import squid-5.5-5.el9

i9c-beta changed/i9c-beta/squid-5.5-5.el9
MSVSphere Packaging Team 2 years ago
commit 7d88bdcbc1

2
.gitignore vendored

@ -0,0 +1,2 @@
SOURCES/pgp.asc
SOURCES/squid-5.5.tar.xz

@ -0,0 +1,2 @@
8e3de63f3bef0c9c4edbcfe000c567119f687143 SOURCES/pgp.asc
42302bd9b8feff851a41420334cb8eaeab2806ab SOURCES/squid-5.5.tar.xz

@ -0,0 +1,21 @@
#!/bin/bash
if [ -f /etc/sysconfig/squid ]; then
. /etc/sysconfig/squid
fi
SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"}
CACHE_SWAP=`awk '/^[[:blank:]]*cache_dir/ { print $3 }' "$SQUID_CONF"`
init_cache_dirs=0
for adir in $CACHE_SWAP; do
if [ ! -d $adir/00 ]; then
echo -n "init_cache_dir $adir... "
init_cache_dirs=1
fi
done
if [ $init_cache_dirs -ne 0 ]; then
echo ""
squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1
fi

@ -0,0 +1,3 @@
#!/bin/sh
/usr/lib/rpm/perl.req $* | grep -v "Authen::Smb"

@ -0,0 +1,10 @@
diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl
index 4cb0480..4b89910 100755
--- a/contrib/url-normalizer.pl
+++ b/contrib/url-normalizer.pl
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl -Tw
+#!/usr/bin/perl -Tw
#
# * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
# *

@ -0,0 +1,32 @@
diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART
--- squid-3.1.0.9/QUICKSTART.location 2009-06-26 12:35:27.000000000 +0200
+++ squid-3.1.0.9/QUICKSTART 2009-07-17 14:03:10.000000000 +0200
@@ -10,10 +10,9 @@ After you retrieved, compiled and instal
INSTALL in the same directory), you have to configure the squid.conf
file. This is the list of the values you *need* to change, because no
sensible defaults could be defined. Do not touch the other variables
-for now. We assume you have installed Squid in the default location:
-/usr/local/squid
+for now.
-Uncomment and edit the following lines in /usr/local/squid/etc/squid.conf:
+Uncomment and edit the following lines in /etc/squid/squid.conf:
==============================================================================
@@ -82,12 +81,12 @@ After editing squid.conf to your liking,
line TWICE:
To create any disk cache_dir configured:
- % /usr/local/squid/sbin/squid -z
+ % /usr/sbin/squid -z
To start squid:
- % /usr/local/squid/sbin/squid
+ % /usr/sbin/squid
-Check in the cache.log (/usr/local/squid/var/logs/cache.log) that
+Check in the cache.log (/var/log/squid/cache.log) that
everything is all right.
Once Squid created all its files (it can take several minutes on some

@ -0,0 +1,95 @@
------------------------------------------------------------
revno: 14311
revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
------------------------------------------------------------
revno: 14311
revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
author: Francesco Chemolli <kinkie@squid-cache.org>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: trunk
timestamp: Thu 2015-09-24 06:05:37 -0700
message:
Bug 4323: Netfilter broken cross-includes with Linux 4.2
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
# timestamp: 2015-09-24 13:06:33 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
# base_revision_id: squid3@treenet.co.nz-20150924032241-\
# 6cx3g6hwz9xfoybr
#
# Begin patch
=== modified file 'compat/os/linux.h'
--- compat/os/linux.h 2015-01-13 07:25:36 +0000
+++ compat/os/linux.h 2015-09-24 13:05:37 +0000
@@ -30,6 +30,21 @@
#endif
/*
+ * Netfilter header madness. (see Bug 4323)
+ *
+ * Netfilter have a history of defining their own versions of network protocol
+ * primitives without sufficient protection against the POSIX defines which are
+ * aways present in Linux.
+ *
+ * netinet/in.h must be included before any other sys header in order to properly
+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
+ * to workaround it.
+ */
+#if HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+/*
* sys/capability.h is only needed in Linux apparently.
*
* HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
author: Francesco Chemolli <kinkie@squid-cache.org>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: trunk
timestamp: Thu 2015-09-24 06:05:37 -0700
message:
Bug 4323: Netfilter broken cross-includes with Linux 4.2
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
# timestamp: 2015-09-24 13:06:33 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
# base_revision_id: squid3@treenet.co.nz-20150924032241-\
# 6cx3g6hwz9xfoybr
#
# Begin patch
=== modified file 'compat/os/linux.h'
--- compat/os/linux.h 2015-01-13 07:25:36 +0000
+++ compat/os/linux.h 2015-09-24 13:05:37 +0000
@@ -30,6 +30,21 @@
#endif
/*
+ * Netfilter header madness. (see Bug 4323)
+ *
+ * Netfilter have a history of defining their own versions of network protocol
+ * primitives without sufficient protection against the POSIX defines which are
+ * aways present in Linux.
+ *
+ * netinet/in.h must be included before any other sys header in order to properly
+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
+ * to workaround it.
+ */
+#if HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+/*
* sys/capability.h is only needed in Linux apparently.
*
* HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc

