Compare commits
No commits in common. 'c9' and 'c8-beta-stream-4' have entirely different histories.
c9
...
c8-beta-st
@ -1,2 +1 @@
|
|||||||
SOURCES/pgp.asc
|
SOURCES/squid-4.15.tar.xz
|
||||||
SOURCES/squid-5.5.tar.xz
|
|
||||||
|
@ -1,2 +1 @@
|
|||||||
8e3de63f3bef0c9c4edbcfe000c567119f687143 SOURCES/pgp.asc
|
60bda34ba39657e2d870c8c1d2acece8a69c3075 SOURCES/squid-4.15.tar.xz
|
||||||
42302bd9b8feff851a41420334cb8eaeab2806ab SOURCES/squid-5.5.tar.xz
|
|
||||||
|
@ -1,95 +0,0 @@
|
|||||||
------------------------------------------------------------
|
|
||||||
revno: 14311
|
|
||||||
revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
|
|
||||||
parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
|
|
||||||
------------------------------------------------------------
|
|
||||||
revno: 14311
|
|
||||||
revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
|
|
||||||
parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
|
|
||||||
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
|
|
||||||
author: Francesco Chemolli <kinkie@squid-cache.org>
|
|
||||||
committer: Amos Jeffries <squid3@treenet.co.nz>
|
|
||||||
branch nick: trunk
|
|
||||||
timestamp: Thu 2015-09-24 06:05:37 -0700
|
|
||||||
message:
|
|
||||||
Bug 4323: Netfilter broken cross-includes with Linux 4.2
|
|
||||||
------------------------------------------------------------
|
|
||||||
# Bazaar merge directive format 2 (Bazaar 0.90)
|
|
||||||
# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
|
|
||||||
# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
|
|
||||||
# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
|
|
||||||
# timestamp: 2015-09-24 13:06:33 +0000
|
|
||||||
# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
|
|
||||||
# base_revision_id: squid3@treenet.co.nz-20150924032241-\
|
|
||||||
# 6cx3g6hwz9xfoybr
|
|
||||||
#
|
|
||||||
# Begin patch
|
|
||||||
=== modified file 'compat/os/linux.h'
|
|
||||||
--- compat/os/linux.h 2015-01-13 07:25:36 +0000
|
|
||||||
+++ compat/os/linux.h 2015-09-24 13:05:37 +0000
|
|
||||||
@@ -30,6 +30,21 @@
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
+ * Netfilter header madness. (see Bug 4323)
|
|
||||||
+ *
|
|
||||||
+ * Netfilter have a history of defining their own versions of network protocol
|
|
||||||
+ * primitives without sufficient protection against the POSIX defines which are
|
|
||||||
+ * aways present in Linux.
|
|
||||||
+ *
|
|
||||||
+ * netinet/in.h must be included before any other sys header in order to properly
|
|
||||||
+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
|
|
||||||
+ * to workaround it.
|
|
||||||
+ */
|
|
||||||
+#if HAVE_NETINET_IN_H
|
|
||||||
+#include <netinet/in.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
* sys/capability.h is only needed in Linux apparently.
|
|
||||||
*
|
|
||||||
* HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
|
|
||||||
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
|
|
||||||
author: Francesco Chemolli <kinkie@squid-cache.org>
|
|
||||||
committer: Amos Jeffries <squid3@treenet.co.nz>
|
|
||||||
branch nick: trunk
|
|
||||||
timestamp: Thu 2015-09-24 06:05:37 -0700
|
|
||||||
message:
|
|
||||||
Bug 4323: Netfilter broken cross-includes with Linux 4.2
|
|
||||||
------------------------------------------------------------
|
|
||||||
# Bazaar merge directive format 2 (Bazaar 0.90)
|
|
||||||
# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
|
|
||||||
# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
|
|
||||||
# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
|
|
||||||
# timestamp: 2015-09-24 13:06:33 +0000
|
|
||||||
# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
|
|
||||||
# base_revision_id: squid3@treenet.co.nz-20150924032241-\
|
|
||||||
# 6cx3g6hwz9xfoybr
|
|
||||||
#
|
|
||||||
# Begin patch
|
|
||||||
=== modified file 'compat/os/linux.h'
|
|
||||||
--- compat/os/linux.h 2015-01-13 07:25:36 +0000
|
|
||||||
+++ compat/os/linux.h 2015-09-24 13:05:37 +0000
|
|
||||||
@@ -30,6 +30,21 @@
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
+ * Netfilter header madness. (see Bug 4323)
|
|
||||||
+ *
|
|
||||||
+ * Netfilter have a history of defining their own versions of network protocol
|
|
||||||
+ * primitives without sufficient protection against the POSIX defines which are
|
|
||||||
+ * aways present in Linux.
|
|
||||||
+ *
|
|
||||||
+ * netinet/in.h must be included before any other sys header in order to properly
|
|
||||||
+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
|
|
||||||
+ * to workaround it.
|
|
||||||
+ */
|
|
||||||
+#if HAVE_NETINET_IN_H
|
|
||||||
+#include <netinet/in.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
* sys/capability.h is only needed in Linux apparently.
|
|
||||||
*
|
|
||||||
* HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
|
|
||||||
|
|
@ -0,0 +1,143 @@
|
|||||||
|
From 771908d313ee9c255adfb5e4fdba4d6797c18409 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Amos Jeffries <yadij@users.noreply.github.com>
|
||||||
|
Date: Thu, 7 Mar 2019 13:50:38 +0000
|
||||||
|
Subject: [PATCH] Bug 4928: Cannot convert non-IPv4 to IPv4 (#379)
|
||||||
|
|
||||||
|
... when reaching client_ip_max_connections
|
||||||
|
|
||||||
|
The client_ip_max_connections limit is checked before the TCP dst-IP is located for the newly received TCP connection. This leaves Squid unable to fetch the NFMARK or similar
|
||||||
|
details later on (they do not exist for [::]).
|
||||||
|
|
||||||
|
Move client_ip_max_connections test later in the TCP accept process to ensure dst-IP is known when the error is produced.
|
||||||
|
---
|
||||||
|
src/comm/TcpAcceptor.cc | 82 ++++++++++++++++++++---------------------
|
||||||
|
1 file changed, 39 insertions(+), 43 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/comm/TcpAcceptor.cc b/src/comm/TcpAcceptor.cc
|
||||||
|
index d4b576d..936aa30 100644
|
||||||
|
--- a/src/comm/TcpAcceptor.cc
|
||||||
|
+++ b/src/comm/TcpAcceptor.cc
|
||||||
|
@@ -282,7 +282,16 @@ Comm::TcpAcceptor::acceptOne()
|
||||||
|
ConnectionPointer newConnDetails = new Connection();
|
||||||
|
const Comm::Flag flag = oldAccept(newConnDetails);
|
||||||
|
|
||||||
|
- if (flag == Comm::COMM_ERROR) {
|
||||||
|
+ /* Check for errors */
|
||||||
|
+ if (!newConnDetails->isOpen()) {
|
||||||
|
+
|
||||||
|
+ if (flag == Comm::NOMESSAGE) {
|
||||||
|
+ /* register interest again */
|
||||||
|
+ debugs(5, 5, HERE << "try later: " << conn << " handler Subscription: " << theCallSub);
|
||||||
|
+ SetSelect(conn->fd, COMM_SELECT_READ, doAccept, this, 0);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
// A non-recoverable error; notify the caller */
|
||||||
|
debugs(5, 5, HERE << "non-recoverable error:" << status() << " handler Subscription: " << theCallSub);
|
||||||
|
if (intendedForUserConnections())
|
||||||
|
@@ -292,16 +301,12 @@ Comm::TcpAcceptor::acceptOne()
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (flag == Comm::NOMESSAGE) {
|
||||||
|
- /* register interest again */
|
||||||
|
- debugs(5, 5, "try later: " << conn << " handler Subscription: " << theCallSub);
|
||||||
|
- } else {
|
||||||
|
- debugs(5, 5, "Listener: " << conn <<
|
||||||
|
- " accepted new connection " << newConnDetails <<
|
||||||
|
- " handler Subscription: " << theCallSub);
|
||||||
|
- notify(flag, newConnDetails);
|
||||||
|
- }
|
||||||
|
+ newConnDetails->nfmark = Ip::Qos::getNfmarkFromConnection(newConnDetails, Ip::Qos::dirAccepted);
|
||||||
|
|
||||||
|
+ debugs(5, 5, HERE << "Listener: " << conn <<
|
||||||
|
+ " accepted new connection " << newConnDetails <<
|
||||||
|
+ " handler Subscription: " << theCallSub);
|
||||||
|
+ notify(flag, newConnDetails);
|
||||||
|
SetSelect(conn->fd, COMM_SELECT_READ, doAccept, this, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -341,8 +346,8 @@ Comm::TcpAcceptor::notify(const Comm::Flag flag, const Comm::ConnectionPointer &
|
||||||
|
*
|
||||||
|
* \retval Comm::OK success. details parameter filled.
|
||||||
|
* \retval Comm::NOMESSAGE attempted accept() but nothing useful came in.
|
||||||
|
- * Or this client has too many connections already.
|
||||||
|
* \retval Comm::COMM_ERROR an outright failure occurred.
|
||||||
|
+ * Or this client has too many connections already.
|
||||||
|
*/
|
||||||
|
Comm::Flag
|
||||||
|
Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
|
||||||
|
@@ -383,6 +388,15 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
|
||||||
|
|
||||||
|
details->remote = *gai;
|
||||||
|
|
||||||
|
+ if ( Config.client_ip_max_connections >= 0) {
|
||||||
|
+ if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) {
|
||||||
|
+ debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections.");
|
||||||
|
+ Ip::Address::FreeAddr(gai);
|
||||||
|
+ PROF_stop(comm_accept);
|
||||||
|
+ return Comm::COMM_ERROR;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
// lookup the local-end details of this new connection
|
||||||
|
Ip::Address::InitAddr(gai);
|
||||||
|
details->local.setEmpty();
|
||||||
|
@@ -396,6 +410,23 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
|
||||||
|
details->local = *gai;
|
||||||
|
Ip::Address::FreeAddr(gai);
|
||||||
|
|
||||||
|
+ /* fdstat update */
|
||||||
|
+ fdd_table[sock].close_file = NULL;
|
||||||
|
+ fdd_table[sock].close_line = 0;
|
||||||
|
+
|
||||||
|
+ fde *F = &fd_table[sock];
|
||||||
|
+ details->remote.toStr(F->ipaddr,MAX_IPSTRLEN);
|
||||||
|
+ F->remote_port = details->remote.port();
|
||||||
|
+ F->local_addr = details->local;
|
||||||
|
+ F->sock_family = details->local.isIPv6()?AF_INET6:AF_INET;
|
||||||
|
+
|
||||||
|
+ // set socket flags
|
||||||
|
+ commSetCloseOnExec(sock);
|
||||||
|
+ commSetNonBlocking(sock);
|
||||||
|
+
|
||||||
|
+ /* IFF the socket is (tproxy) transparent, pass the flag down to allow spoofing */
|
||||||
|
+ F->flags.transparent = fd_table[conn->fd].flags.transparent; // XXX: can we remove this line yet?
|
||||||
|
+
|
||||||
|
// Perform NAT or TPROXY operations to retrieve the real client/dest IP addresses
|
||||||
|
if (conn->flags&(COMM_TRANSPARENT|COMM_INTERCEPTION) && !Ip::Interceptor.Lookup(details, conn)) {
|
||||||
|
debugs(50, DBG_IMPORTANT, "ERROR: NAT/TPROXY lookup failed to locate original IPs on " << details);
|
||||||
|
@@ -414,33 +445,6 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- details->nfmark = Ip::Qos::getNfmarkFromConnection(details, Ip::Qos::dirAccepted);
|
||||||
|
-
|
||||||
|
- if (Config.client_ip_max_connections >= 0) {
|
||||||
|
- if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) {
|
||||||
|
- debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections.");
|
||||||
|
- PROF_stop(comm_accept);
|
||||||
|
- return Comm::NOMESSAGE;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* fdstat update */
|
||||||
|
- fdd_table[sock].close_file = NULL;
|
||||||
|
- fdd_table[sock].close_line = 0;
|
||||||
|
-
|
||||||
|
- fde *F = &fd_table[sock];
|
||||||
|
- details->remote.toStr(F->ipaddr,MAX_IPSTRLEN);
|
||||||
|
- F->remote_port = details->remote.port();
|
||||||
|
- F->local_addr = details->local;
|
||||||
|
- F->sock_family = details->local.isIPv6()?AF_INET6:AF_INET;
|
||||||
|
-
|
||||||
|
- // set socket flags
|
||||||
|
- commSetCloseOnExec(sock);
|
||||||
|
- commSetNonBlocking(sock);
|
||||||
|
-
|
||||||
|
- /* IFF the socket is (tproxy) transparent, pass the flag down to allow spoofing */
|
||||||
|
- F->flags.transparent = fd_table[conn->fd].flags.transparent; // XXX: can we remove this line yet?
