULL), - request_hdrs(NULL), err_msg(NULL), #if USE_OPENSSL detail(NULL), @@ -678,7 +677,6 @@ ErrorState::~ErrorState() HTTPMSGUNLOCK(request); safe_free(redirect_url); safe_free(url); - safe_free(request_hdrs); wordlistDestroy(&ftp.server_msg); safe_free(ftp.request); safe_free(ftp.reply); 
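Review bot: The `unparsedrequest` argument is now an unnamed, ignored parameter, but nothing at the definition says so; callers still build and pass it, and a future maintainer could wire it back into the error page, which is exactly what the removed `errstate->request_hdrs = xstrdup(unparsedrequest)` copy did with raw, unmasked request bytes. I would annotate it, `const char * /* unparsedrequest: intentionally ignored; raw request text is no longer stored on the ErrorState */`, or better remove the parameter from the declaration in client_side_reply.h and from its callers, neither of which appears in this diff. The setReplyToError parameter list and body both run past the edges of these two hunks.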
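Review bot: `MemBuf *content = new MemBuf;` in traceReply is never deleted in the hunk, so correctness depends on `rep->body.setMb(content)` taking ownership, and nothing at the call site says it does; if setMb copies instead, every TRACE reply leaks a MemBuf holding a copy of the client's request, and if `http->request->pack(content, true)` can throw, the buffer leaks before it is ever handed over. I would record the contract on the line, `rep->body.setMb(content); // rep->body owns content from here on`, after confirming it against HttpBody::setMb, which is outside this diff. The switch to `"message/http"` with the masked `pack()` output is the right shape for a TRACE echo; it only needs the ownership made explicit.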
@@ -737,12 +735,10 @@ ErrorState::Dump(MemBuf * mb) /* - HTTP stuff */ str.append("HTTP Request:\r\n", 15); if (request) { - str.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n", - SQUIDSBUFPRINT(request->method.image()), - SQUIDSBUFPRINT(request->url.path()), - AnyP::ProtocolType_str[request->http_ver.protocol], - request->http_ver.major, request->http_ver.minor); - request->header.packInto(&str); + MemBuf r; + r.init(); + request->pack(&r, true /* hide authorization data */); + str.append(r.content(), r.contentSize()); } str.append("\r\n", 2); @@ -961,15 +957,8 @@ ErrorState::Convert(char token, bool building_deny_info_url, bool allowRecursion p = "[no request]"; break; } - if (request != NULL) { - mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n", - SQUIDSBUFPRINT(request->method.image()), - SQUIDSBUFPRINT(request->url.path()), - AnyP::ProtocolType_str[request->http_ver.protocol], - request->http_ver.major, request->http_ver.minor); + else if (request) { request->header.packInto(&mb, true); //hide authorization data - } else if (request_hdrs) { - p = request_hdrs; } else { p = "[no request]"; } diff --git a/src/errorpage.h b/src/errorpage.h index 332e507..bf61b4d 100644 --- a/src/errorpage.h +++ b/src/errorpage.h @@ -164,7 +164,6 @@ public: MemBuf *listing; } ftp; - char *request_hdrs; char *err_msg; /* Preformatted error message from the cache */ #if USE_OPENSSL diff --git a/src/tests/stub_HttpRequest.cc b/src/tests/stub_HttpRequest.cc index cd18d51..495d786 100644 --- a/src/tests/stub_HttpRequest.cc +++ b/src/tests/stub_HttpRequest.cc 
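Review bot: `request->pack(&r, true)` already appends the header-section terminator (the `p->append("\r\n", 2)` at the end of pack in the HttpRequest.cc hunk), and Dump still appends its own `str.append("\r\n", 2)` immediately after, so the dumped request is now followed by two blank lines where the old `header.packInto(&str)` path produced one. If that does not matter to whoever consumes Dump (it reads as a diagnostic dump; I have not seen its consumers), a comment such as `// pack() already terminates the header section` would stop the next reader from "fixing" it; otherwise drop the second append. The request-line also changes from the old `%s/%d.%d` form with the protocol name to whatever pack() emits, so any tooling that parsed the old line should be checked. Dump's body continues outside the hunk.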
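Review bot: The `%R` branch now emits only `request->header.packInto(&mb, true)` and drops the request-line that the removed `mb.appendf` produced, while the Dump hunk in the same file switches to `request->pack(&r, true)` and keeps it, so the two paths render the same request differently and error-page templates that relied on %R for the method and path lose them. If that is intended (the request-line can carry query strings, and the URL may be reachable through other tokens), a one-line comment would save the next reader the question; otherwise `request->pack(&mb, true /* hide authorization data */);` restores the line consistently with Dump, at the cost of pack's trailing blank line. Removing the `request_hdrs` fallback itself is the right call, since it echoed raw unparsed bytes with no masking at all. The Convert switch continues outside the hunk.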
@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const HttpRequestMethod &, int64_t &) const STUB
 bool HttpRequest::bodyNibbled() const STUB_RETVAL(false)
 int HttpRequest::prefixLen() const STUB_RETVAL(0)
 void HttpRequest::swapOut(StoreEntry *) STUB
-void HttpRequest::pack(Packable *) const STUB
+void HttpRequest::pack(Packable *, bool) const STUB
 void HttpRequest::httpRequestPack(void *, Packable *) STUB
 HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
 HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)