@ -0,0 +1,26 @@
diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre
--- squid-4.0.11/src/cf.data.pre.config 2016-06-09 22:32:57.000000000 +0200
+++ squid-4.0.11/src/cf.data.pre 2016-07-11 21:08:35.090976840 +0200
@@ -4658,7 +4658,7 @@ DOC_END
NAME: logfile_rotate
TYPE: int
-DEFAULT: 10
+DEFAULT: 0
LOC: Config.Log.rotateNumber
DOC_START
Specifies the default number of logfile rotations to make when you
@@ -6444,11 +6444,11 @@ COMMENT_END
NAME: cache_mgr
TYPE: string
-DEFAULT: webmaster
+DEFAULT: root
LOC: Config.adminEmail
DOC_START
Email-address of local cache manager who will receive
- mail if the cache dies. The default is "webmaster".
+ mail if the cache dies. The default is "root".
DOC_END
NAME: mail_from

@ -0,0 +1,68 @@
From fc01451000eaa5592cd5afbd6aee14e53f7dd2c3 Mon Sep 17 00:00:00 2001
From: Amos Jeffries <amosjeffries@squid-cache.org>
Date: Sun, 18 Oct 2020 20:23:10 +1300
Subject: [PATCH] Update translations integration
* Add credits for es-mx translation moderator
* Use es-mx for default of all Spanish (Central America) texts
* Update translation related .am files
---
doc/manuals/language.am | 2 +-
errors/TRANSLATORS | 1 +
errors/aliases | 3 ++-
errors/language.am | 3 ++-
errors/template.am | 2 +-
5 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/doc/manuals/language.am b/doc/manuals/language.am
index 7670c88380c..f03c4cf71b4 100644
--- a/doc/manuals/language.am
+++ b/doc/manuals/language.am
@@ -18,4 +18,4 @@ TRANSLATE_LANGUAGES = \
oc.lang \
pt.lang \
ro.lang \
- ru.lang
+ ru.lang
diff --git a/errors/aliases b/errors/aliases
index 36f17f4b80f..cf0116f297d 100644
--- a/errors/aliases
+++ b/errors/aliases
@@ -14,7 +14,8 @@ da da-dk
de de-at de-ch de-de de-li de-lu
el el-gr
en en-au en-bz en-ca en-cn en-gb en-ie en-in en-jm en-nz en-ph en-sg en-tt en-uk en-us en-za en-zw
-es es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-us es-uy es-ve es-xl
+es es-ar es-bo es-cl es-cu es-co es-do es-ec es-es es-pe es-pr es-py es-us es-uy es-ve es-xl spq
+es-mx es-bz es-cr es-gt es-hn es-ni es-pa es-sv
et et-ee
fa fa-fa fa-ir
fi fi-fi
diff --git a/errors/language.am b/errors/language.am
index 12b1b2b3b43..029e8c1eb2f 100644
--- a/errors/language.am
+++ b/errors/language.am
@@ -17,6 +17,7 @@ TRANSLATE_LANGUAGES = \
de.lang \
el.lang \
en.lang \
+ es-mx.lang \
es.lang \
et.lang \
fa.lang \
@@ -51,4 +52,4 @@ TRANSLATE_LANGUAGES = \
uz.lang \
vi.lang \
zh-hans.lang \
- zh-hant.lang
+ zh-hant.lang
diff --git a/errors/template.am b/errors/template.am
index 6c12781e6f4..715c65aa22b 100644
--- a/errors/template.am
+++ b/errors/template.am
@@ -48,4 +48,4 @@ ERROR_TEMPLATES = \
templates/ERR_UNSUP_REQ \
templates/ERR_URN_RESOLVE \
templates/ERR_WRITE_ERROR \
- templates/ERR_ZERO_SIZE_OBJECT
+ templates/ERR_ZERO_SIZE_OBJECT