|
||||||
|
-
|
||||||
|
PROF_stop(comm_accept);
|
||||||
|
return Comm::OK;
|
||||||
|
}
|
@ -0,0 +1,41 @@
|
|||||||
|
diff --git a/compat/os/linux.h b/compat/os/linux.h
|
||||||
|
index 0ff05c6..d51389b 100644
|
||||||
|
--- a/compat/os/linux.h
|
||||||
|
+++ b/compat/os/linux.h
|
||||||
|
@@ -44,6 +44,36 @@
|
||||||
|
#include <netinet/in.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Netfilter header madness. (see Bug 4323)
|
||||||
|
+ *
|
||||||
|
+ * Netfilter have a history of defining their own versions of network protocol
|
||||||
|
+ * primitives without sufficient protection against the POSIX defines which are
|
||||||
|
+ * aways present in Linux.
|
||||||
|
+ *
|
||||||
|
+ * netinet/in.h must be included before any other sys header in order to properly
|
||||||
|
+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
|
||||||
|
+ * to workaround it.
|
||||||
|
+ */
|
||||||
|
+#if HAVE_NETINET_IN_H
|
||||||
|
+#include <netinet/in.h>
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Netfilter header madness. (see Bug 4323)
|
||||||
|
+ *
|
||||||
|
+ * Netfilter have a history of defining their own versions of network protocol
|
||||||
|
+ * primitives without sufficient protection against the POSIX defines which are
|
||||||
|
+ * aways present in Linux.
|
||||||
|
+ *
|
||||||
|
+ * netinet/in.h must be included before any other sys header in order to properly
|
||||||
|
+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
|
||||||
|
+ * to workaround it.
|
||||||
|
+ */
|
||||||
|
+#if HAVE_NETINET_IN_H
|
||||||
|
+#include <netinet/in.h>
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* sys/capability.h is only needed in Linux apparently.
|
||||||
|
*
|
@ -0,0 +1,178 @@
|
|||||||
|
diff --git a/src/acl/RegexData.cc b/src/acl/RegexData.cc
|
||||||
|
index 01a4c12..b5c1679 100644
|
||||||
|
--- a/src/acl/RegexData.cc
|
||||||
|
+++ b/src/acl/RegexData.cc
|
||||||
|
@@ -22,6 +22,7 @@
|
||||||
|
#include "ConfigParser.h"
|
||||||
|
#include "Debug.h"
|
||||||
|
#include "sbuf/List.h"
|
||||||
|
+#include "sbuf/Algorithms.h"
|
||||||
|
|
||||||
|
ACLRegexData::~ACLRegexData()
|
||||||
|
{
|
||||||
|
@@ -129,6 +130,18 @@ compileRE(std::list<RegexPattern> &curlist, const char * RE, int flags)
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static bool
|
||||||
|
+compileRE(std::list<RegexPattern> &curlist, const SBufList &RE, int flags)
|
||||||
|
+{
|
||||||
|
+ if (RE.empty())
|
||||||
|
+ return curlist.empty(); // XXX: old code did this. It looks wrong.
|
||||||
|
+ SBuf regexp;
|
||||||
|
+ static const SBuf openparen("("), closeparen(")"), separator(")|(");
|
||||||
|
+ JoinContainerIntoSBuf(regexp, RE.begin(), RE.end(), separator, openparen,
|
||||||
|
+ closeparen);
|
||||||
|
+ return compileRE(curlist, regexp.c_str(), flags);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/** Compose and compile one large RE from a set of (small) REs.
|
||||||
|
* The ultimate goal is to have only one RE per ACL so that match() is
|
||||||
|
* called only once per ACL.
|
||||||
|
@@ -137,16 +150,11 @@ static int
|
||||||
|
compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
|
||||||
|
{
|
||||||
|
std::list<RegexPattern> newlist;
|
||||||
|
- int numREs = 0;
|
||||||
|
+ SBufList accumulatedRE;
|
||||||
|
+ int numREs = 0, reSize = 0;
|
||||||
|
int flags = REG_EXTENDED | REG_NOSUB;
|
||||||
|
- int largeREindex = 0;
|
||||||
|
- char largeRE[BUFSIZ];
|
||||||
|
- *largeRE = 0;
|
||||||
|
|
||||||
|
for (const SBuf & configurationLineWord : sl) {
|
||||||
|
- int RElen;
|
||||||
|
- RElen = configurationLineWord.length();
|
||||||
|
-
|
||||||
|
static const SBuf minus_i("-i");
|
||||||
|
static const SBuf plus_i("+i");
|
||||||
|
if (configurationLineWord == minus_i) {
|
||||||
|
@@ -155,10 +163,11 @@ compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
|
||||||
|
debugs(28, 2, "optimisation of -i ... -i" );
|
||||||
|
} else {
|
||||||
|
debugs(28, 2, "-i" );
|
||||||
|
- if (!compileRE(newlist, largeRE, flags))
|
||||||
|
+ if (!compileRE(newlist, accumulatedRE, flags))
|
||||||
|
return 0;
|
||||||
|
flags |= REG_ICASE;
|
||||||
|
- largeRE[largeREindex=0] = '\0';
|
||||||
|
+ accumulatedRE.clear();
|
||||||
|
+ reSize = 0;
|
||||||
|
}
|
||||||
|
} else if (configurationLineWord == plus_i) {
|
||||||
|
if ((flags & REG_ICASE) == 0) {
|
||||||
|
@@ -166,37 +175,34 @@ compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
|
||||||
|
debugs(28, 2, "optimisation of +i ... +i");
|
||||||
|
} else {
|
||||||
|
debugs(28, 2, "+i");
|
||||||
|
- if (!compileRE(newlist, largeRE, flags))
|
||||||
|
+ if (!compileRE(newlist, accumulatedRE, flags))
|
||||||
|
return 0;
|
||||||
|
flags &= ~REG_ICASE;
|
||||||
|
- largeRE[largeREindex=0] = '\0';
|
||||||
|
+ accumulatedRE.clear();
|
||||||
|
+ reSize = 0;
|
||||||
|
}
|
||||||
|
- } else if (RElen + largeREindex + 3 < BUFSIZ-1) {
|
||||||
|
+ } else if (reSize < 1024) {
|
||||||
|
debugs(28, 2, "adding RE '" << configurationLineWord << "'");
|
||||||
|
- if (largeREindex > 0) {
|
||||||
|
- largeRE[largeREindex] = '|';
|
||||||
|
- ++largeREindex;
|
||||||
|
- }
|
||||||
|
- largeRE[largeREindex] = '(';
|
||||||
|
- ++largeREindex;
|
||||||
|
- configurationLineWord.copy(largeRE+largeREindex, BUFSIZ-largeREindex);
|
||||||
|
- largeREindex += configurationLineWord.length();
|
||||||
|
- largeRE[largeREindex] = ')';
|
||||||
|
- ++largeREindex;
|
||||||
|
- largeRE[largeREindex] = '\0';
|
||||||
|
+ accumulatedRE.push_back(configurationLineWord);
|
||||||
|
++numREs;
|
||||||
|
+ reSize += configurationLineWord.length();
|
||||||
|
} else {
|
||||||
|
debugs(28, 2, "buffer full, generating new optimised RE..." );
|
||||||
|
- if (!compileRE(newlist, largeRE, flags))
|
||||||
|
+ accumulatedRE.push_back(configurationLineWord);
|
||||||
|
+ if (!compileRE(newlist, accumulatedRE, flags))
|
||||||
|
return 0;
|
||||||
|
- largeRE[largeREindex=0] = '\0';
|
||||||
|
+ accumulatedRE.clear();
|
||||||
|
+ reSize = 0;
|
||||||
|
continue; /* do the loop again to add the RE to largeRE */
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (!compileRE(newlist, largeRE, flags))
|
||||||
|
+ if (!compileRE(newlist, accumulatedRE, flags))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
+ accumulatedRE.clear();
|
||||||
|
+ reSize = 0;
|
||||||
|
+
|
||||||
|
/* all was successful, so put the new list at the tail */
|
||||||
|
curlist.splice(curlist.end(), newlist);
|
||||||
|
|
||||||
|
diff --git a/src/sbuf/Algorithms.h b/src/sbuf/Algorithms.h
|
||||||
|
index 21ee889..338e9c0 100644
|
||||||
|
--- a/src/sbuf/Algorithms.h
|
||||||
|
+++ b/src/sbuf/Algorithms.h
|
||||||
|
@@ -81,6 +81,57 @@ SBufContainerJoin(const Container &items, const SBuf& separator)
|
||||||
|
return rv;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/** Join container of SBufs and append to supplied target
|
||||||
|
+ *
|
||||||
|
+ * append to the target SBuf all elements in the [begin,end) range from
|
||||||
|
+ * an iterable container, prefixed by prefix, separated by separator and
|
||||||
|
+ * followed by suffix. Prefix and suffix are added also in case of empty
|
||||||
|
+ * iterable
|
||||||
|
+ *
|
||||||
|
+ * \return the modified dest
|
||||||
|
+ */
|
||||||
|
+template <class ContainerIterator>
|
||||||
|
+SBuf&
|
||||||
|
+JoinContainerIntoSBuf(SBuf &dest, const ContainerIterator &begin,
|
||||||
|
+ const ContainerIterator &end, const SBuf& separator,
|
||||||
|
+ const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf())
|
||||||
|
+{
|
||||||
|
+ if (begin == end) {
|
||||||
|
+ dest.append(prefix).append(suffix);
|
||||||
|
+ return dest;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // optimization: pre-calculate needed storage
|
||||||
|
+ const SBuf::size_type totalContainerSize =
|
||||||
|
+ std::accumulate(begin, end, 0, SBufAddLength(separator)) +
|
||||||
|
+ dest.length() + prefix.length() + suffix.length();
|
||||||
|
+ SBufReservationRequirements req;
|
||||||
|
+ req.minSpace = totalContainerSize;
|
||||||
|
+ dest.reserve(req);
|
||||||
|
+
|
||||||
|
+ auto i = begin;
|
||||||
|
+ dest.append(prefix);
|
||||||
|
+ dest.append(*i);
|
||||||
|
+ ++i;
|
||||||
|
+ for (; i != end; ++i)
|
||||||
|
+ dest.append(separator).append(*i);
|
||||||
|
+ dest.append(suffix);
|
||||||
|
+ return dest;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+/// convenience wrapper of JoinContainerIntoSBuf with no caller-supplied SBuf
|
||||||
|
+template <class ContainerIterator>
|
||||||
|
+SBuf
|
||||||
|
+JoinContainerToSBuf(const ContainerIterator &begin,
|
||||||
|
+ const ContainerIterator &end, const SBuf& separator,
|
||||||
|
+ const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf())
|
||||||
|
+{
|
||||||
|
+ SBuf rv;
|
||||||
|
+ return JoinContainerIntoSBuf(rv, begin, end, separator, prefix, suffix);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
namespace std {
|
||||||
|
/// default hash functor to support std::unordered_map<SBuf,*>
|
||||||
|
template <>
|
@ -1,10 +1,10 @@
|
|||||||
diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl
|
diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl
|
||||||
index 4cb0480..4b89910 100755
|
index 90ac6a4..8dbed90 100755
|
||||||
--- a/contrib/url-normalizer.pl
|
--- a/contrib/url-normalizer.pl
|
||||||
+++ b/contrib/url-normalizer.pl
|
+++ b/contrib/url-normalizer.pl
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
-#!/usr/local/bin/perl -Tw
|
-#!/usr/local/bin/perl -Tw
|
||||||
+#!/usr/bin/perl -Tw
|
+#!/usr/bin/perl -Tw
|
||||||
#
|
#
|
||||||
# * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
|
# * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
|
||||||
# *
|
# *
|
@ -0,0 +1,424 @@
|
|||||||
|
commit b003a0da7865caa25b5d1e70c79329b32409b02a (HEAD -> refs/heads/v4, refs/remotes/origin/v4)
|
||||||
|
Author: Amos Jeffries <yadij@users.noreply.github.com>
|
||||||
|
Date: 2021-09-24 21:53:11 +0000
|
||||||
|
|
||||||
|
WCCP: Validate packets better (#899)
|
||||||
|
|
||||||
|
Update WCCP to support exception based error handling for
|
||||||
|
parsing and processing we are moving Squid to for protocol
|
||||||
|
handling.
|
||||||
|
|
||||||
|
Update the main WCCPv2 parsing checks to throw meaningful
|
||||||
|
exceptions when detected.