@ -0,0 +1,127 @@
diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc
index 747ed35..f2b7126 100644
--- a/src/clients/FtpClient.cc
+++ b/src/clients/FtpClient.cc
@@ -795,7 +795,8 @@ Ftp::Client::connectDataChannel()
bool
Ftp::Client::openListenSocket()
{
- return false;
+ debugs(9, 3, HERE);
+ return false;
}
/// creates a data channel Comm close callback
diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h
index eb5ea1b..e92c007 100644
--- a/src/clients/FtpClient.h
+++ b/src/clients/FtpClient.h
@@ -137,7 +137,7 @@ public:
bool sendPort();
bool sendPassive();
void connectDataChannel();
- bool openListenSocket();
+ virtual bool openListenSocket();
void switchTimeoutToDataChannel();
CtrlChannel ctrl; ///< FTP control channel state
diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
index 05db817..2989cd2 100644
--- a/src/clients/FtpGateway.cc
+++ b/src/clients/FtpGateway.cc
@@ -86,6 +86,13 @@ struct GatewayFlags {
class Gateway;
typedef void (StateMethod)(Ftp::Gateway *);
+} // namespace FTP
+
+static void ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback);
+
+namespace Ftp
+{
+
/// FTP Gateway: An FTP client that takes an HTTP request with an ftp:// URI,
/// converts it into one or more FTP commands, and then
/// converts one or more FTP responses into the final HTTP response.
@@ -136,7 +143,11 @@ public:
/// create a data channel acceptor and start listening.
void listenForDataChannel(const Comm::ConnectionPointer &conn);
-
+ virtual bool openListenSocket() {
+ debugs(9, 3, HERE);
+ ftpOpenListenSocket(this, 0);
+ return Comm::IsConnOpen(data.conn);
+ }
int checkAuth(const HttpHeader * req_hdr);
void checkUrlpath();
void buildTitleUrl();
@@ -1786,6 +1797,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback)
}
ftpState->listenForDataChannel(temp);
+ ftpState->data.listenConn = temp;
}
static void
@@ -1821,13 +1833,19 @@ ftpSendPORT(Ftp::Gateway * ftpState)
// pull out the internal IP address bytes to send in PORT command...
// source them from the listen_conn->local
+ struct sockaddr_in addr;
+ socklen_t addrlen = sizeof(addr);
+ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
+ unsigned char port_high = ntohs(addr.sin_port) >> 8;
+ unsigned char port_low = ntohs(addr.sin_port) & 0xff;
+
struct addrinfo *AI = NULL;
ftpState->data.listenConn->local.getAddrInfo(AI, AF_INET);
unsigned char *addrptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_addr;
- unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
+ // unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
snprintf(cbuf, CTRL_BUFLEN, "PORT %d,%d,%d,%d,%d,%d\r\n",
addrptr[0], addrptr[1], addrptr[2], addrptr[3],
- portptr[0], portptr[1]);
+ port_high, port_low);
ftpState->writeCommand(cbuf);
ftpState->state = Ftp::Client::SENT_PORT;
@@ -1880,14 +1898,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState)
return;
}
+
+ unsigned int port;
+ struct sockaddr_storage addr;
+ socklen_t addrlen = sizeof(addr);
+ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
+ if (addr.ss_family == AF_INET) {
+ struct sockaddr_in *addr4 = (struct sockaddr_in*) &addr;
+ port = ntohs( addr4->sin_port );
+ } else {
+ struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &addr;
+ port = ntohs( addr6->sin6_port );
+ }
+
char buf[MAX_IPSTRLEN];
/* RFC 2428 defines EPRT as IPv6 equivalent to IPv4 PORT command. */
/* Which can be used by EITHER protocol. */
- snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%d|\r\n",
+ snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%u|\r\n",
( ftpState->data.listenConn->local.isIPv6() ? 2 : 1 ),
ftpState->data.listenConn->local.toStr(buf,MAX_IPSTRLEN),
- ftpState->data.listenConn->local.port() );
+ port);
ftpState->writeCommand(cbuf);
ftpState->state = Ftp::Client::SENT_EPRT;
@@ -1906,7 +1937,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState)
ftpSendPORT(ftpState);
return;
}
-
+ ftpState->ctrl.message = NULL;
ftpRestOrList(ftpState);
}

@ -0,0 +1,185 @@
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 3ad135d..73912ce 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -557,7 +557,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn)
}
// "dup" function for SSL_get_ex_new_index("cert_err_check")
-#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
+#if OPENSSL_VERSION_MAJOR >= 3
+static int
+ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **,
+ int, long, void *)
+#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
static int
ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *,
int, long, void *)
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index cf1d4ba..4346ba5 100644
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -297,130 +297,130 @@ static struct ssl_option {
} ssl_options[] = {
-#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
{
"NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
},
#endif
-#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
{
"SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
},
#endif
-#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
{
"MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
},
#endif
-#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
{
"SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG
},
#endif
-#if SSL_OP_TLS_D5_BUG
+#ifdef SSL_OP_TLS_D5_BUG
{
"TLS_D5_BUG", SSL_OP_TLS_D5_BUG
},
#endif
-#if SSL_OP_TLS_BLOCK_PADDING_BUG
+#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
{
"TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG
},
#endif
-#if SSL_OP_TLS_ROLLBACK_BUG
+#ifdef SSL_OP_TLS_ROLLBACK_BUG
{
"TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG
},
#endif
-#if SSL_OP_ALL
+#ifdef SSL_OP_ALL
{
"ALL", (long)SSL_OP_ALL
},
#endif
-#if SSL_OP_SINGLE_DH_USE
+#ifdef SSL_OP_SINGLE_DH_USE
{
"SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE
},
#endif
-#if SSL_OP_EPHEMERAL_RSA
+#ifdef SSL_OP_EPHEMERAL_RSA
{
"EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA
},
#endif
-#if SSL_OP_PKCS1_CHECK_1
+#ifdef SSL_OP_PKCS1_CHECK_1
{
"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1
},
#endif
-#if SSL_OP_PKCS1_CHECK_2
+#ifdef SSL_OP_PKCS1_CHECK_2
{
"PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2
},
#endif
-#if SSL_OP_NETSCAPE_CA_DN_BUG
+#ifdef SSL_OP_NETSCAPE_CA_DN_BUG
{
"NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG
},
#endif
-#if SSL_OP_NON_EXPORT_FIRST
+#ifdef SSL_OP_NON_EXPORT_FIRST
{
"NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST
},
#endif
-#if SSL_OP_CIPHER_SERVER_PREFERENCE
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
{
"CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE
},
#endif
-#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
+#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
{
"NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
},
#endif
-#if SSL_OP_NO_SSLv3
+#ifdef SSL_OP_NO_SSLv3
{
"NO_SSLv3", SSL_OP_NO_SSLv3
},
#endif
-#if SSL_OP_NO_TLSv1
+#ifdef SSL_OP_NO_TLSv1
{
"NO_TLSv1", SSL_OP_NO_TLSv1
},
#else
{ "NO_TLSv1", 0 },
#endif
-#if SSL_OP_NO_TLSv1_1
+#ifdef SSL_OP_NO_TLSv1_1
{
"NO_TLSv1_1", SSL_OP_NO_TLSv1_1
},
#else
{ "NO_TLSv1_1", 0 },
#endif
-#if SSL_OP_NO_TLSv1_2
+#ifdef SSL_OP_NO_TLSv1_2
{
"NO_TLSv1_2", SSL_OP_NO_TLSv1_2
},
#else
{ "NO_TLSv1_2", 0 },
#endif
-#if SSL_OP_NO_TLSv1_3
+#ifdef SSL_OP_NO_TLSv1_3
{
"NO_TLSv1_3", SSL_OP_NO_TLSv1_3
},
#else
{ "NO_TLSv1_3", 0 },
#endif
-#if SSL_OP_NO_COMPRESSION
+#ifdef SSL_OP_NO_COMPRESSION
{
"No_Compression", SSL_OP_NO_COMPRESSION
},
#endif
-#if SSL_OP_NO_TICKET
+#ifdef SSL_OP_NO_TICKET
{
"NO_TICKET", SSL_OP_NO_TICKET
},
#endif
-#if SSL_OP_SINGLE_ECDH_USE
+#ifdef SSL_OP_SINGLE_ECDH_USE
{
"SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE
},
@@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions()
}
-#if SSL_OP_NO_SSLv2
+#ifdef SSL_OP_NO_SSLv2
// compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
op = op | SSL_OP_NO_SSLv2;
#endif