|
||||||
|
|
||||||
|
diff --git a/src/wccp2.cc b/src/wccp2.cc
|
||||||
|
index ee592449c..6ef469e91 100644
|
||||||
|
--- a/src/wccp2.cc
|
||||||
|
+++ b/src/wccp2.cc
|
||||||
|
@@ -1108,6 +1108,59 @@ wccp2ConnectionClose(void)
|
||||||
|
* Functions for handling the requests.
|
||||||
|
*/
|
||||||
|
|
||||||
|
+/// Checks that the given area section ends inside the given (whole) area.
|
||||||
|
+/// \param error the message to throw when the section does not fit
|
||||||
|
+static void
|
||||||
|
+CheckSectionLength(const void *sectionStart, const size_t sectionLength, const void *wholeStart, const size_t wholeSize, const char *error)
|
||||||
|
+{
|
||||||
|
+ assert(sectionStart);
|
||||||
|
+ assert(wholeStart);
|
||||||
|
+
|
||||||
|
+ const auto wholeEnd = static_cast<const char*>(wholeStart) + wholeSize;
|
||||||
|
+ assert(sectionStart >= wholeStart && "we never go backwards");
|
||||||
|
+ assert(sectionStart <= wholeEnd && "we never go beyond our whole (but zero-sized fields are OK)");
|
||||||
|
+ static_assert(sizeof(wccp2_i_see_you_t) <= PTRDIFF_MAX, "paranoid: no UB when subtracting in-whole pointers");
|
||||||
|
+ // subtraction safe due to the three assertions above
|
||||||
|
+ const auto remainderDiff = wholeEnd - static_cast<const char*>(sectionStart);
|
||||||
|
+
|
||||||
|
+ // casting safe due to the assertions above (and size_t definition)
|
||||||
|
+ assert(remainderDiff >= 0);
|
||||||
|
+ const auto remainderSize = static_cast<size_t>(remainderDiff);
|
||||||
|
+
|
||||||
|
+ if (sectionLength <= remainderSize)
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
+ throw TextException(error, Here());
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/// Checks that the area contains at least dataLength bytes after the header.
|
||||||
|
+/// The size of the field header itself is not included in dataLength.
|
||||||
|
+/// \returns the total field size -- the field header and field data combined
|
||||||
|
+template<class FieldHeader>
|
||||||
|
+static size_t
|
||||||
|
+CheckFieldDataLength(const FieldHeader *header, const size_t dataLength, const void *areaStart, const size_t areaSize, const char *error)
|
||||||
|
+{
|
||||||
|
+ assert(header);
|
||||||
|
+ const auto dataStart = reinterpret_cast<const char*>(header) + sizeof(header);
|
||||||
|
+ CheckSectionLength(dataStart, dataLength, areaStart, areaSize, error);
|
||||||
|
+ return sizeof(header) + dataLength; // no overflow after CheckSectionLength()
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/// Positions the given field at a given start within a given packet area.
|
||||||
|
+/// The Field type determines the correct field size (used for bounds checking).
|
||||||
|
+/// \param field the field pointer the function should set
|
||||||
|
+/// \param areaStart the start of a packet (sub)structure containing the field
|
||||||
|
+/// \param areaSize the size of the packet (sub)structure starting at areaStart
|
||||||
|
+/// \param fieldStart the start of a field within the given area
|
||||||
|
+/// \param error the message to throw when the field does not fit the area
|
||||||
|
+template<class Field>
|
||||||
|
+static void
|
||||||
|
+SetField(Field *&field, const void *fieldStart, const void *areaStart, const size_t areaSize, const char *error)
|
||||||
|
+{
|
||||||
|
+ CheckSectionLength(fieldStart, sizeof(Field), areaStart, areaSize, error);
|
||||||
|
+ field = static_cast<Field*>(const_cast<void*>(fieldStart));
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Accept the UDP packet
|
||||||
|
*/
|
||||||
|
@@ -1124,8 +1177,6 @@ wccp2HandleUdp(int sock, void *)
|
||||||
|
|
||||||
|
/* These structs form the parts of the packet */
|
||||||
|
|
||||||
|
- struct wccp2_item_header_t *header = NULL;
|
||||||
|
-
|
||||||
|
struct wccp2_security_none_t *security_info = NULL;
|
||||||
|
|
||||||
|
struct wccp2_service_info_t *service_info = NULL;
|
||||||
|
@@ -1141,14 +1192,13 @@ wccp2HandleUdp(int sock, void *)
|
||||||
|
struct wccp2_cache_identity_info_t *cache_identity = NULL;
|
||||||
|
|
||||||
|
struct wccp2_capability_info_header_t *router_capability_header = NULL;
|
||||||
|
+ char *router_capability_data_start = nullptr;
|
||||||
|
|
||||||
|
struct wccp2_capability_element_t *router_capability_element;
|
||||||
|
|
||||||
|
struct sockaddr_in from;
|
||||||
|
|
||||||
|
struct in_addr cache_address;
|
||||||
|
- int len, found;
|
||||||
|
- short int data_length, offset;
|
||||||
|
uint32_t tmp;
|
||||||
|
char *ptr;
|
||||||
|
int num_caches;
|
||||||
|
@@ -1161,20 +1211,18 @@ wccp2HandleUdp(int sock, void *)
|
||||||
|
Ip::Address from_tmp;
|
||||||
|
from_tmp.setIPv4();
|
||||||
|
|
||||||
|
- len = comm_udp_recvfrom(sock,
|
||||||
|
- &wccp2_i_see_you,
|
||||||
|
- WCCP_RESPONSE_SIZE,
|
||||||
|
- 0,
|
||||||
|
- from_tmp);
|
||||||
|
+ const auto lenOrError = comm_udp_recvfrom(sock, &wccp2_i_see_you, WCCP_RESPONSE_SIZE, 0, from_tmp);
|
||||||
|
|
||||||
|
- if (len < 0)
|
||||||
|
+ if (lenOrError < 0)
|
||||||
|
return;
|
||||||
|
+ const auto len = static_cast<size_t>(lenOrError);
|
||||||
|
|
||||||
|
- if (ntohs(wccp2_i_see_you.version) != WCCP2_VERSION)
|
||||||
|
- return;
|
||||||
|
-
|
||||||
|
- if (ntohl(wccp2_i_see_you.type) != WCCP2_I_SEE_YOU)
|
||||||
|
- return;
|
||||||
|
+ try {
|
||||||
|
+ // TODO: Remove wccp2_i_see_you.data and use a buffer to read messages.
|
||||||
|
+ const auto message_header_size = sizeof(wccp2_i_see_you) - sizeof(wccp2_i_see_you.data);
|
||||||
|
+ Must2(len >= message_header_size, "incomplete WCCP message header");
|
||||||
|
+ Must2(ntohs(wccp2_i_see_you.version) == WCCP2_VERSION, "WCCP version unsupported");
|
||||||
|
+ Must2(ntohl(wccp2_i_see_you.type) == WCCP2_I_SEE_YOU, "WCCP packet type unsupported");
|
||||||
|
|
||||||
|
/* FIXME INET6 : drop conversion boundary */
|
||||||
|
from_tmp.getSockAddr(from);
|
||||||
|
@@ -1182,73 +1230,60 @@ wccp2HandleUdp(int sock, void *)
|
||||||
|
debugs(80, 3, "Incoming WCCPv2 I_SEE_YOU length " << ntohs(wccp2_i_see_you.length) << ".");
|
||||||
|
|
||||||
|
/* Record the total data length */
|
||||||
|
- data_length = ntohs(wccp2_i_see_you.length);
|
||||||
|
+ const auto data_length = ntohs(wccp2_i_see_you.length);
|
||||||
|
+ Must2(data_length <= len - message_header_size,
|
||||||
|
+ "malformed packet claiming it's bigger than received data");
|
||||||
|
|
||||||
|
- offset = 0;
|
||||||
|
-
|
||||||
|
- if (data_length > len) {
|
||||||
|
- debugs(80, DBG_IMPORTANT, "ERROR: Malformed WCCPv2 packet claiming it's bigger than received data");
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
+ size_t offset = 0;
|
||||||
|
|
||||||
|
/* Go through the data structure */
|
||||||
|
- while (data_length > offset) {
|
||||||
|
+ while (offset + sizeof(struct wccp2_item_header_t) <= data_length) {
|
||||||
|
|
||||||
|
char *data = wccp2_i_see_you.data;
|
||||||
|
|
||||||
|
- header = (struct wccp2_item_header_t *) &data[offset];
|
||||||
|
+ const auto itemHeader = reinterpret_cast<const wccp2_item_header_t*>(&data[offset]);
|
||||||
|
+ const auto itemSize = CheckFieldDataLength(itemHeader, ntohs(itemHeader->length),
|
||||||
|
+ data, data_length, "truncated record");
|
||||||
|
+ // XXX: Check "The specified length must be a multiple of 4 octets"
|
||||||
|
+ // requirement to avoid unaligned memory reads after the first item.
|
||||||
|
|
||||||
|
- switch (ntohs(header->type)) {
|
||||||
|
+ switch (ntohs(itemHeader->type)) {
|
||||||
|
|
||||||
|
case WCCP2_SECURITY_INFO:
|
||||||
|
-
|
||||||
|
- if (security_info != NULL) {
|
||||||
|
- debugs(80, DBG_IMPORTANT, "Duplicate security definition");
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- security_info = (struct wccp2_security_none_t *) &wccp2_i_see_you.data[offset];
|
||||||
|
+ Must2(!security_info, "duplicate security definition");
|
||||||
|
+ SetField(security_info, itemHeader, itemHeader, itemSize,
|
||||||
|
+ "security definition truncated");
|
||||||
|
break;
|
||||||
|
|
||||||
|
case WCCP2_SERVICE_INFO:
|
||||||
|
-
|
||||||
|
- if (service_info != NULL) {
|
||||||
|
- debugs(80, DBG_IMPORTANT, "Duplicate service_info definition");
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- service_info = (struct wccp2_service_info_t *) &wccp2_i_see_you.data[offset];
|
||||||
|
+ Must2(!service_info, "duplicate service_info definition");
|
||||||
|
+ SetField(service_info, itemHeader, itemHeader, itemSize,
|
||||||
|
+ "service_info definition truncated");
|
||||||
|
break;
|
||||||
|
|
||||||
|
case WCCP2_ROUTER_ID_INFO:
|
||||||
|
-
|
||||||
|
- if (router_identity_info != NULL) {
|
||||||
|
- debugs(80, DBG_IMPORTANT, "Duplicate router_identity_info definition");
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- router_identity_info = (struct router_identity_info_t *) &wccp2_i_see_you.data[offset];
|
||||||
|
+ Must2(!router_identity_info, "duplicate router_identity_info definition");
|
||||||
|
+ SetField(router_identity_info, itemHeader, itemHeader, itemSize,
|
||||||
|
+ "router_identity_info definition truncated");
|
||||||
|
break;
|
||||||
|
|
||||||
|
case WCCP2_RTR_VIEW_INFO:
|
||||||
|
-
|
||||||
|
- if (router_view_header != NULL) {
|
||||||
|
- debugs(80, DBG_IMPORTANT, "Duplicate router_view definition");
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- router_view_header = (struct router_view_t *) &wccp2_i_see_you.data[offset];
|
||||||
|
+ Must2(!router_view_header, "duplicate router_view definition");
|
||||||
|
+ SetField(router_view_header, itemHeader, itemHeader, itemSize,
|
||||||
|
+ "router_view definition truncated");
|
||||||
|
break;
|
||||||
|
|
||||||
|
- case WCCP2_CAPABILITY_INFO:
|
||||||
|
-
|
||||||
|
- if (router_capability_header != NULL) {
|
||||||
|
- debugs(80, DBG_IMPORTANT, "Duplicate router_capability definition");
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
+ case WCCP2_CAPABILITY_INFO: {
|
||||||
|
+ Must2(!router_capability_header, "duplicate router_capability definition");
|
||||||
|
+ SetField(router_capability_header, itemHeader, itemHeader, itemSize,
|
||||||
|
+ "router_capability definition truncated");
|
||||||
|
|
||||||
|
- router_capability_header = (struct wccp2_capability_info_header_t *) &wccp2_i_see_you.data[offset];
|
||||||
|
+ CheckFieldDataLength(router_capability_header, ntohs(router_capability_header->capability_info_length),
|
||||||
|
+ itemHeader, itemSize, "capability info truncated");
|
||||||
|
+ router_capability_data_start = reinterpret_cast<char*>(router_capability_header) +
|
||||||
|
+ sizeof(*router_capability_header);
|
||||||
|
break;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* Nothing to do for the types below */
|
||||||
|
|
||||||
|
@@ -1257,22 +1292,17 @@ wccp2HandleUdp(int sock, void *)