@ -0,0 +1,24 @@
diff --git a/src/tests/testStoreHashIndex.cc b/src/tests/testStoreHashIndex.cc
index 0564380..fcd60b9 100644
--- a/src/tests/testStoreHashIndex.cc
+++ b/src/tests/testStoreHashIndex.cc
@@ -102,6 +102,8 @@ void commonInit()
if (inited)
return;
+ inited = true;
+
Mem::Init();
Config.Store.avgObjectSize = 1024;
@@ -109,6 +111,10 @@ void commonInit()
Config.Store.objectsPerBucket = 20;
Config.Store.maxObjectSize = 2048;
+
+ Config.memShared.defaultTo(false);
+
+ Config.store_dir_select_algorithm = xstrdup("round-robin");
}
/* TODO make this a cbdata class */

@ -0,0 +1,120 @@
diff --git a/src/gopher.cc b/src/gopher.cc
index 576a3f7..2645b6b 100644
--- a/src/gopher.cc
+++ b/src/gopher.cc
@@ -364,7 +364,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
char *lpos = NULL;
char *tline = NULL;
LOCAL_ARRAY(char, line, TEMP_BUF_SIZE);
- LOCAL_ARRAY(char, tmpbuf, TEMP_BUF_SIZE);
char *name = NULL;
char *selector = NULL;
char *host = NULL;
@@ -374,7 +373,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
char gtype;
StoreEntry *entry = NULL;
- memset(tmpbuf, '\0', TEMP_BUF_SIZE);
memset(line, '\0', TEMP_BUF_SIZE);
entry = gopherState->entry;
@@ -409,7 +407,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
return;
}
- String outbuf;
+ SBuf outbuf;
if (!gopherState->HTML_header_added) {
if (gopherState->conversion == GopherStateData::HTML_CSO_RESULT)
@@ -577,34 +575,34 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
break;
}
- memset(tmpbuf, '\0', TEMP_BUF_SIZE);
-
if ((gtype == GOPHER_TELNET) || (gtype == GOPHER_3270)) {
if (strlen(escaped_selector) != 0)
- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
- icon_url, escaped_selector, rfc1738_escape_part(host),
- *port ? ":" : "", port, html_quote(name));
+ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
+ icon_url, escaped_selector, rfc1738_escape_part(host),
+ *port ? ":" : "", port, html_quote(name));
else
- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
- icon_url, rfc1738_escape_part(host), *port ? ":" : "",
- port, html_quote(name));
+ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
+ icon_url, rfc1738_escape_part(host), *port ? ":" : "",
+ port, html_quote(name));
} else if (gtype == GOPHER_INFO) {
- snprintf(tmpbuf, TEMP_BUF_SIZE, "\t%s\n", html_quote(name));
+ outbuf.appendf("\t%s\n", html_quote(name));
} else {
if (strncmp(selector, "GET /", 5) == 0) {
/* WWW link */
- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
- icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
+ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
+ icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
+ } else if (gtype == GOPHER_WWW) {
+ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
+ icon_url, rfc1738_escape_unescaped(selector), html_quote(name));
} else {
/* Standard link */
- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
- icon_url, host, gtype, escaped_selector, html_quote(name));
+ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
+ icon_url, host, gtype, escaped_selector, html_quote(name));
}
}
safe_free(escaped_selector);
- outbuf.append(tmpbuf);
} else {
memset(line, '\0', TEMP_BUF_SIZE);
continue;
@@ -637,13 +635,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
break;
if (gopherState->cso_recno != recno) {
- snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
+ outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
gopherState->cso_recno = recno;
} else {
- snprintf(tmpbuf, TEMP_BUF_SIZE, "%s\n", html_quote(result));
+ outbuf.appendf("%s\n", html_quote(result));
}
- outbuf.append(tmpbuf);
break;
} else {
int code;
@@ -671,8 +668,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
case 502: { /* Too Many Matches */
/* Print the message the server returns */
- snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
- outbuf.append(tmpbuf);
+ outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
break;
}
@@ -688,13 +684,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
} /* while loop */
- if (outbuf.size() > 0) {
- entry->append(outbuf.rawBuf(), outbuf.size());
+ if (outbuf.length() > 0) {
+ entry->append(outbuf.rawContent(), outbuf.length());
/* now let start sending stuff to client */
entry->flush();
}
- outbuf.clean();
return;
}