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
- debugs(80, DBG_IMPORTANT, "Unknown record type in WCCPv2 Packet (" << ntohs(header->type) << ").");
|
||||||
|
+ debugs(80, DBG_IMPORTANT, "Unknown record type in WCCPv2 Packet (" << ntohs(itemHeader->type) << ").");
|
||||||
|
}
|
||||||
|
|
||||||
|
- offset += sizeof(struct wccp2_item_header_t);
|
||||||
|
- offset += ntohs(header->length);
|
||||||
|
-
|
||||||
|
- if (offset > data_length) {
|
||||||
|
- debugs(80, DBG_IMPORTANT, "Error: WCCPv2 packet tried to tell us there is data beyond the end of the packet");
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
+ offset += itemSize;
|
||||||
|
+ assert(offset <= data_length && "CheckFieldDataLength(itemHeader...) established that");
|
||||||
|
}
|
||||||
|
|
||||||
|
- if ((security_info == NULL) || (service_info == NULL) || (router_identity_info == NULL) || (router_view_header == NULL)) {
|
||||||
|
- debugs(80, DBG_IMPORTANT, "Incomplete WCCPv2 Packet");
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
+ Must2(security_info, "packet missing security definition");
|
||||||
|
+ Must2(service_info, "packet missing service_info definition");
|
||||||
|
+ Must2(router_identity_info, "packet missing router_identity_info definition");
|
||||||
|
+ Must2(router_view_header, "packet missing router_view definition");
|
||||||
|
|
||||||
|
debugs(80, 5, "Complete packet received");
|
||||||
|
|
||||||
|
@@ -1308,10 +1338,7 @@ wccp2HandleUdp(int sock, void *)
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (router_list_ptr->next == NULL) {
|
||||||
|
- debugs(80, DBG_IMPORTANT, "WCCPv2 Packet received from unknown router");
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
+ Must2(router_list_ptr->next, "packet received from unknown router");
|
||||||
|
|
||||||
|
/* Set the router id */
|
||||||
|
router_list_ptr->info->router_address = router_identity_info->router_id_element.router_address;
|
||||||
|
@@ -1331,11 +1358,20 @@ wccp2HandleUdp(int sock, void *)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
|
||||||
|
- char *end = ((char *) router_capability_header) + sizeof(*router_capability_header) + ntohs(router_capability_header->capability_info_length) - sizeof(struct wccp2_capability_info_header_t);
|
||||||
|
-
|
||||||
|
- router_capability_element = (struct wccp2_capability_element_t *) (((char *) router_capability_header) + sizeof(*router_capability_header));
|
||||||
|
-
|
||||||
|
- while ((char *) router_capability_element <= end) {
|
||||||
|
+ const auto router_capability_data_length = ntohs(router_capability_header->capability_info_length);
|
||||||
|
+ assert(router_capability_data_start);
|
||||||
|
+ const auto router_capability_data_end = router_capability_data_start +
|
||||||
|
+ router_capability_data_length;
|
||||||
|
+ for (auto router_capability_data_current = router_capability_data_start;
|
||||||
|
+ router_capability_data_current < router_capability_data_end;) {
|
||||||
|
+
|
||||||
|
+ SetField(router_capability_element, router_capability_data_current,
|
||||||
|
+ router_capability_data_start, router_capability_data_length,
|
||||||
|
+ "capability element header truncated");
|
||||||
|
+ const auto elementSize = CheckFieldDataLength(
|
||||||
|
+ router_capability_element, ntohs(router_capability_element->capability_length),
|
||||||
|
+ router_capability_data_start, router_capability_data_length,
|
||||||
|
+ "capability element truncated");
|
||||||
|
|
||||||
|
switch (ntohs(router_capability_element->capability_type)) {
|
||||||
|
|
||||||
|
@@ -1377,7 +1413,7 @@ wccp2HandleUdp(int sock, void *)
|
||||||
|
debugs(80, DBG_IMPORTANT, "Unknown capability type in WCCPv2 Packet (" << ntohs(router_capability_element->capability_type) << ").");
|
||||||
|
}
|
||||||
|
|
||||||
|
- router_capability_element = (struct wccp2_capability_element_t *) (((char *) router_capability_element) + sizeof(struct wccp2_item_header_t) + ntohs(router_capability_element->capability_length));
|
||||||
|
+ router_capability_data_current += elementSize;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1396,23 +1432,34 @@ wccp2HandleUdp(int sock, void *)
|
||||||
|
num_caches = 0;
|
||||||
|
|
||||||
|
/* Check to see if we're the master cache and update the cache list */
|
||||||
|
- found = 0;
|
||||||
|
+ bool found = false;
|
||||||
|
service_list_ptr->lowest_ip = 1;
|
||||||
|
cache_list_ptr = &router_list_ptr->cache_list_head;
|
||||||
|
|
||||||
|
/* to find the list of caches, we start at the end of the router view header */
|
||||||
|
|
||||||
|
ptr = (char *) (router_view_header) + sizeof(struct router_view_t);
|
||||||
|
+ const auto router_view_size = sizeof(struct router_view_t) +
|
||||||
|
+ ntohs(router_view_header->header.length);
|
||||||
|
|
||||||
|
/* Then we read the number of routers */
|
||||||
|
- memcpy(&tmp, ptr, sizeof(tmp));
|
||||||
|
+ const uint32_t *routerCountRaw = nullptr;
|
||||||
|
+ SetField(routerCountRaw, ptr, router_view_header, router_view_size,
|
||||||
|
+ "malformed packet (truncated router view info w/o number of routers)");
|
||||||
|
|
||||||
|
/* skip the number plus all the ip's */
|
||||||
|
-
|
||||||
|
- ptr += sizeof(tmp) + (ntohl(tmp) * sizeof(struct in_addr));
|
||||||
|
+ ptr += sizeof(*routerCountRaw);
|
||||||
|
+ const auto ipCount = ntohl(*routerCountRaw);
|
||||||
|
+ const auto ipsSize = ipCount * sizeof(struct in_addr); // we check for unsigned overflow below
|
||||||
|
+ Must2(ipsSize / sizeof(struct in_addr) != ipCount, "huge IP address count");
|
||||||
|
+ CheckSectionLength(ptr, ipsSize, router_view_header, router_view_size, "invalid IP address count");
|
||||||
|
+ ptr += ipsSize;
|
||||||
|
|
||||||
|
/* Then read the number of caches */
|
||||||
|
- memcpy(&tmp, ptr, sizeof(tmp));
|
||||||
|
+ const uint32_t *cacheCountRaw = nullptr;
|
||||||
|
+ SetField(cacheCountRaw, ptr, router_view_header, router_view_size,
|
||||||
|
+ "malformed packet (truncated router view info w/o cache count)");
|
||||||
|
+ memcpy(&tmp, cacheCountRaw, sizeof(tmp)); // TODO: Replace tmp with cacheCount
|
||||||
|
ptr += sizeof(tmp);
|
||||||
|
|
||||||
|
if (ntohl(tmp) != 0) {
|
||||||
|
@@ -1426,7 +1473,8 @@ wccp2HandleUdp(int sock, void *)
|
||||||
|
|
||||||
|
case WCCP2_ASSIGNMENT_METHOD_HASH:
|
||||||
|
|
||||||
|
- cache_identity = (struct wccp2_cache_identity_info_t *) ptr;
|
||||||
|
+ SetField(cache_identity, ptr, router_view_header, router_view_size,
|
||||||
|
+ "malformed packet (truncated router view info cache w/o assignment hash)");
|
||||||
|
|
||||||
|
ptr += sizeof(struct wccp2_cache_identity_info_t);
|
||||||
|
|
||||||
|
@@ -1437,13 +1485,15 @@ wccp2HandleUdp(int sock, void *)
|
||||||
|
|
||||||
|
case WCCP2_ASSIGNMENT_METHOD_MASK:
|
||||||
|
|
||||||
|
- cache_mask_info = (struct cache_mask_info_t *) ptr;
|
||||||
|
+ SetField(cache_mask_info, ptr, router_view_header, router_view_size,
|
||||||
|
+ "malformed packet (truncated router view info cache w/o assignment mask)");
|
||||||
|
|
||||||
|
/* The mask assignment has an undocumented variable length entry here */
|
||||||
|
|
||||||
|
if (ntohl(cache_mask_info->num1) == 3) {
|
||||||
|
|
||||||
|
- cache_mask_identity = (struct wccp2_cache_mask_identity_info_t *) ptr;
|
||||||
|
+ SetField(cache_mask_identity, ptr, router_view_header, router_view_size,
|
||||||
|
+ "malformed packet (truncated router view info cache w/o assignment mask identity)");
|
||||||
|
|
||||||
|
ptr += sizeof(struct wccp2_cache_mask_identity_info_t);
|
||||||
|
|
||||||
|
@@ -1474,10 +1524,7 @@ wccp2HandleUdp(int sock, void *)
|
||||||
|
debugs (80, 5, "checking cache list: (" << std::hex << cache_address.s_addr << ":" << router_list_ptr->local_ip.s_addr << ")");
|
||||||
|
|
||||||
|
/* Check to see if it's the master, or us */
|
||||||
|
-
|
||||||
|
- if (cache_address.s_addr == router_list_ptr->local_ip.s_addr) {
|
||||||
|
- found = 1;
|
||||||
|
- }
|
||||||
|
+ found = found || (cache_address.s_addr == router_list_ptr->local_ip.s_addr);
|
||||||
|
|
||||||
|
if (cache_address.s_addr < router_list_ptr->local_ip.s_addr) {
|
||||||
|
service_list_ptr->lowest_ip = 0;
|
||||||
|
@@ -1494,7 +1541,7 @@ wccp2HandleUdp(int sock, void *)
|
||||||
|
cache_list_ptr->next = NULL;
|
||||||
|
|
||||||
|
service_list_ptr->lowest_ip = 1;
|
||||||
|
- found = 1;
|
||||||
|
+ found = true;
|
||||||
|
num_caches = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1502,7 +1549,7 @@ wccp2HandleUdp(int sock, void *)
|
||||||
|
|
||||||
|
router_list_ptr->num_caches = htonl(num_caches);
|
||||||
|
|
||||||
|
- if ((found == 1) && (service_list_ptr->lowest_ip == 1)) {
|
||||||
|
+ if (found && (service_list_ptr->lowest_ip == 1)) {
|
||||||
|
if (ntohl(router_view_header->change_number) != router_list_ptr->member_change) {
|
||||||
|
debugs(80, 4, "Change detected - queueing up new assignment");
|
||||||
|
router_list_ptr->member_change = ntohl(router_view_header->change_number);
|
||||||
|
@@ -1515,6 +1562,10 @@ wccp2HandleUdp(int sock, void *)
|
||||||
|
eventDelete(wccp2AssignBuckets, NULL);
|
||||||
|
debugs(80, 5, "I am not the lowest ip cache - not assigning buckets");
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ } catch (...) {
|
||||||
|
+ debugs(80, DBG_IMPORTANT, "ERROR: Ignoring WCCPv2 message: " << CurrentException);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,32 @@
|
|||||||
|
diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
|
||||||
|
index da9867f..e992638 100644
|
||||||
|
--- a/src/clients/FtpGateway.cc
|
||||||
|
+++ b/src/clients/FtpGateway.cc
|
||||||
|
@@ -1084,16 +1084,17 @@ Ftp::Gateway::checkAuth(const HttpHeader * req_hdr)
|
||||||
|
void
|
||||||
|
Ftp::Gateway::checkUrlpath()
|
||||||
|
{
|
||||||
|
- static SBuf str_type_eq("type=");
|
||||||
|
- auto t = request->url.path().rfind(';');
|
||||||
|
-
|
||||||
|
- if (t != SBuf::npos) {
|
||||||
|
- auto filenameEnd = t-1;
|
||||||
|
- if (request->url.path().substr(++t).cmp(str_type_eq, str_type_eq.length()) == 0) {
|
||||||
|
- t += str_type_eq.length();
|
||||||
|
- typecode = (char)xtoupper(request->url.path()[t]);
|
||||||
|
- request->url.path(request->url.path().substr(0,filenameEnd));
|
||||||
|
- }
|
||||||
|
+ // If typecode was specified, extract it and leave just the filename in
|
||||||
|
+ // url.path. Tolerate trailing garbage or missing typecode value. Roughly:
|
||||||
|
+ // [filename] ;type=[typecode char] [trailing garbage]
|
||||||
|
+ static const SBuf middle(";type=");
|
||||||
|
+ const auto typeSpecStart = request->url.path().find(middle);
|
||||||
|
+ if (typeSpecStart != SBuf::npos) {
|
||||||
|
+ const auto fullPath = request->url.path();
|
||||||
|
+ const auto typecodePos = typeSpecStart + middle.length();
|
||||||
|
+ typecode = (typecodePos < fullPath.length()) ?