@ -0,0 +1,38 @@
commit 4031c6c2b004190fdffbc19dab7cd0305a2025b7 (refs/remotes/origin/v4, refs/remotes/github/v4, refs/heads/v4)
Author: Amos Jeffries <yadij@users.noreply.github.com>
Date: 2022-08-09 23:34:54 +0000
Bug 3193 pt2: NTLM decoder truncating strings (#1114)
The initial bug fix overlooked large 'offset' causing integer
wrap to extract a too-short length string.
Improve debugs and checks sequence to clarify cases and ensure
that all are handled correctly.
diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
index 5d9637290..f00fd51f8 100644
--- a/lib/ntlmauth/ntlmauth.cc
+++ b/lib/ntlmauth/ntlmauth.cc
@@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
int32_t o = le32toh(str->offset);
// debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
- if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
- debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+ if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
+ debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
return rv;
}
+ else if (o <= 0 || o > packet_size) {
+ debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+ return rv;
+ }
+ else if (l > packet_size - o) {
+ debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+ return rv;
+ }
+
rv.str = (char *)packet + o;
rv.l = 0;
if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {

@ -0,0 +1,156 @@
commit c54122584d175cf1d292b239a5b70f2d1aa77c3a
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Mon Dec 5 15:03:07 2022 +0100
Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections
diff --git a/src/comm.cc b/src/comm.cc
index b4818f3..b18d175 100644
--- a/src/comm.cc
+++ b/src/comm.cc
@@ -59,6 +59,7 @@
*/
static IOCB commHalfClosedReader;
+static int comm_openex(int sock_type, int proto, Ip::Address &, int flags, const char *note);
static void comm_init_opened(const Comm::ConnectionPointer &conn, const char *note, struct addrinfo *AI);
static int comm_apply_flags(int new_socket, Ip::Address &addr, int flags, struct addrinfo *AI);
@@ -76,6 +77,7 @@ static EVH commHalfClosedCheck;
static void commPlanHalfClosedCheck();
static Comm::Flag commBind(int s, struct addrinfo &);
+static void commSetBindAddressNoPort(int);
static void commSetReuseAddr(int);
static void commSetNoLinger(int);
#ifdef TCP_NODELAY
@@ -202,6 +204,22 @@ comm_local_port(int fd)
return F->local_addr.port();
}
+/// sets the IP_BIND_ADDRESS_NO_PORT socket option to optimize ephemeral port
+/// reuse by outgoing TCP connections that must bind(2) to a source IP address
+static void
+commSetBindAddressNoPort(const int fd)
+{
+#if defined(IP_BIND_ADDRESS_NO_PORT)
+ int flag = 1;
+ if (setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, reinterpret_cast<char*>(&flag), sizeof(flag)) < 0) {
+ const auto savedErrno = errno;
+ debugs(50, DBG_IMPORTANT, "ERROR: setsockopt(IP_BIND_ADDRESS_NO_PORT) failure: " << xstrerr(savedErrno));
+ }
+#else
+ (void)fd;
+#endif
+}
+
static Comm::Flag
commBind(int s, struct addrinfo &inaddr)
{
@@ -228,6 +246,10 @@ comm_open(int sock_type,
int flags,
const char *note)
{
+ // assume zero-port callers do not need to know the assigned port right away
+ if (sock_type == SOCK_STREAM && addr.port() == 0 && ((flags & COMM_DOBIND) || !addr.isAnyAddr()))
+ flags |= COMM_DOBIND_PORT_LATER;
+
return comm_openex(sock_type, proto, addr, flags, note);
}
@@ -329,7 +351,7 @@ comm_set_transparent(int fd)
* Create a socket. Default is blocking, stream (TCP) socket. IO_TYPE
* is OR of flags specified in defines.h:COMM_*
*/
-int
+static int
comm_openex(int sock_type,
int proto,
Ip::Address &addr,
@@ -488,6 +510,9 @@ comm_apply_flags(int new_socket,
}
}
#endif
+ if ((flags & COMM_DOBIND_PORT_LATER))
+ commSetBindAddressNoPort(new_socket);
+
if (commBind(new_socket, *AI) != Comm::OK) {
comm_close(new_socket);
return -1;
diff --git a/src/comm.h b/src/comm.h
index 5a1a7c2..a9f33db 100644
--- a/src/comm.h
+++ b/src/comm.h
@@ -43,7 +43,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc
/**
* Open a port specially bound for listening or sending through a specific port.
- * This is a wrapper providing IPv4/IPv6 failover around comm_openex().
* Please use for all listening sockets and bind() outbound sockets.
*
* It will open a socket bound for:
@@ -59,7 +58,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc
int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note);
void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note);
-int comm_openex(int, int, Ip::Address &, int, const char *);
unsigned short comm_local_port(int fd);
int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen);
diff --git a/src/comm/ConnOpener.cc b/src/comm/ConnOpener.cc
index 19c1237..79fa2ed 100644
--- a/src/comm/ConnOpener.cc
+++ b/src/comm/ConnOpener.cc
@@ -285,7 +285,7 @@ Comm::ConnOpener::createFd()
if (callback_ == NULL || callback_->canceled())
return false;
- temporaryFd_ = comm_openex(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_);
+ temporaryFd_ = comm_open(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_);
if (temporaryFd_ < 0) {
sendAnswer(Comm::ERR_CONNECT, 0, "Comm::ConnOpener::createFd");
return false;
diff --git a/src/comm/Connection.h b/src/comm/Connection.h
index 40c2249..2641f4e 100644
--- a/src/comm/Connection.h
+++ b/src/comm/Connection.h
@@ -52,6 +52,8 @@ namespace Comm
#define COMM_REUSEPORT 0x40 //< needs SO_REUSEPORT
/// not registered with Comm and not owned by any connection-closing code
#define COMM_ORPHANED 0x40
+/// Internal Comm optimization: Keep the source port unassigned until connect(2)
+#define COMM_DOBIND_PORT_LATER 0x100
/**
* Store data about the physical and logical attributes of a connection.
diff --git a/src/ipc.cc b/src/ipc.cc
index 45cab52..42e11e6 100644
--- a/src/ipc.cc
+++ b/src/ipc.cc
@@ -95,12 +95,12 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
} else void(0)
if (type == IPC_TCP_SOCKET) {
- crfd = cwfd = comm_open(SOCK_STREAM,
+ crfd = cwfd = comm_open_listener(SOCK_STREAM,
0,
local_addr,
COMM_NOCLOEXEC,
name);
- prfd = pwfd = comm_open(SOCK_STREAM,
+ prfd = pwfd = comm_open_listener(SOCK_STREAM,
0, /* protocol */
local_addr,
0, /* blocking */
diff --git a/src/tests/stub_comm.cc b/src/tests/stub_comm.cc
index a1d33d6..bf4bea6 100644
--- a/src/tests/stub_comm.cc
+++ b/src/tests/stub_comm.cc
@@ -48,7 +48,6 @@ int comm_open_uds(int sock_type, int proto, struct sockaddr_un* addr, int flags)
void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struct addrinfo *AI) STUB
int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note) STUB_RETVAL(-1)
void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note) STUB
-int comm_openex(int, int, Ip::Address &, int, tos_t tos, nfmark_t nfmark, const char *) STUB_RETVAL(-1)
unsigned short comm_local_port(int fd) STUB_RETVAL(0)
int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen) STUB_RETVAL(-1)
void commCallCloseHandlers(int fd) STUB