|
||||||
|
+ static_cast<char>(xtoupper(fullPath[typecodePos])) : '\0';
|
||||||
|
+ request->url.path(fullPath.substr(0, typeSpecStart));
|
||||||
|
}
|
||||||
|
|
||||||
|
int l = request->url.path().length();
|
@ -0,0 +1,25 @@
|
|||||||
|
File: squid-4.15.tar.xz
|
||||||
|
Date: Mon 10 May 2021 10:50:22 UTC
|
||||||
|
Size: 2454176
|
||||||
|
MD5 : a593de9dc888dfeca4f1f7db2cd7d3b9
|
||||||
|
SHA1: 60bda34ba39657e2d870c8c1d2acece8a69c3075
|
||||||
|
Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz>
|
||||||
|
B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E
|
||||||
|
keyring = http://www.squid-cache.org/pgp.asc
|
||||||
|
keyserver = pool.sks-keyservers.net
|
||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAmCZD/UACgkQzW2/jvOx
|
||||||
|
fT6zZg/+N8JMIYpmVJ7jm4lF0Ub2kEHGTOrc+tnlA3LGnlMQuTm61+BYk58g0SKW
|
||||||
|
96NbJ0cycW215Q34L+Y0tWuxEbIU01vIc3AA7rQd0LKy+fQU0OtBuhk5Vf4bKilW
|
||||||
|
uHEVIQZs9HmY6bqC+kgtCf49tVZvR8FZYNuilg/68+i/pQdwaDDmVb+j2oF7w+y2
|
||||||
|
dgkTFWtM5NTL6bqUVC0E7lLFPjzMefKfxkkpWFdV/VrAhU25jN24kpnjcfotQhdW
|
||||||
|
LDFy5okduz3ljso9pBYJfLeMXM1FZPpceC91zj32x3tcUyrD3yIoXob58rEKvfe4
|
||||||
|
RDXN4SuClsNe4UQ4oNoGIES9XtaYlOzPR1PlbqPUrdp1cDnhgLJ+1fkAixlMqCml
|
||||||
|
wuI1VIKSEY+nvRzQzFHnXJK9otV8QwMF76AHaytO9y+X6JuZmu/CcV1pq61qY9qv
|
||||||
|
t1/8z99wWSxpu17zthZgq64J225GF/hkBedaFlYoS5k5YUMDLPlRSCC0yPmb8JBF
|
||||||
|
Cns5i/aq2PmOx2ZhQ2RQIF416J3HK8Galw8ytFOjnEcn4ux9yzKNjL38p4+PJJA0
|
||||||
|
7GCMAqYYNjok3LSkGbiR7cPgbHnkqRfYbPFLMj4FtruoFlZ9L5MIU3oFvqA3ZR6l
|
||||||
|
Az6LaKLsAYPUmukAOPUSIrqpKXZHc7hdBWkT+7RYA4qaoU+9oIo=
|
||||||
|
=1Re1
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,68 +0,0 @@
|
|||||||
From fc01451000eaa5592cd5afbd6aee14e53f7dd2c3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Amos Jeffries <amosjeffries@squid-cache.org>
|
|
||||||
Date: Sun, 18 Oct 2020 20:23:10 +1300
|
|
||||||
Subject: [PATCH] Update translations integration
|
|
||||||
|
|
||||||
* Add credits for es-mx translation moderator
|
|
||||||
* Use es-mx for default of all Spanish (Central America) texts
|
|
||||||
* Update translation related .am files
|
|
||||||
---
|
|
||||||
doc/manuals/language.am | 2 +-
|
|
||||||
errors/TRANSLATORS | 1 +
|
|
||||||
errors/aliases | 3 ++-
|
|
||||||
errors/language.am | 3 ++-
|
|
||||||
errors/template.am | 2 +-
|
|
||||||
5 files changed, 7 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/doc/manuals/language.am b/doc/manuals/language.am
|
|
||||||
index 7670c88380c..f03c4cf71b4 100644
|
|
||||||
--- a/doc/manuals/language.am
|
|
||||||
+++ b/doc/manuals/language.am
|
|
||||||
@@ -18,4 +18,4 @@ TRANSLATE_LANGUAGES = \
|
|
||||||
oc.lang \
|
|
||||||
pt.lang \
|
|
||||||
ro.lang \
|
|
||||||
- ru.lang
|
|
||||||
+ ru.lang
|
|
||||||
diff --git a/errors/aliases b/errors/aliases
|
|
||||||
index 36f17f4b80f..cf0116f297d 100644
|
|
||||||
--- a/errors/aliases
|
|
||||||
+++ b/errors/aliases
|
|
||||||
@@ -14,7 +14,8 @@ da da-dk
|
|
||||||
de de-at de-ch de-de de-li de-lu
|
|
||||||
el el-gr
|
|
||||||
en en-au en-bz en-ca en-cn en-gb en-ie en-in en-jm en-nz en-ph en-sg en-tt en-uk en-us en-za en-zw
|
|
||||||
-es es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-us es-uy es-ve es-xl
|
|
||||||
+es es-ar es-bo es-cl es-cu es-co es-do es-ec es-es es-pe es-pr es-py es-us es-uy es-ve es-xl spq
|
|
||||||
+es-mx es-bz es-cr es-gt es-hn es-ni es-pa es-sv
|
|
||||||
et et-ee
|
|
||||||
fa fa-fa fa-ir
|
|
||||||
fi fi-fi
|
|
||||||
diff --git a/errors/language.am b/errors/language.am
|
|
||||||
index 12b1b2b3b43..029e8c1eb2f 100644
|
|
||||||
--- a/errors/language.am
|
|
||||||
+++ b/errors/language.am
|
|
||||||
@@ -17,6 +17,7 @@ TRANSLATE_LANGUAGES = \
|
|
||||||
de.lang \
|
|
||||||
el.lang \
|
|
||||||
en.lang \
|
|
||||||
+ es-mx.lang \
|
|
||||||
es.lang \
|
|
||||||
et.lang \
|
|
||||||
fa.lang \
|
|
||||||
@@ -51,4 +52,4 @@ TRANSLATE_LANGUAGES = \
|
|
||||||
uz.lang \
|
|
||||||
vi.lang \
|
|
||||||
zh-hans.lang \
|
|
||||||
- zh-hant.lang
|
|
||||||
+ zh-hant.lang
|
|
||||||
diff --git a/errors/template.am b/errors/template.am
|
|
||||||
index 6c12781e6f4..715c65aa22b 100644
|
|
||||||
--- a/errors/template.am
|
|
||||||
+++ b/errors/template.am
|
|
||||||
@@ -48,4 +48,4 @@ ERROR_TEMPLATES = \
|
|
||||||
templates/ERR_UNSUP_REQ \
|
|
||||||
templates/ERR_URN_RESOLVE \
|
|
||||||
templates/ERR_WRITE_ERROR \
|
|
||||||
- templates/ERR_ZERO_SIZE_OBJECT
|
|
||||||
+ templates/ERR_ZERO_SIZE_OBJECT
|
|
@ -1,185 +0,0 @@
|
|||||||
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
|
|
||||||
index 3ad135d..73912ce 100644
|
|
||||||
--- a/src/ssl/support.cc
|
|
||||||
+++ b/src/ssl/support.cc
|
|
||||||
@@ -557,7 +557,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn)
|
|
||||||
}
|
|
||||||
|
|
||||||
// "dup" function for SSL_get_ex_new_index("cert_err_check")
|
|
||||||
-#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
|
|
||||||
+#if OPENSSL_VERSION_MAJOR >= 3
|
|
||||||
+static int
|
|
||||||
+ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **,
|
|
||||||
+ int, long, void *)
|
|
||||||
+#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
|
|
||||||
static int
|
|
||||||
ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *,
|
|
||||||
int, long, void *)
|
|
||||||
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
|
|
||||||
index cf1d4ba..4346ba5 100644
|
|
||||||
--- a/src/security/PeerOptions.cc
|
|
||||||
+++ b/src/security/PeerOptions.cc
|
|
||||||
@@ -297,130 +297,130 @@ static struct ssl_option {
|
|
||||||
|
|
||||||
} ssl_options[] = {
|
|
||||||
|
|
||||||
-#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
|
|
||||||
+#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
|
|
||||||
{
|
|
||||||
"NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
|
|
||||||
+#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
|
|
||||||
{
|
|
||||||
"SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
|
|
||||||
+#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
|
|
||||||
{
|
|
||||||
"MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG
|
|
||||||
+#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
|
|
||||||
{
|
|
||||||
"SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_TLS_D5_BUG
|
|
||||||
+#ifdef SSL_OP_TLS_D5_BUG
|
|
||||||
{
|
|
||||||
"TLS_D5_BUG", SSL_OP_TLS_D5_BUG
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_TLS_BLOCK_PADDING_BUG
|
|
||||||
+#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
|
|
||||||
{
|
|
||||||
"TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_TLS_ROLLBACK_BUG
|
|
||||||
+#ifdef SSL_OP_TLS_ROLLBACK_BUG
|
|
||||||
{
|
|
||||||
"TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_ALL
|
|
||||||
+#ifdef SSL_OP_ALL
|
|
||||||
{
|
|
||||||
"ALL", (long)SSL_OP_ALL
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_SINGLE_DH_USE
|
|
||||||
+#ifdef SSL_OP_SINGLE_DH_USE
|
|
||||||
{
|
|
||||||
"SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_EPHEMERAL_RSA
|
|
||||||
+#ifdef SSL_OP_EPHEMERAL_RSA
|
|
||||||
{
|
|
||||||
"EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_PKCS1_CHECK_1
|
|
||||||
+#ifdef SSL_OP_PKCS1_CHECK_1
|
|
||||||
{
|
|
||||||
"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_PKCS1_CHECK_2
|
|
||||||
+#ifdef SSL_OP_PKCS1_CHECK_2
|
|
||||||
{
|
|
||||||
"PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_NETSCAPE_CA_DN_BUG
|
|
||||||
+#ifdef SSL_OP_NETSCAPE_CA_DN_BUG
|
|
||||||
{
|
|
||||||
"NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_NON_EXPORT_FIRST
|
|
||||||
+#ifdef SSL_OP_NON_EXPORT_FIRST
|
|
||||||
{
|
|
||||||
"NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_CIPHER_SERVER_PREFERENCE
|
|
||||||
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
|
|
||||||
{
|
|
||||||
"CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
|
|
||||||
+#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
|
|
||||||
{
|
|
||||||
"NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_NO_SSLv3
|
|
||||||
+#ifdef SSL_OP_NO_SSLv3
|
|
||||||
{
|
|
||||||
"NO_SSLv3", SSL_OP_NO_SSLv3
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_NO_TLSv1
|
|
||||||
+#ifdef SSL_OP_NO_TLSv1
|
|
||||||
{
|
|
||||||
"NO_TLSv1", SSL_OP_NO_TLSv1
|
|
||||||
},
|
|
||||||
#else
|
|
||||||
{ "NO_TLSv1", 0 },
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_NO_TLSv1_1
|
|
||||||
+#ifdef SSL_OP_NO_TLSv1_1
|
|
||||||
{
|
|
||||||
"NO_TLSv1_1", SSL_OP_NO_TLSv1_1
|
|
||||||
},
|
|
||||||
#else
|
|
||||||
{ "NO_TLSv1_1", 0 },
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_NO_TLSv1_2
|
|
||||||
+#ifdef SSL_OP_NO_TLSv1_2
|
|
||||||
{
|
|
||||||
"NO_TLSv1_2", SSL_OP_NO_TLSv1_2
|
|
||||||
},
|
|
||||||
#else
|
|
||||||
{ "NO_TLSv1_2", 0 },
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_NO_TLSv1_3
|
|
||||||
+#ifdef SSL_OP_NO_TLSv1_3
|
|
||||||
{
|
|
||||||
"NO_TLSv1_3", SSL_OP_NO_TLSv1_3
|
|
||||||
},
|
|
||||||
#else
|
|
||||||
{ "NO_TLSv1_3", 0 },
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_NO_COMPRESSION
|
|
||||||
+#ifdef SSL_OP_NO_COMPRESSION
|
|
||||||
{
|
|
||||||
"No_Compression", SSL_OP_NO_COMPRESSION
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_NO_TICKET
|
|
||||||
+#ifdef SSL_OP_NO_TICKET
|
|
||||||
{
|
|
||||||
"NO_TICKET", SSL_OP_NO_TICKET
|
|
||||||
},
|
|
||||||
#endif
|
|
||||||
-#if SSL_OP_SINGLE_ECDH_USE
|
|
||||||
+#ifdef SSL_OP_SINGLE_ECDH_USE
|
|
||||||
{
|
|
||||||
"SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE
|
|
||||||
},
|
|
||||||
@@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions()
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
-#if SSL_OP_NO_SSLv2
|
|
||||||
+#ifdef SSL_OP_NO_SSLv2
|
|
||||||
// compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
|
|
||||||
op = op | SSL_OP_NO_SSLv2;
|
|
||||||
#endif
|
|
@ -1,24 +0,0 @@
|
|||||||
diff --git a/src/tests/testStoreHashIndex.cc b/src/tests/testStoreHashIndex.cc
|
|
||||||
index 0564380..fcd60b9 100644
|
|
||||||
--- a/src/tests/testStoreHashIndex.cc
|
|
||||||
+++ b/src/tests/testStoreHashIndex.cc
|
|
||||||
@@ -102,6 +102,8 @@ void commonInit()
|
|
||||||
if (inited)
|
|
||||||
return;
|
|
||||||
|
|
||||||
+ inited = true;
|
|
||||||
+
|
|
||||||
Mem::Init();
|
|