@ -0,0 +1,25 @@
File: squid-5.5.tar.xz
Date: Wed 13 Apr 2022 08:45:42 UTC
Size: 2565732
MD5 : 83ccc2d86ca0966e3555a3b78f5afd14
SHA1: 42302bd9b8feff851a41420334cb8eaeab2806ab
Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz>
B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E
keyring = http://www.squid-cache.org/pgp.asc
keyserver = pool.sks-keyservers.net
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAmJWjb4ACgkQzW2/jvOx
fT7t0A/9GjAdINfSP4gQyUr+Uvakz9O6fA9Jo3F30VafYimrSGm+VdGWntTsrOaP
VcsCdG3/Dvrhnqtu9+hwfKKQ61lmmUC7KVycx3whEUepQbZu5kd05csD7nwQ+AFe
7eJr0IwbRI4XdUhNW4AB52i/+hpHs/YSrSokumx5NVhwAUvT81TToUNzUjfKuXyy
U+w6GQ9kJbVW1UgFYZGZdJwCmD5Z7fNdUllKZhLj4I5GZ+5Zz5+lJP3ZBC6qavde
34hbpHbt+/lqz337eNoxwlyPNKPDiGIUEY9T4cdzA0BiLggTmlukDFErlYuHgCMX
BmQ9elJtdRaCD2YD+U1H9J+2wqt9O01gdyFU1V3RnNLZphgWur9X808rujuE46+Q
sxyV6SjeBh6Xs/I7wA9utX0pbVD+nLvna6Be49M1yAghBwTjiYN9fGC3ufj4St3k
PCvkTkBUOop3m4aBCRtUVO6w4Y/YmF71qAHIiSLe1i6xoztEDTVI0CA+vfrwwu2G
rFP5wuKsaYfBjkhQw4Jv6X30vnnOVqlxITGXcOnPXrHoD5KuYXv/Xsobqf8XsFdl
3qyXUe8lSI5idCg+Ajj9m0IqGWA50iFBs28Ca7GDacl9KApGn4O7kPLQY+7nN5cz
Nv3k8lYPh4KvRI1b2hcuoe3K63rEzty0e2vqG9zqxkpxOt20E/U=
=9xr/
-----END PGP SIGNATURE-----

@ -0,0 +1,15 @@
/var/log/squid/*.log {
weekly
rotate 5
compress
delaycompress
notifempty
missingok
nocreate
sharedscripts
postrotate
# Asks squid to reopen its logs. (logfile_rotate 0 is set in squid.conf)
# errors redirected to make it silent if squid is not running
/usr/sbin/squid -k rotate 2>/dev/null
endscript
}

@ -0,0 +1,7 @@
#!/bin/sh
case "$2" in
up|down|vpn-up|vpn-down)
/usr/bin/systemctl -q reload squid.service || :
;;
esac

@ -0,0 +1,3 @@
#%PAM-1.0
auth include password-auth
account include password-auth

@ -0,0 +1,18 @@
[Unit]
Description=Squid caching proxy
Documentation=man:squid(8)
After=network.target network-online.target nss-lookup.target
[Service]
Type=notify
LimitNOFILE=16384
PIDFile=/run/squid.pid
EnvironmentFile=/etc/sysconfig/squid
ExecStartPre=/usr/libexec/squid/cache_swap.sh
ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF}
ExecReload=/usr/bin/kill -HUP $MAINPID
KillMode=mixed
NotifyAccess=all
[Install]
WantedBy=multi-user.target

@ -0,0 +1,5 @@
# default squid options
SQUID_OPTS=""
# default squid conf file
SQUID_CONF="/etc/squid/squid.conf"

@ -0,0 +1,2 @@
g squid 23 -
u squid 23 "Squid proxy user" /var/spool/squid /sbin/nologin

File diff suppressed because it is too large Load Diff
Loading…
Cancel
Save