||||||
|
|
||||||
Config.Store.avgObjectSize = 1024;
|
|
||||||
@@ -109,6 +111,10 @@ void commonInit()
|
|
||||||
Config.Store.objectsPerBucket = 20;
|
|
||||||
|
|
||||||
Config.Store.maxObjectSize = 2048;
|
|
||||||
+
|
|
||||||
+ Config.memShared.defaultTo(false);
|
|
||||||
+
|
|
||||||
+ Config.store_dir_select_algorithm = xstrdup("round-robin");
|
|
||||||
}
|
|
||||||
|
|
||||||
/* TODO make this a cbdata class */
|
|
@ -1,178 +0,0 @@
|
|||||||
From 05f6af2f4c85cc99323cfff6149c3d74af661b6d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Amos Jeffries <yadij@users.noreply.github.com>
|
|
||||||
Date: Fri, 13 Oct 2023 08:44:16 +0000
|
|
||||||
Subject: [PATCH] RFC 9112: Improve HTTP chunked encoding compliance (#1498)
|
|
||||||
|
|
||||||
---
|
|
||||||
src/http/one/Parser.cc | 8 +-------
|
|
||||||
src/http/one/Parser.h | 4 +---
|
|
||||||
src/http/one/TeChunkedParser.cc | 23 ++++++++++++++++++-----
|
|
||||||
src/parser/Tokenizer.cc | 12 ++++++++++++
|
|
||||||
src/parser/Tokenizer.h | 7 +++++++
|
|
||||||
5 files changed, 39 insertions(+), 15 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc
|
|
||||||
index c78ddd7f0..291ae39f0 100644
|
|
||||||
--- a/src/http/one/Parser.cc
|
|
||||||
+++ b/src/http/one/Parser.cc
|
|
||||||
@@ -65,16 +65,10 @@ Http::One::Parser::DelimiterCharacters()
|
|
||||||
void
|
|
||||||
Http::One::Parser::skipLineTerminator(Tokenizer &tok) const
|
|
||||||
{
|
|
||||||
- if (tok.skip(Http1::CrLf()))
|
|
||||||
- return;
|
|
||||||
-
|
|
||||||
if (Config.onoff.relaxed_header_parser && tok.skipOne(CharacterSet::LF))
|
|
||||||
return;
|
|
||||||
|
|
||||||
- if (tok.atEnd() || (tok.remaining().length() == 1 && tok.remaining().at(0) == '\r'))
|
|
||||||
- throw InsufficientInput();
|
|
||||||
-
|
|
||||||
- throw TexcHere("garbage instead of CRLF line terminator");
|
|
||||||
+ tok.skipRequired("line-terminating CRLF", Http1::CrLf());
|
|
||||||
}
|
|
||||||
|
|
||||||
/// all characters except the LF line terminator
|
|
||||||
diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h
|
|
||||||
index f83c01a9a..aab895583 100644
|
|
||||||
--- a/src/http/one/Parser.h
|
|
||||||
+++ b/src/http/one/Parser.h
|
|
||||||
@@ -124,9 +124,7 @@ protected:
|
|
||||||
* detect and skip the CRLF or (if tolerant) LF line terminator
|
|
||||||
* consume from the tokenizer.
|
|
||||||
*
|
|
||||||
- * \throws exception on bad or InsuffientInput.
|
|
||||||
- * \retval true only if line terminator found.
|
|
||||||
- * \retval false incomplete or missing line terminator, need more data.
|
|
||||||
+ * \throws exception on bad or InsufficientInput
|
|
||||||
*/
|
|
||||||
void skipLineTerminator(Tokenizer &) const;
|
|
||||||
|
|
||||||
diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc
|
|
||||||
index 1434100b6..8bdb65abb 100644
|
|
||||||
--- a/src/http/one/TeChunkedParser.cc
|
|
||||||
+++ b/src/http/one/TeChunkedParser.cc
|
|
||||||
@@ -91,6 +91,11 @@ Http::One::TeChunkedParser::parseChunkSize(Tokenizer &tok)
|
|
||||||
{
|
|
||||||
Must(theChunkSize <= 0); // Should(), really
|
|
||||||
|
|
||||||
+ static const SBuf bannedHexPrefixLower("0x");
|
|
||||||
+ static const SBuf bannedHexPrefixUpper("0X");
|
|
||||||
+ if (tok.skip(bannedHexPrefixLower) || tok.skip(bannedHexPrefixUpper))
|
|
||||||
+ throw TextException("chunk starts with 0x", Here());
|
|
||||||
+
|
|
||||||
int64_t size = -1;
|
|
||||||
if (tok.int64(size, 16, false) && !tok.atEnd()) {
|
|
||||||
if (size < 0)
|
|
||||||
@@ -121,7 +126,7 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
|
|
||||||
// bad or insufficient input, like in the code below. TODO: Expand up.
|
|
||||||
try {
|
|
||||||
parseChunkExtensions(tok); // a possibly empty chunk-ext list
|
|
||||||
- skipLineTerminator(tok);
|
|
||||||
+ tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf());
|
|
||||||
buf_ = tok.remaining();
|
|
||||||
parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME;
|
|
||||||
return true;
|
|
||||||
@@ -132,12 +137,14 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
|
|
||||||
// other exceptions bubble up to kill message parsing
|
|
||||||
}
|
|
||||||
|
|
||||||
-/// Parses the chunk-ext list (RFC 7230 section 4.1.1 and its Errata #4667):
|
|
||||||
+/// Parses the chunk-ext list (RFC 9112 section 7.1.1:
|
|
||||||
/// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
|
|
||||||
void
|
|
||||||
-Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &tok)
|
|
||||||
+Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok)
|
|
||||||
{
|
|
||||||
do {
|
|
||||||
+ auto tok = callerTok;
|
|
||||||
+
|
|
||||||
ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size
|
|
||||||
|
|
||||||
if (!tok.skip(';'))
|
|
||||||
@@ -145,6 +152,7 @@ Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &tok)
|
|
||||||
|
|
||||||
parseOneChunkExtension(tok);
|
|
||||||
buf_ = tok.remaining(); // got one extension
|
|
||||||
+ callerTok = tok;
|
|
||||||
} while (true);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -158,11 +166,14 @@ Http::One::ChunkExtensionValueParser::Ignore(Tokenizer &tok, const SBuf &extName
|
|
||||||
/// Parses a single chunk-ext list element:
|
|
||||||
/// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
|
|
||||||
void
|
|
||||||
-Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &tok)
|
|
||||||
+Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &callerTok)
|
|
||||||
{
|
|
||||||
+ auto tok = callerTok;
|
|
||||||
+
|
|
||||||
ParseBws(tok); // Bug 4492: ICAP servers send SP before chunk-ext-name
|
|
||||||
|
|
||||||
const auto extName = tok.prefix("chunk-ext-name", CharacterSet::TCHAR);
|
|
||||||
+ callerTok = tok; // in case we determine that this is a valueless chunk-ext
|
|
||||||
|
|
||||||
ParseBws(tok);
|
|
||||||
|
|
||||||
@@ -176,6 +187,8 @@ Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &tok)
|
|
||||||
customExtensionValueParser->parse(tok, extName);
|
|
||||||
else
|
|
||||||
ChunkExtensionValueParser::Ignore(tok, extName);
|
|
||||||
+
|
|
||||||
+ callerTok = tok;
|
|
||||||
}
|
|
||||||
|
|
||||||
bool
|
|
||||||
@@ -209,7 +222,7 @@ Http::One::TeChunkedParser::parseChunkEnd(Tokenizer &tok)
|
|
||||||
Must(theLeftBodySize == 0); // Should(), really
|
|
||||||
|
|
||||||
try {
|
|
||||||
- skipLineTerminator(tok);
|
|
||||||
+ tok.skipRequired("chunk CRLF", Http1::CrLf());
|
|
||||||
buf_ = tok.remaining(); // parse checkpoint
|
|
||||||
theChunkSize = 0; // done with the current chunk
|
|
||||||
parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ;
|
|
||||||
diff --git a/src/parser/Tokenizer.cc b/src/parser/Tokenizer.cc
|
|
||||||
index edaffd8d3..15df793b8 100644
|
|
||||||
--- a/src/parser/Tokenizer.cc
|
|
||||||
+++ b/src/parser/Tokenizer.cc
|
|
||||||
@@ -147,6 +147,18 @@ Parser::Tokenizer::skipAll(const CharacterSet &tokenChars)
|
|
||||||
return success(prefixLen);
|
|
||||||
}
|
|
||||||
|
|
||||||
+void
|
|
||||||
+Parser::Tokenizer::skipRequired(const char *description, const SBuf &tokenToSkip)
|
|
||||||
+{
|
|
||||||
+ if (skip(tokenToSkip) || tokenToSkip.isEmpty())
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
+ if (tokenToSkip.startsWith(buf_))
|
|
||||||
+ throw InsufficientInput();
|
|
||||||
+
|
|
||||||
+ throw TextException(ToSBuf("cannot skip ", description), Here());
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
bool
|
|
||||||
Parser::Tokenizer::skipOne(const CharacterSet &chars)
|
|
||||||
{
|
|
||||||
diff --git a/src/parser/Tokenizer.h b/src/parser/Tokenizer.h
|
|
||||||
index 7bae1ccbb..3cfa7dd6c 100644
|
|
||||||
--- a/src/parser/Tokenizer.h
|
|
||||||
+++ b/src/parser/Tokenizer.h
|
|
||||||
@@ -115,6 +115,13 @@ public:
|
|
||||||
*/
|
|
||||||
SBuf::size_type skipAll(const CharacterSet &discardables);
|
|
||||||
|
|
||||||
+ /** skips a given character sequence (string);
|
|
||||||
+ * does nothing if the sequence is empty
|
|
||||||
+ *
|
|
||||||
+ * \throws exception on mismatching prefix or InsufficientInput
|
|
||||||
+ */
|
|
||||||
+ void skipRequired(const char *description, const SBuf &tokenToSkip);
|
|
||||||
+
|
|
||||||
/** Removes a single trailing character from the set.
|
|
||||||
*
|
|
||||||
* \return whether a character was removed
|
|
||||||
--
|
|
||||||
2.25.1
|
|
||||||
|
|
@ -1,46 +0,0 @@
|
|||||||
From c67bf049871a49e9871efe50b230a7f37b7039f6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alex Rousskov <rousskov@measurement-factory.com>
|
|
||||||
Date: Thu, 25 May 2023 02:10:28 +0000
|
|
||||||
Subject: [PATCH] Fix userinfo percent-encoding (#1367)
|
|
||||||
|
|
||||||
%X expects an unsigned int, and that is what we were giving it. However,
|
|
||||||
to get to the correct unsigned int value from a (signed) char, one has
|
|
||||||
to cast to an unsigned char (or equivalent) first.
|
|
||||||
|
|
||||||
Broken since inception in commit 7b75100.
|
|
||||||
|
|
||||||
Also adjusted similar (commented out) ext_edirectory_userip_acl code.
|
|
||||||
---
|
|
||||||
src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc | 2 +-
|
|
||||||
src/anyp/Uri.cc | 2 +-
|
|
||||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc b/src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc
|
|
||||||
index dbc20ae54..9028d1562 100644
|
|
||||||
--- a/src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc
|
|
||||||
+++ b/src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc
|
|
||||||
@@ -1612,7 +1612,7 @@ MainSafe(int argc, char **argv)
|
|
||||||
/* BINARY DEBUGGING *
|
|
||||||
local_printfx("while() -> bufa[%" PRIuSIZE "]: %s", k, bufa);
|
|
||||||
for (i = 0; i < k; ++i)
|
|
||||||
- local_printfx("%02X", bufa[i]);
|
|
||||||
+ local_printfx("%02X", static_cast<unsigned int>(static_cast<unsigned char>(bufa[i])));
|
|
||||||
local_printfx("\n");
|
|
||||||
* BINARY DEBUGGING */
|
|
||||||
/* Check for CRLF */
|
|
||||||
diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
|
|
||||||
index a6a5d5d9e..3d19188e9 100644
|
|
||||||
--- a/src/anyp/Uri.cc
|
|
||||||
+++ b/src/anyp/Uri.cc
|
|
||||||
@@ -70,7 +70,7 @@ AnyP::Uri::Encode(const SBuf &buf, const CharacterSet &ignore)
|
|
||||||
while (!tk.atEnd()) {
|
|
||||||
// TODO: Add Tokenizer::parseOne(void).
|
|
||||||
const auto ch = tk.remaining()[0];
|
|
||||||
- output.appendf("%%%02X", static_cast<unsigned int>(ch)); // TODO: Optimize using a table
|
|
||||||
+ output.appendf("%%%02X", static_cast<unsigned int>(static_cast<unsigned char>(ch))); // TODO: Optimize using a table
|
|
||||||
(void)tk.skip(ch);
|
|
||||||
|
|
||||||
if (tk.prefix(goodSection, ignore))
|
|
||||||
--
|
|
||||||
2.25.1
|
|
||||||
|
|
@ -1,30 +0,0 @@
|
|||||||
commit 8fcff9c09824b18628f010d26a04247f6a6cbcb8
|
|
||||||
Author: Alex Rousskov <rousskov@measurement-factory.com>
|
|
||||||
Date: Sun Nov 12 09:33:20 2023 +0000
|
|
||||||
|
|
||||||
Do not update StoreEntry expiration after errorAppendEntry() (#1580)
|
|
||||||
|
|
||||||
errorAppendEntry() is responsible for setting entry expiration times,
|
|
||||||
which it does by calling StoreEntry::storeErrorResponse() that calls
|
|
||||||
StoreEntry::negativeCache().
|
|
||||||
|
|
||||||
This change was triggered by a vulnerability report by Joshua Rogers at
|
|
||||||
https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html where
|
|
||||||
it was filed as "Use-After-Free in Cache Manager Errors". The reported
|
|
||||||
"use after free" vulnerability was unknowingly addressed by 2022 commit
|
|
||||||
1fa761a that removed excessively long "reentrant" store_client calls
|
|
||||||
responsible for the disappearance of the properly locked StoreEntry in
|
|
||||||
this (and probably other) contexts.
|
|
||||||
|
|
||||||
diff --git a/src/cache_manager.cc b/src/cache_manager.cc
|
|
||||||
index 61c7f65be..65bf22dd0 100644
|
|
||||||
--- a/src/cache_manager.cc
|
|
||||||
+++ b/src/cache_manager.cc
|
|
||||||
@@ -326,7 +326,6 @@ CacheManager::start(const Comm::ConnectionPointer &client, HttpRequest *request,
|
|
||||||
err->url = xstrdup(entry->url());
|
|
||||||
err->detailError(new ExceptionErrorDetail(Here().id()));
|
|
||||||
errorAppendEntry(entry, err);
|
|
||||||
- entry->expires = squid_curtime;
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
@ -1,192 +0,0 @@
|
|||||||
diff --git a/src/http.cc b/src/http.cc
|
|
||||||
index 98e3969..8b55bf3 100644
|
|
||||||
--- a/src/http.cc
|
|
||||||
+++ b/src/http.cc
|
|
||||||
@@ -54,6 +54,7 @@
|
|
||||||
#include "rfc1738.h"
|
|
||||||
#include "SquidConfig.h"
|
|
||||||
#include "SquidTime.h"
|
|
||||||
+#include "SquidMath.h"
|
|
||||||
#include "StatCounters.h"
|
|
||||||
#include "Store.h"
|
|
||||||
#include "StrList.h"
|
|
||||||
@@ -1235,18 +1236,26 @@ HttpStateData::readReply(const CommIoCbParams &io)
|
|
||||||
* Plus, it breaks our lame *HalfClosed() detection
|
|
||||||
*/
|
|
||||||
|
|
||||||
- Must(maybeMakeSpaceAvailable(true));
|
|
||||||
- CommIoCbParams rd(this); // will be expanded with ReadNow results
|
|
||||||
- rd.conn = io.conn;
|
|
||||||
- rd.size = entry->bytesWanted(Range<size_t>(0, inBuf.spaceSize()));
|
|
||||||
+ const auto moreDataPermission = canBufferMoreReplyBytes();
|
|
||||||
+ if (!moreDataPermission) {
|
|
||||||
+ abortTransaction("ready to read required data, but the read buffer is full and cannot be drained");
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ const auto readSizeMax = maybeMakeSpaceAvailable(moreDataPermission.value());
|
|
||||||
+ // TODO: Move this logic inside maybeMakeSpaceAvailable():
|
|
||||||
+ const auto readSizeWanted = readSizeMax ? entry->bytesWanted(Range<size_t>(0, readSizeMax)) : 0;
|
|
||||||
|
|
||||||
- if (rd.size <= 0) {
|
|
||||||
+ if (readSizeWanted <= 0) {
|
|
||||||
assert(entry->mem_obj);
|
|
||||||
AsyncCall::Pointer nilCall;
|
|
||||||
entry->mem_obj->delayRead(DeferredRead(readDelayed, this, CommRead(io.conn, NULL, 0, nilCall)));
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ CommIoCbParams rd(this); // will be expanded with ReadNow results
|
|
||||||
+ rd.conn = io.conn;
|
|
||||||
+ rd.size = readSizeWanted;
|
|
||||||
switch (Comm::ReadNow(rd, inBuf)) {
|
|
||||||
case Comm::INPROGRESS:
|
|
||||||
if (inBuf.isEmpty())
|
|
||||||
@@ -1617,8 +1626,10 @@ HttpStateData::maybeReadVirginBody()
|
|
||||||
if (!Comm::IsConnOpen(serverConnection) || fd_table[serverConnection->fd].closing())
|
|
||||||
return;
|
|
||||||
|
|
||||||
- if (!maybeMakeSpaceAvailable(false))
|
|
||||||
+ if (!canBufferMoreReplyBytes()) {
|
|
||||||
+ abortTransaction("more response bytes required, but the read buffer is full and cannot be drained");
|
|
||||||
return;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
// XXX: get rid of the do_next_read flag
|
|
||||||
// check for the proper reasons preventing read(2)
|
|
||||||
@@ -1636,40 +1647,78 @@ HttpStateData::maybeReadVirginBody()
|
|
||||||
Comm::Read(serverConnection, call);
|
|
||||||
}
|
|
||||||
|
|
||||||
-bool
|
|
||||||
-HttpStateData::maybeMakeSpaceAvailable(bool doGrow)
|
|
||||||
+/// Desired inBuf capacity based on various capacity preferences/limits:
|
|
||||||
+/// * a smaller buffer may not hold enough for look-ahead header/body parsers;
|
|
||||||
+/// * a smaller buffer may result in inefficient tiny network reads;
|
|
||||||
+/// * a bigger buffer may waste memory;
|
|
||||||
+/// * a bigger buffer may exceed SBuf storage capabilities (SBuf::maxSize);
|
|
||||||
+size_t
|
|
||||||
+HttpStateData::calcReadBufferCapacityLimit() const
|
|
||||||
{
|
|
||||||
- // how much we are allowed to buffer
|
|
||||||
- const int limitBuffer = (flags.headers_parsed ? Config.readAheadGap : Config.maxReplyHeaderSize);
|
|
||||||
-
|
|
||||||
- if (limitBuffer < 0 || inBuf.length() >= (SBuf::size_type)limitBuffer) {
|
|
||||||
- // when buffer is at or over limit already
|
|
||||||
- debugs(11, 7, "will not read up to " << limitBuffer << ". buffer has (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
|
|
||||||
- debugs(11, DBG_DATA, "buffer has {" << inBuf << "}");
|
|
||||||
- // Process next response from buffer
|
|
||||||
- processReply();
|
|
||||||
- return false;
|
|
||||||
+ if (!flags.headers_parsed)
|
|
||||||
+ return Config.maxReplyHeaderSize;
|
|
||||||
+
|
|
||||||
+ // XXX: Our inBuf is not used to maintain the read-ahead gap, and using
|
|
||||||
+ // Config.readAheadGap like this creates huge read buffers for large
|
|
||||||
+ // read_ahead_gap values. TODO: Switch to using tcp_recv_bufsize as the
|
|
||||||
+ // primary read buffer capacity factor.
|
|
||||||
+ //
|
|
||||||
+ // TODO: Cannot reuse throwing NaturalCast() here. Consider removing
|
|
||||||
+ // .value() dereference in NaturalCast() or add/use NaturalCastOrMax().
|
|
||||||
+ const auto configurationPreferences = NaturalSum<size_t>(Config.readAheadGap).value_or(SBuf::maxSize);
|
|
||||||
+
|
|
||||||
+ // TODO: Honor TeChunkedParser look-ahead and trailer parsing requirements
|
|
||||||
+ // (when explicit configurationPreferences are set too low).
|
|
||||||
+
|
|
||||||
+ return std::min<size_t>(configurationPreferences, SBuf::maxSize);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/// The maximum number of virgin reply bytes we may buffer before we violate
|
|
||||||
+/// the currently configured response buffering limits.
|
|
||||||
+/// \retval std::nullopt means that no more virgin response bytes can be read
|
|
||||||
+/// \retval 0 means that more virgin response bytes may be read later
|
|
||||||
+/// \retval >0 is the number of bytes that can be read now (subject to other constraints)
|
|
||||||
+std::optional<size_t>
|
|
||||||
+HttpStateData::canBufferMoreReplyBytes() const
|
|
||||||
+{
|
|
||||||
+#if USE_ADAPTATION
|
|
||||||
+ // If we do not check this now, we may say the final "no" prematurely below
|
|
||||||
+ // because inBuf.length() will decrease as adaptation drains buffered bytes.
|
|
||||||
+ if (responseBodyBuffer) {
|
|
||||||
+ debugs(11, 3, "yes, but waiting for adaptation to drain read buffer");
|
|
||||||
+ return 0; // yes, we may be able to buffer more (but later)
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ const auto maxCapacity = calcReadBufferCapacityLimit();
|
|
||||||
+ if (inBuf.length() >= maxCapacity) {
|
|
||||||
+ debugs(11, 3, "no, due to a full buffer: " << inBuf.length() << '/' << inBuf.spaceSize() << "; limit: " << maxCapacity);
|
|
||||||
+ return std::nullopt; // no, configuration prohibits buffering more
|
|
||||||
}
|
|
||||||
|
|
||||||
+ const auto maxReadSize = maxCapacity - inBuf.length(); // positive
|
|
||||||
+ debugs(11, 7, "yes, may read up to " << maxReadSize << " into " << inBuf.length() << '/' << inBuf.spaceSize());
|
|
||||||
+ return maxReadSize; // yes, can read up to this many bytes (subject to other constraints)
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/// prepare read buffer for reading
|
|
||||||
+/// \return the maximum number of bytes the caller should attempt to read
|
|
||||||
+/// \retval 0 means that the caller should delay reading
|
|
||||||
+size_t
|
|
||||||
+HttpStateData::maybeMakeSpaceAvailable(const size_t maxReadSize)
|
|
||||||
+{
|
|
||||||
// how much we want to read
|
|
||||||
- const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), (limitBuffer - inBuf.length()));
|
|
||||||
+ const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), maxReadSize);
|
|
||||||
|
|
||||||
- if (!read_size) {
|
|
||||||
+ if (read_size < 2) {
|
|
||||||
debugs(11, 7, "will not read up to " << read_size << " into buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
|
|
||||||
- return false;
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
- // just report whether we could grow or not, do not actually do it
|
|
||||||
- if (doGrow)
|
|
||||||
- return (read_size >= 2);
|
|
||||||
-
|
|
||||||
// we may need to grow the buffer
|
|
||||||
inBuf.reserveSpace(read_size);
|
|
||||||
- debugs(11, 8, (!flags.do_next_read ? "will not" : "may") <<
|
|
||||||
- " read up to " << read_size << " bytes info buf(" << inBuf.length() << "/" << inBuf.spaceSize() <<
|
|
||||||
- ") from " << serverConnection);
|
|
||||||
-
|
|
||||||
- return (inBuf.spaceSize() >= 2); // only read if there is 1+ bytes of space available
|
|
||||||
+ debugs(11, 7, "may read up to " << read_size << " bytes info buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
|
|
||||||
+ return read_size;
|
|
||||||
}
|
|
||||||
|
|
||||||
/// called after writing the very last request byte (body, last-chunk, etc)
|
|
||||||
diff --git a/src/http.h b/src/http.h
|
|
||||||
index e70cd7e..f7ed40d 100644
|
|
||||||
--- a/src/http.h
|
|
||||||
+++ b/src/http.h
|
|
||||||
@@ -15,6 +15,8 @@
|
|
||||||
#include "http/StateFlags.h"
|
|
||||||
#include "sbuf/SBuf.h"
|
|
||||||
|
|
||||||
+#include <optional>
|
|
||||||
+
|
|
||||||
class FwdState;
|
|
||||||
class HttpHeader;
|
|
||||||
class String;
|
|
||||||
@@ -112,16 +114,9 @@ private:
|
|
||||||
|
|
||||||
void abortTransaction(const char *reason) { abortAll(reason); } // abnormal termination
|
|
||||||
|
|
||||||
- /**
|
|
||||||
- * determine if read buffer can have space made available
|
|
||||||
- * for a read.
|
|
||||||
- *
|
|
||||||
- * \param grow whether to actually expand the buffer
|
|
||||||
- *
|
|
||||||
- * \return whether the buffer can be grown to provide space
|
|
||||||
- * regardless of whether the grow actually happened.
|
|
||||||
- */
|
|
||||||
- bool maybeMakeSpaceAvailable(bool grow);
|
|
||||||
+ size_t calcReadBufferCapacityLimit() const;
|
|
||||||
+ std::optional<size_t> canBufferMoreReplyBytes() const;
|
|
||||||
+ size_t maybeMakeSpaceAvailable(size_t maxReadSize);
|
|
||||||
|
|
||||||
// consuming request body
|
|
||||||
virtual void handleMoreRequestBodyAvailable();
|
|
@ -1,105 +0,0 @@
|
|||||||
diff --git a/src/SquidString.h b/src/SquidString.h
|
|
||||||
index e36cd27..ea613ad 100644
|
|
||||||
--- a/src/SquidString.h
|
|
||||||
+++ b/src/SquidString.h
|
|
||||||
@@ -140,7 +140,16 @@ private:
|
|
||||||
|
|
||||||
size_type len_ = 0; /* current length */
|
|
||||||
|
|
||||||
- static const size_type SizeMax_ = 65535; ///< 64K limit protects some fixed-size buffers
|
|
||||||
+ /// An earlier 64KB limit was meant to protect some fixed-size buffers, but
|
|
||||||
+ /// (a) we do not know where those buffers are (or whether they still exist)
|
|
||||||
+ /// (b) too many String users unknowingly exceeded that limit and asserted.
|
|
||||||
+ /// We are now using a larger limit to reduce the number of (b) cases,
|
|
||||||
+ /// especially cases where "compact" lists of items grow 50% in size when we
|
|
||||||
+ /// convert them to canonical form. The new limit is selected to withstand
|
|
||||||
+ /// concatenation and ~50% expansion of two HTTP headers limited by default
|
|
||||||
+ /// request_header_max_size and reply_header_max_size settings.
|
|
||||||
+ static const size_type SizeMax_ = 3*64*1024 - 1;
|
|
||||||
+
|
|
||||||
/// returns true after increasing the first argument by extra if the sum does not exceed SizeMax_
|
|
||||||
static bool SafeAdd(size_type &base, size_type extra) { if (extra <= SizeMax_ && base <= SizeMax_ - extra) { base += extra; return true; } return false; }
|
|
||||||
|
|
||||||
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
|
|
||||||
index cb746dc..c4ade96 100644
|
|
||||||
--- a/src/cache_cf.cc
|
|
||||||
+++ b/src/cache_cf.cc
|
|
||||||
@@ -950,6 +950,18 @@ configDoConfigure(void)
|
|
||||||
(uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ // Warn about the dangers of exceeding String limits when manipulating HTTP
|
|
||||||
+ // headers. Technically, we do not concatenate _requests_, so we could relax
|
|
||||||
+ // their check, but we keep the two checks the same for simplicity sake.
|
|
||||||
+ const auto safeRawHeaderValueSizeMax = (String::SizeMaxXXX()+1)/3;
|
|
||||||
+ // TODO: static_assert(safeRawHeaderValueSizeMax >= 64*1024); // no WARNINGs for default settings
|
|
||||||
+ if (Config.maxRequestHeaderSize > safeRawHeaderValueSizeMax)
|
|
||||||
+ debugs(3, DBG_CRITICAL, "WARNING: Increasing request_header_max_size beyond " << safeRawHeaderValueSizeMax <<
|
|
||||||
+ " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxRequestHeaderSize << " bytes");
|
|
||||||
+ if (Config.maxReplyHeaderSize > safeRawHeaderValueSizeMax)
|
|
||||||
+ debugs(3, DBG_CRITICAL, "WARNING: Increasing reply_header_max_size beyond " << safeRawHeaderValueSizeMax <<
|
|
||||||
+ " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxReplyHeaderSize << " bytes");
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Disable client side request pipelining if client_persistent_connections OFF.
|
|
||||||
* Waste of resources queueing any pipelined requests when the first will close the connection.
|
|
||||||
diff --git a/src/cf.data.pre b/src/cf.data.pre
|
|
||||||
index 67a66b0..61a66f1 100644
|
|
||||||
--- a/src/cf.data.pre
|
|
||||||
+++ b/src/cf.data.pre
|
|
||||||
@@ -6489,11 +6489,14 @@ TYPE: b_size_t
|
|
||||||
DEFAULT: 64 KB
|
|
||||||
LOC: Config.maxRequestHeaderSize
|
|
||||||
DOC_START
|
|
||||||
- This specifies the maximum size for HTTP headers in a request.
|
|
||||||
- Request headers are usually relatively small (about 512 bytes).
|
|
||||||
- Placing a limit on the request header size will catch certain
|
|
||||||
- bugs (for example with persistent connections) and possibly
|
|
||||||
- buffer-overflow or denial-of-service attacks.
|
|
||||||
+ This directives limits the header size of a received HTTP request
|
|
||||||
+ (including request-line). Increasing this limit beyond its 64 KB default
|
|
||||||
+ exposes certain old Squid code to various denial-of-service attacks. This
|
|
||||||
+ limit also applies to received FTP commands.
|
|
||||||
+
|
|
||||||
+ This limit has no direct affect on Squid memory consumption.
|
|
||||||
+
|
|
||||||
+ Squid does not check this limit when sending requests.
|
|
||||||
DOC_END
|
|
||||||
|
|
||||||
NAME: reply_header_max_size
|
|
||||||
@@ -6502,11 +6505,14 @@ TYPE: b_size_t
|
|
||||||
DEFAULT: 64 KB
|
|
||||||
LOC: Config.maxReplyHeaderSize
|
|
||||||
DOC_START
|
|
||||||
- This specifies the maximum size for HTTP headers in a reply.
|
|
||||||
- Reply headers are usually relatively small (about 512 bytes).
|
|
||||||
- Placing a limit on the reply header size will catch certain
|
|
||||||
- bugs (for example with persistent connections) and possibly
|
|
||||||
- buffer-overflow or denial-of-service attacks.
|
|
||||||
+ This directives limits the header size of a received HTTP response
|
|
||||||
+ (including status-line). Increasing this limit beyond its 64 KB default
|
|
||||||
+ exposes certain old Squid code to various denial-of-service attacks. This
|
|
||||||
+ limit also applies to FTP command responses.
|
|
||||||
+
|
|
||||||
+ Squid also checks this limit when loading hit responses from disk cache.
|
|
||||||
+
|
|
||||||
+ Squid does not check this limit when sending responses.
|
|
||||||
DOC_END
|
|
||||||
|
|
||||||
NAME: request_body_max_size
|
|
||||||
diff --git a/src/http.cc b/src/http.cc
|
|
||||||
index 7c9ae70..98e3969 100644
|
|
||||||
--- a/src/http.cc
|
|
||||||
+++ b/src/http.cc
|
|
||||||
@@ -1926,8 +1926,9 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request,
|
|
||||||
|
|
||||||
String strFwd = hdr_in->getList(Http::HdrType::X_FORWARDED_FOR);
|
|
||||||
|
|
||||||
- // if we cannot double strFwd size, then it grew past 50% of the limit
|
|
||||||
- if (!strFwd.canGrowBy(strFwd.size())) {
|
|
||||||
+ // Detect unreasonably long header values. And paranoidly check String
|
|
||||||
+ // limits: a String ought to accommodate two reasonable-length values.
|
|
||||||
+ if (strFwd.size() > 32*1024 || !strFwd.canGrowBy(strFwd.size())) {
|
|
||||||
// There is probably a forwarding loop with Via detection disabled.
|
|
||||||
// If we do nothing, String will assert on overflow soon.
|
|
||||||
// TODO: Terminate all transactions with huge XFF?
|
|
@ -1,13 +0,0 @@
|
|||||||
diff --git a/lib/libTrie/TrieNode.cc b/lib/libTrie/TrieNode.cc
|
|
||||||
index b379856..5d87279 100644
|
|
||||||
--- a/lib/libTrie/TrieNode.cc
|
|
||||||
+++ b/lib/libTrie/TrieNode.cc
|
|
||||||
@@ -32,7 +32,7 @@ TrieNode::add(char const *aString, size_t theLength, void *privatedata, TrieChar
|
|
||||||
/* We trust that privatedata and existant keys have already been checked */
|
|
||||||
|
|
||||||
if (theLength) {
|
|
||||||
- int index = transform ? (*transform)(*aString): *aString;
|
|
||||||
+ const unsigned char index = transform ? (*transform)(*aString): *aString;
|
|
||||||
|
|
||||||
if (!internal[index])
|
|
||||||
internal[index] = new TrieNode;
|
|
@ -1,25 +0,0 @@
|
|||||||
File: squid-5.5.tar.xz
|
|
||||||
Date: Wed 13 Apr 2022 08:45:42 UTC
|
|
||||||
Size: 2565732
|
|
||||||
MD5 : 83ccc2d86ca0966e3555a3b78f5afd14
|
|
||||||
SHA1: 42302bd9b8feff851a41420334cb8eaeab2806ab
|
|
||||||
Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz>
|
|
||||||
B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E
|
|
||||||
keyring = http://www.squid-cache.org/pgp.asc
|
|
||||||
keyserver = pool.sks-keyservers.net
|
|
||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAmJWjb4ACgkQzW2/jvOx
|
|
||||||
fT7t0A/9GjAdINfSP4gQyUr+Uvakz9O6fA9Jo3F30VafYimrSGm+VdGWntTsrOaP
|
|
||||||
VcsCdG3/Dvrhnqtu9+hwfKKQ61lmmUC7KVycx3whEUepQbZu5kd05csD7nwQ+AFe
|
|
||||||
7eJr0IwbRI4XdUhNW4AB52i/+hpHs/YSrSokumx5NVhwAUvT81TToUNzUjfKuXyy
|
|
||||||
U+w6GQ9kJbVW1UgFYZGZdJwCmD5Z7fNdUllKZhLj4I5GZ+5Zz5+lJP3ZBC6qavde
|
|
||||||
34hbpHbt+/lqz337eNoxwlyPNKPDiGIUEY9T4cdzA0BiLggTmlukDFErlYuHgCMX
|
|
||||||
BmQ9elJtdRaCD2YD+U1H9J+2wqt9O01gdyFU1V3RnNLZphgWur9X808rujuE46+Q
|
|
||||||
sxyV6SjeBh6Xs/I7wA9utX0pbVD+nLvna6Be49M1yAghBwTjiYN9fGC3ufj4St3k
|
|
||||||
PCvkTkBUOop3m4aBCRtUVO6w4Y/YmF71qAHIiSLe1i6xoztEDTVI0CA+vfrwwu2G
|
|
||||||
rFP5wuKsaYfBjkhQw4Jv6X30vnnOVqlxITGXcOnPXrHoD5KuYXv/Xsobqf8XsFdl
|
|
||||||
3qyXUe8lSI5idCg+Ajj9m0IqGWA50iFBs28Ca7GDacl9KApGn4O7kPLQY+7nN5cz
|
|
||||||
Nv3k8lYPh4KvRI1b2hcuoe3K63rEzty0e2vqG9zqxkpxOt20E/U=
|
|
||||||
=9xr/
|
|
||||||
-----END PGP SIGNATURE-----
|
|
@ -1,5 +1,9 @@
|
|||||||
# default squid options
|
# default squid options
|
||||||
SQUID_OPTS=""
|
SQUID_OPTS=""
|
||||||
|
|
||||||
|
# Time to wait for Squid to shut down when asked. Should not be necessary
|
||||||
|
# most of the time.
|
||||||
|
SQUID_SHUTDOWN_TIMEOUT=100
|
||||||
|
|
||||||
# default squid conf file
|
# default squid conf file
|
||||||
SQUID_CONF="/etc/squid/squid.conf"
|
SQUID_CONF="/etc/squid/squid.conf"
|
||||||
|
@ -1,2 +0,0 @@
|
|||||||
g squid 23 -
|
|
||||||
u squid 23 "Squid proxy user" /var/spool/squid /sbin/nologin
|
|
Loading…
Reference in new issue