diff -ruN squid-2.5.STABLE10-RC1/ChangeLog squid-2.5.STABLE10-RC2/ChangeLog
--- squid-2.5.STABLE10-RC1/ChangeLog Wed May 4 17:39:31 2005
+++ squid-2.5.STABLE10-RC2/ChangeLog Tue May 10 06:15:04 2005
@@ -57,6 +57,10 @@
it can administer.
- [Minor] aufs statistics improvements
- [Minor] SNMP bugfixes and support for SNMPv2(c) (Bug #1288, #1299)
+ - [Minor] ARP acl documentation and cachemgr config dump corrections
+ - [Minor] dstdomain/dstdom_regex acls now allow matching of numeric
+ hostnames in addition to the reverse lookup of the domain name.
+ - [Security] Internal DNS client hardened against spoofing
Changes to squid-2.5.STABLE9 (24 Feb 2005)
diff -ruN squid-2.5.STABLE10-RC1/RELEASENOTES.html squid-2.5.STABLE10-RC2/RELEASENOTES.html
--- squid-2.5.STABLE10-RC1/RELEASENOTES.html Wed May 4 17:42:09 2005
+++ squid-2.5.STABLE10-RC2/RELEASENOTES.html Tue May 10 17:21:00 2005
@@ -7,7 +7,7 @@
Squid 2.5 release notes
-Squid Developers
$Id: release-2.5.html,v 1.1.2.50 2005/05/04 23:40:50 hno Exp $
+Squid Developers
$Id: release-2.5.html,v 1.1.2.51 2005/05/10 12:15:04 hno Exp $
This document contains the release notes for version 2.5 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
@@ -403,11 +403,14 @@
cachemgr.cgi now uses a configuration controlling which servers
may be managed. This to prevent abuse of the program. See >prefix</etc/cachemgr.conf
for details. The configuration is read first from the current directory
-(normally where you installed cachemgr.cgi) and if not found there from
+(normally where you installed cachemgr.cgi) and if not found there from
+The internal DNS client has been hardened against spoofing of DNS
+responses.
>prefix</etc/cachemgr.conf
. If neither is found only access
to localhost and the full server name is provided, or the cachemgr default
host if specified to configure.
-SNMPv2 support fixed
+The SNMP agent now supports the use of SNMPv2, and has a few
+other related minor bugfixes.
a number of other minor and cosmetic bugfixes. See the list of
squid-2.5.STABLE9 patches and the
ChangeLog file for details.
diff -ruN squid-2.5.STABLE10-RC1/configure squid-2.5.STABLE10-RC2/configure
--- squid-2.5.STABLE10-RC1/configure Wed May 4 17:41:59 2005
+++ squid-2.5.STABLE10-RC2/configure Tue May 10 17:20:49 2005
@@ -1022,7 +1022,7 @@
# Define the identity of the package.
PACKAGE=squid
-VERSION=2.5.STABLE10-RC1
+VERSION=2.5.STABLE10-RC2
cat >> confdefs.h <&6
echo "configure:1079: checking whether to enable maintainer-specific portions of Makefiles" >&5
# Check whether --enable-maintainer-mode or --disable-maintainer-mode was given.
diff -ruN squid-2.5.STABLE10-RC1/configure.in squid-2.5.STABLE10-RC2/configure.in
--- squid-2.5.STABLE10-RC1/configure.in Wed May 4 17:41:59 2005
+++ squid-2.5.STABLE10-RC2/configure.in Tue May 10 17:20:49 2005
@@ -3,15 +3,15 @@
dnl
dnl Duane Wessels, wessels@nlanr.net, February 1996 (autoconf v2.9)
dnl
-dnl $Id: configure.in,v 1.251.2.89 2005/05/04 23:39:31 hno Exp $
+dnl $Id: configure.in,v 1.251.2.90 2005/05/10 23:14:48 hno Exp $
dnl
dnl
dnl
AC_INIT(src/main.c)
AC_CONFIG_AUX_DIR(cfgaux)
-AM_INIT_AUTOMAKE(squid, 2.5.STABLE10-RC1)
+AM_INIT_AUTOMAKE(squid, 2.5.STABLE10-RC2)
AM_CONFIG_HEADER(include/autoconf.h)
-AC_REVISION($Revision: 1.251.2.89 $)dnl
+AC_REVISION($Revision: 1.251.2.90 $)dnl
AC_PREFIX_DEFAULT(/usr/local/squid)
AM_MAINTAINER_MODE
diff -ruN squid-2.5.STABLE10-RC1/doc/Makefile.am squid-2.5.STABLE10-RC2/doc/Makefile.am
--- squid-2.5.STABLE10-RC1/doc/Makefile.am Mon Apr 25 22:04:30 2005
+++ squid-2.5.STABLE10-RC2/doc/Makefile.am Sun May 8 19:35:59 2005
@@ -1,7 +1,7 @@
#
# Makefile for the Squid Object Cache server
#
-# $Id: Makefile.am,v 1.1.2.5 2005/04/26 04:04:30 hno Exp $
+# $Id: Makefile.am,v 1.1.2.7 2005/05/09 01:35:59 hno Exp $
#
# Uncomment and customize the following to suit your needs:
#
@@ -18,11 +18,11 @@
s%@DEFAULT_MIME_TABLE@%$(DEFAULT_MIME_TABLE)%g;\
"
-squid.8: squid.8.in Makefile
- $(SUBSTITUTE) < $< > $@
+squid.8: $(srcdir)/squid.8.in Makefile
+ $(SUBSTITUTE) < $(srcdir)/squid.8.in > $@
-cachemgr.cgi.8: cachemgr.cgi.8.in Makefile
- $(SUBSTITUTE) < $< > $@
+cachemgr.cgi.8: $(srcdir)/cachemgr.cgi.8.in Makefile
+ $(SUBSTITUTE) < $(srcdir)/cachemgr.cgi.8.in > $@
man_MANS = \
squid.8 \
diff -ruN squid-2.5.STABLE10-RC1/doc/Makefile.in squid-2.5.STABLE10-RC2/doc/Makefile.in
--- squid-2.5.STABLE10-RC1/doc/Makefile.in Mon Apr 25 22:04:30 2005
+++ squid-2.5.STABLE10-RC2/doc/Makefile.in Sun May 8 19:35:59 2005
@@ -16,7 +16,7 @@
#
# Makefile for the Squid Object Cache server
#
-# $Id: Makefile.in,v 1.1.2.15 2005/04/26 04:04:30 hno Exp $
+# $Id: Makefile.in,v 1.1.2.17 2005/05/09 01:35:59 hno Exp $
#
# Uncomment and customize the following to suit your needs:
#
@@ -314,11 +314,11 @@
uninstall-info-am uninstall-man uninstall-man8
-squid.8: squid.8.in Makefile
- $(SUBSTITUTE) < $< > $@
+squid.8: $(srcdir)/squid.8.in Makefile
+ $(SUBSTITUTE) < $(srcdir)/squid.8.in > $@
-cachemgr.cgi.8: cachemgr.cgi.8.in Makefile
- $(SUBSTITUTE) < $< > $@
+cachemgr.cgi.8: $(srcdir)/cachemgr.cgi.8.in Makefile
+ $(SUBSTITUTE) < $(srcdir)/cachemgr.cgi.8.in > $@
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff -ruN squid-2.5.STABLE10-RC1/include/rfc1035.h squid-2.5.STABLE10-RC2/include/rfc1035.h
--- squid-2.5.STABLE10-RC1/include/rfc1035.h Wed Dec 17 18:04:22 2003
+++ squid-2.5.STABLE10-RC2/include/rfc1035.h Tue May 10 05:48:20 2005
@@ -1,5 +1,5 @@
/*
- * $Id: rfc1035.h,v 1.6.2.1 2003/12/18 01:04:22 robertc Exp $
+ * $Id: rfc1035.h,v 1.6.2.2 2005/05/10 11:48:20 hno Exp $
*
* AUTHOR: Duane Wessels
*
@@ -56,18 +56,46 @@
unsigned short rdlength;
char *rdata;
};
-extern unsigned short rfc1035BuildAQuery(const char *hostname,
+typedef struct _rfc1035_query rfc1035_query;
+struct _rfc1035_query {
+ char name[RFC1035_MAXHOSTNAMESZ];
+ unsigned short qtype;
+ unsigned short qclass;
+};
+typedef struct _rfc1035_message rfc1035_message;
+struct _rfc1035_message {
+ unsigned short id;
+ unsigned int qr:1;
+ unsigned int opcode:4;
+ unsigned int aa:1;
+ unsigned int tc:1;
+ unsigned int rd:1;
+ unsigned int ra:1;
+ unsigned int rcode:4;
+ unsigned short qdcount;
+ unsigned short ancount;
+ unsigned short nscount;
+ unsigned short arcount;
+ rfc1035_query *query;
+ rfc1035_rr *answer;
+};
+
+extern ssize_t rfc1035BuildAQuery(const char *hostname,
char *buf,
- size_t * szp);
-extern unsigned short rfc1035BuildPTRQuery(const struct in_addr,
+ size_t sz,
+ unsigned short qid,
+ rfc1035_query * query);
+extern ssize_t rfc1035BuildPTRQuery(const struct in_addr,
char *buf,
- size_t * szp);
-extern unsigned short rfc1035RetryQuery(char *);
-extern int rfc1035AnswersUnpack(const char *buf,
size_t sz,
- rfc1035_rr ** records,
- unsigned short *id);
-extern void rfc1035RRDestroy(rfc1035_rr * rr, int n);
+ unsigned short qid,
+ rfc1035_query * query);
+extern void rfc1035SetQueryID(char *, unsigned short qid);
+extern int rfc1035MessageUnpack(const char *buf,
+ size_t sz,
+ rfc1035_message ** answer);
+extern int rfc1035QueryCompare(const rfc1035_query *, const rfc1035_query *);
+extern void rfc1035MessageDestroy(rfc1035_message * message);
extern int rfc1035_errno;
extern const char *rfc1035_error_message;
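Review bot: The new prototypes leave ownership of `*answer` and the role of the `query` out-parameter undocumented, which matters now that `rfc1035MessageUnpack` hands back heap memory. Add a comment above `rfc1035MessageUnpack` stating that on success `*answer` points to an allocated `rfc1035_message` the caller must release with `rfc1035MessageDestroy`, and that on error it is either left untouched or reset to NULL, so callers must initialise it to NULL before the call (as idnsGrokReply does); above the two builders note that `query` may be NULL and otherwise receives the question as sent, for checking the reply with `rfc1035QueryCompare`. The switch to an `ssize_t` return type also makes this header depend on `<sys/types.h>`; the include list is outside this hunk, so confirm it is pulled in before these declarations.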
diff -ruN squid-2.5.STABLE10-RC1/include/version.h squid-2.5.STABLE10-RC2/include/version.h
--- squid-2.5.STABLE10-RC1/include/version.h Wed May 4 17:41:59 2005
+++ squid-2.5.STABLE10-RC2/include/version.h Tue May 10 17:20:49 2005
@@ -9,5 +9,5 @@
*/
#ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1115250116
+#define SQUID_RELEASE_TIME 1115767245
#endif
diff -ruN squid-2.5.STABLE10-RC1/lib/rfc1035.c squid-2.5.STABLE10-RC2/lib/rfc1035.c
--- squid-2.5.STABLE10-RC1/lib/rfc1035.c Fri Mar 25 19:50:50 2005
+++ squid-2.5.STABLE10-RC2/lib/rfc1035.c Tue May 10 05:48:21 2005
@@ -1,6 +1,6 @@
/*
- * $Id: rfc1035.c,v 1.22.2.8 2005/03/26 02:50:50 hno Exp $
+ * $Id: rfc1035.c,v 1.22.2.9 2005/05/10 11:48:21 hno Exp $
*
* Low level DNS protocol routines
* AUTHOR: Duane Wessels
@@ -40,6 +40,7 @@
*/
#include "config.h"
+#include "util.h"
#if HAVE_STDIO_H
#include
@@ -82,30 +83,9 @@
#endif
-typedef struct _rfc1035_header rfc1035_header;
int rfc1035_errno;
const char *rfc1035_error_message;
-struct _rfc1035_header {
- unsigned short id;
- unsigned int qr:1;
- unsigned int opcode:4;
- unsigned int aa:1;
- unsigned int tc:1;
- unsigned int rd:1;
- unsigned int ra:1;
- unsigned int rcode:4;
- unsigned short qdcount;
- unsigned short ancount;
- unsigned short nscount;
- unsigned short arcount;
-};
-
-static const char *Alphanum =
-"abcdefghijklmnopqrstuvwxyz"
-"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
-"0123456789";
-
/*
* rfc1035HeaderPack()
@@ -114,7 +94,7 @@
* Returns number of octets packed (should always be 12)
*/
static int
-rfc1035HeaderPack(char *buf, size_t sz, rfc1035_header * hdr)
+rfc1035HeaderPack(char *buf, size_t sz, rfc1035_message * hdr)
{
int off = 0;
unsigned short s;
@@ -187,14 +167,14 @@
rfc1035NamePack(char *buf, size_t sz, const char *name)
{
int off = 0;
- char *copy = strdup(name);
+ char *copy = xstrdup(name);
char *t;
/*
* NOTE: use of strtok here makes names like foo....com valid.
*/
for (t = strtok(copy, "."); t; t = strtok(NULL, "."))
off += rfc1035LabelPack(buf + off, sz - off, t);
- free(copy);
+ xfree(copy);
off += rfc1035LabelPack(buf + off, sz - off, NULL);
assert(off <= sz);
return off;
@@ -229,8 +209,8 @@
/*
* rfc1035HeaderUnpack()
*
- * Unpacks a RFC1035 message header buffer into a rfc1035_header
- * structure.
+ * Unpacks a RFC1035 message header buffer into the header fields
+ * of the rfc1035_message structure.
*
* Updates the buffer offset, which is the same as number of
* octects unpacked since the header starts at offset 0.
@@ -238,7 +218,7 @@
* Returns 0 (success) or 1 (error)
*/
static int
-rfc1035HeaderUnpack(const char *buf, size_t sz, int *off, rfc1035_header * h)
+rfc1035HeaderUnpack(const char *buf, size_t sz, int *off, rfc1035_message * h)
{
unsigned short s;
unsigned short t;
@@ -411,26 +391,26 @@
RR->rdlength = rdlength;
switch (RR->type) {
case RFC1035_TYPE_PTR:
- RR->rdata = malloc(RFC1035_MAXHOSTNAMESZ);
+ RR->rdata = xmalloc(RFC1035_MAXHOSTNAMESZ);
rdata_off = *off;
RR->rdlength = 0; /* Filled in by rfc1035NameUnpack */
if (rfc1035NameUnpack(buf, sz, &rdata_off, &RR->rdlength, RR->rdata, RFC1035_MAXHOSTNAMESZ, 0))
return 1;
- if (rdata_off != ((*off) + rdlength)) {
+ if (rdata_off > ((*off) + rdlength)) {
/*
* This probably doesn't happen for valid packets, but
* I want to make sure that NameUnpack doesn't go beyond
* the RDATA area.
*/
RFC1035_UNPACK_DEBUG;
- free(RR->rdata);
+ xfree(RR->rdata);
memset(RR, '\0', sizeof(*RR));
return 1;
}
break;
case RFC1035_TYPE_A:
default:
- RR->rdata = malloc(rdlength);
+ RR->rdata = xmalloc(rdlength);
memcpy(RR->rdata, buf + (*off), rdlength);
break;
}
@@ -439,15 +419,6 @@
return 0;
}
-static unsigned short
-rfc1035Qid(void)
-{
- static unsigned short qid = 0x0001;
- if (++qid == 0xFFFF)
- qid = 0x0001;
- return qid;
-}
-
static void
rfc1035SetErrno(int n)
{
@@ -485,7 +456,7 @@
}
}
-void
+static void
rfc1035RRDestroy(rfc1035_rr * rr, int n)
{
if (rr == NULL)
@@ -493,13 +464,74 @@
assert(n > 0);
while (n--) {
if (rr[n].rdata)
- free(rr[n].rdata);
+ xfree(rr[n].rdata);
}
- free(rr);
+ xfree(rr);
+}
+
+/*
+ * rfc1035QueryUnpack()
+ *
+ * Unpacks a RFC1035 Query Record into 'query' from a message buffer.
+ *
+ * Updates the new message buffer offset.
+ *
+ * Returns 0 (success) or 1 (error)
+ */
+static int
+rfc1035QueryUnpack(const char *buf, size_t sz, int *off, rfc1035_query * query)
+{
+ unsigned short s;
+ if (rfc1035NameUnpack(buf, sz, off, NULL, query->name, RFC1035_MAXHOSTNAMESZ, 0)) {
+ RFC1035_UNPACK_DEBUG;
+ memset(query, '\0', sizeof(*query));
+ return 1;
+ }
+ if (*off + 4 > sz) {
+ RFC1035_UNPACK_DEBUG;
+ memset(query, '\0', sizeof(*query));
+ return 1;
+ }
+ memcpy(&s, buf + *off, 2);
+ *off += 2;
+ query->qtype = ntohs(s);
+ memcpy(&s, buf + *off, 2);
+ *off += 2;
+ query->qclass = ntohs(s);
+ return 0;
+}
+
+void
+rfc1035MessageDestroy(rfc1035_message * msg)
+{
+ if (!msg)
+ return;
+ if (msg->query)
+ xfree(msg->query);
+ if (msg->answer)
+ rfc1035RRDestroy(msg->answer, msg->ancount);
+ xfree(msg);
}
/*
- * rfc1035AnswersUnpack()
+ * rfc1035QueryCompare()
+ *
+ * Compares two rfc1035_query entries
+ *
+ * Returns 0 (equal) or !=0 (different)
+ */
+int
+rfc1035QueryCompare(const rfc1035_query * a, const rfc1035_query * b)
+{
+ if (a->qtype != b->qtype)
+ return 1;
+ if (a->qclass != b->qclass)
+ return 1;
+ return strcmp(a->name, b->name);
+}
+
+/*
+ * rfc1035MessageUnpack()
*
* Takes the contents of a DNS reply and fills in an array
* of resource record structures. The records array is allocated
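Review bot: `rfc1035QueryCompare` compares names with `strcmp`, but the name on the query side is copied verbatim from the caller's hostname (`xstrncpy(query->name, hostname, sizeof(query->name))` in rfc1035BuildAQuery) while the name on the reply side is rebuilt from the wire by rfc1035NameUnpack, which is outside this hunk. A hostname with a trailing dot (`www.example.com.`, legal in a URL) packs to the same labels as `www.example.com` because rfc1035NamePack tokenises on `.`, so the reply's question almost certainly comes back without the dot and every answer for such a name is discarded as a query mismatch in idnsGrokReply until the lookup times out; a server that echoes the question in a different case (names compare case-insensitively under RFC 1035 section 2.3.3) would be rejected the same way. Either store the name in the form actually packed, or make the compare tolerant: ignore one trailing dot on each side and compare case-insensitively, which still rejects any answer for a different name.
```c
int
rfc1035QueryCompare(const rfc1035_query * a, const rfc1035_query * b)
{
    size_t la, lb;
    if (a->qtype != b->qtype)
        return 1;
    if (a->qclass != b->qclass)
        return 1;
    /*
     * DNS names compare case-insensitively, and a single trailing
     * dot is not part of the wire-format name (see rfc1035NamePack).
     */
    la = strlen(a->name);
    lb = strlen(b->name);
    if (la > 0 && a->name[la - 1] == '.')
        la--;
    if (lb > 0 && b->name[lb - 1] == '.')
        lb--;
    if (la != lb)
        return 1;
    return strncasecmp(a->name, b->name, la);
}
```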
@@ -510,60 +542,53 @@
*/
int
-rfc1035AnswersUnpack(const char *buf,
+rfc1035MessageUnpack(const char *buf,
size_t sz,
- rfc1035_rr ** records,
- unsigned short *id)
+ rfc1035_message ** answer)
{
int off = 0;
- int l;
int i;
int nr = 0;
- rfc1035_header hdr;
+ rfc1035_message *msg;
rfc1035_rr *recs;
- memset(&hdr, '\0', sizeof(hdr));
- if (rfc1035HeaderUnpack(buf + off, sz - off, &off, &hdr)) {
+ rfc1035_query *querys;
+ msg = xcalloc(1, sizeof(*msg));
+ if (rfc1035HeaderUnpack(buf + off, sz - off, &off, msg)) {
RFC1035_UNPACK_DEBUG;
rfc1035SetErrno(rfc1035_unpack_error);
+ xfree(msg);
return -rfc1035_unpack_error;
}
- *id = hdr.id;
rfc1035_errno = 0;
rfc1035_error_message = NULL;
- if (hdr.rcode) {
+ if (msg->rcode) {
RFC1035_UNPACK_DEBUG;
- rfc1035SetErrno((int) hdr.rcode);
+ rfc1035SetErrno((int) msg->rcode);
+ xfree(msg);
return -rfc1035_errno;
}
- i = (int) hdr.qdcount;
- /* skip question */
- while (i--) {
- do {
- l = (int) (unsigned char) *(buf + off);
- off++;
- if (l > 191) { /* compression */
- off++;
- break;
- } else if (l > RFC1035_MAXLABELSZ) {
- /* illegal combination of compression bits */
- RFC1035_UNPACK_DEBUG;
- rfc1035SetErrno(rfc1035_unpack_error);
- return -rfc1035_unpack_error;
- } else {
- off += l;
- }
- } while (l > 0); /* a zero-length label terminates */
- off += 4; /* qtype, qclass */
- if (off > sz) {
+ i = (int) msg->qdcount;
+ if (i != 1) {
+ /* This can not be an answer to our queries.. */
+ RFC1035_UNPACK_DEBUG;
+ rfc1035SetErrno(rfc1035_unpack_error);
+ xfree(msg);
+ return -rfc1035_unpack_error;
+ }
+ querys = msg->query = xcalloc((int) msg->qdcount, sizeof(*querys));
+ for (i = 0; i < (int) msg->qdcount; i++) {
+ if (rfc1035QueryUnpack(buf, sz, &off, &querys[i])) {
RFC1035_UNPACK_DEBUG;
rfc1035SetErrno(rfc1035_unpack_error);
+ rfc1035MessageDestroy(msg);
return -rfc1035_unpack_error;
}
}
- if (hdr.ancount == 0)
+ *answer = msg;
+ if (msg->ancount == 0)
return 0;
- recs = calloc((int) hdr.ancount, sizeof(*recs));
- for (i = 0; i < (int) hdr.ancount; i++) {
+ recs = msg->answer = xcalloc((int) msg->ancount, sizeof(*recs));
+ for (i = 0; i < (int) msg->ancount; i++) {
if (off >= sz) { /* corrupt packet */
RFC1035_UNPACK_DEBUG;
break;
@@ -579,11 +604,11 @@
* we expected to unpack some answers (ancount != 0), but
* didn't actually get any.
*/
- free(recs);
+ rfc1035MessageDestroy(msg);
+ *answer = NULL;
rfc1035SetErrno(rfc1035_unpack_error);
return -rfc1035_unpack_error;
}
- *records = recs;
return nr;
}
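Review bot: The `msg->rcode` check frees the message and returns before `*answer = msg`, so a legitimate NXDOMAIN or SERVFAIL reply reaches the caller with no message at all — the id and question that would let idnsGrokReply (src/dns_internal.c, later in this patch) match it to the pending query are gone. There the `message == NULL` test logs it as a malformed response and returns, the query is neither completed nor retried, and the `n < 0` / `rcode == 2` retry branch becomes unreachable, since a message is now only handed back when the return value is non-negative. Move the rcode test after the question section has been unpacked and `*answer` has been set, keeping the negative return so the caller still sees the error; the `didn't actually get any` path at the end also NULLs `*answer` and deserves the same consideration. The comment header above (`fills in an array of resource record structures…`) still describes the old rfc1035AnswersUnpack contract and should say the caller receives an `rfc1035_message` to release with `rfc1035MessageDestroy`.
```c
    /* … unchanged: header unpack, qdcount check, question unpack loop … */
    *answer = msg;
    if (msg->rcode) {
        /*
         * An error reply still identifies the query (id and question);
         * hand it back so the caller can match and complete the lookup.
         */
        RFC1035_UNPACK_DEBUG;
        rfc1035SetErrno((int) msg->rcode);
        return -rfc1035_errno;
    }
    if (msg->ancount == 0)
        return 0;
    /* … unchanged: answer unpack loop … */
```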
@@ -595,21 +620,15 @@
* probably be at least 512 octets. The 'szp' initially
* specifies the size of the buffer, on return it contains
* the size of the message (i.e. how much to write).
- * Return value is the query ID.
+ * Returns the size of the query
*/
-unsigned short
-rfc1035BuildAQuery(const char *hostname, char *buf, size_t * szp)
+ssize_t
+rfc1035BuildAQuery(const char *hostname, char *buf, size_t sz, unsigned short qid, rfc1035_query * query)
{
- static rfc1035_header h;
+ static rfc1035_message h;
size_t offset = 0;
- size_t sz = *szp;
memset(&h, '\0', sizeof(h));
- /* the first char of hostname must be alphanmeric */
- if (NULL == strchr(Alphanum, *hostname)) {
- rfc1035SetErrno(3);
- return 0;
- }
- h.id = rfc1035Qid();
+ h.id = qid;
h.qr = 0;
h.rd = 1;
h.opcode = 0; /* QUERY */
@@ -620,9 +639,13 @@
hostname,
RFC1035_TYPE_A,
RFC1035_CLASS_IN);
+ if (query) {
+ query->qtype = RFC1035_TYPE_A;
+ query->qclass = RFC1035_CLASS_IN;
+ xstrncpy(query->name, hostname, sizeof(query->name));
+ }
assert(offset <= sz);
- *szp = (size_t) offset;
- return h.id;
+ return offset;
}
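Review bot: The comment above rfc1035BuildAQuery still says `The 'szp' initially specifies the size of the buffer, on return it contains the size of the message`, but `szp` is gone: the buffer size is now the `sz` argument and the size of the packed query is the return value. Rewrite it to document `sz`, `qid` (used verbatim as the message id, no longer generated here) and `query` (may be NULL; otherwise receives qtype, qclass and name for later matching with rfc1035QueryCompare); the same stale paragraph sits above rfc1035BuildPTRQuery in the next hunk. Although the return type is now `ssize_t` and the callers in src/dns_internal.c test for `< 0`, nothing visible here returns a negative value — an oversized name reaches `assert(offset <= sz)` instead — so either state that in the comment or return -1 when the query does not fit in `sz`.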
/*
@@ -633,14 +656,13 @@
* probably be at least 512 octets. The 'szp' initially
* specifies the size of the buffer, on return it contains
* the size of the message (i.e. how much to write).
- * Return value is the query ID.
+ * Returns the size of the query
*/
-unsigned short
-rfc1035BuildPTRQuery(const struct in_addr addr, char *buf, size_t * szp)
+ssize_t
+rfc1035BuildPTRQuery(const struct in_addr addr, char *buf, size_t sz, unsigned short qid, rfc1035_query * query)
{
- static rfc1035_header h;
+ static rfc1035_message h;
size_t offset = 0;
- size_t sz = *szp;
static char rev[32];
unsigned int i;
memset(&h, '\0', sizeof(h));
@@ -650,7 +672,7 @@
(i >> 8) & 255,
(i >> 16) & 255,
(i >> 24) & 255);
- h.id = rfc1035Qid();
+ h.id = qid;
h.qr = 0;
h.rd = 1;
h.opcode = 0; /* QUERY */
@@ -661,9 +683,13 @@
rev,
RFC1035_TYPE_PTR,
RFC1035_CLASS_IN);
+ if (query) {
+ query->qtype = RFC1035_TYPE_PTR;
+ query->qclass = RFC1035_CLASS_IN;
+ xstrncpy(query->name, rev, sizeof(query->name));
+ }
assert(offset <= sz);
- *szp = offset;
- return h.id;
+ return offset;
}
/*
@@ -671,13 +697,11 @@
* just need a new ID for it. Lucky for us ID
* is the first field in the message buffer.
*/
-unsigned short
-rfc1035RetryQuery(char *buf)
+void
+rfc1035SetQueryID(char *buf, unsigned short qid)
{
- unsigned short qid = rfc1035Qid();
unsigned short s = htons(qid);
memcpy(buf, &s, sizeof(s));
- return qid;
}
#if DRIVER
diff -ruN squid-2.5.STABLE10-RC1/src/HttpHeader.c squid-2.5.STABLE10-RC2/src/HttpHeader.c
--- squid-2.5.STABLE10-RC1/src/HttpHeader.c Fri Mar 25 19:50:50 2005
+++ squid-2.5.STABLE10-RC2/src/HttpHeader.c Fri May 6 15:32:09 2005
@@ -1,6 +1,6 @@
/*
- * $Id: HttpHeader.c,v 1.74.2.27 2005/03/26 02:50:50 hno Exp $
+ * $Id: HttpHeader.c,v 1.74.2.28 2005/05/06 21:32:09 wessels Exp $
*
* DEBUG: section 55 HTTP Header
* AUTHOR: Alex Rousskov
@@ -1145,8 +1145,8 @@
/* do we have a valid field name within this field? */
if (!name_len || name_end > field_end)
return NULL;
- if (name_len > 65536) {
- /* String has a 64K limit */
+ if (name_len > 65534) {
+ /* String must be LESS THAN 64K and it adds a terminating NULL */
debug(55, 1) ("WARNING: ignoring header name of %d bytes\n", name_len);
return NULL;
}
@@ -1177,8 +1177,8 @@
value_start++;
while (value_start < field_end && xisspace(field_end[-1]))
field_end--;
- if (field_end - value_start > 65536) {
- /* String has a 64K limit */
+ if (field_end - value_start > 65534) {
+ /* String must be LESS THAN 64K and it adds a terminating NULL */
debug(55, 1) ("WARNING: ignoring '%s' header of %d bytes\n",
strBuf(e->name), (int) (field_end - value_start));
if (e->id == HDR_OTHER)
diff -ruN squid-2.5.STABLE10-RC1/src/acl.c squid-2.5.STABLE10-RC2/src/acl.c
--- squid-2.5.STABLE10-RC1/src/acl.c Wed Mar 30 15:46:41 2005
+++ squid-2.5.STABLE10-RC2/src/acl.c Sun May 8 19:48:09 2005
@@ -1,6 +1,6 @@
/*
- * $Id: acl.c,v 1.270.2.36 2005/03/30 22:46:41 hno Exp $
+ * $Id: acl.c,v 1.270.2.38 2005/05/09 01:48:09 hno Exp $
*
* DEBUG: section 28 Access Control
* AUTHOR: Duane Wessels
@@ -1623,8 +1623,10 @@
}
/* NOTREACHED */
case ACL_DST_DOMAIN:
+ if (aclMatchDomainList(&ae->data, r->host))
+ return 1;
if ((ia = ipcacheCheckNumeric(r->host)) == NULL)
- return aclMatchDomainList(&ae->data, r->host);
+ return 0;
fqdn = fqdncache_gethostbyaddr(ia->in_addrs[0], FQDN_LOOKUP_IF_MISS);
if (fqdn)
return aclMatchDomainList(&ae->data, fqdn);
@@ -1649,8 +1651,10 @@
return aclMatchDomainList(&ae->data, "none");
/* NOTREACHED */
case ACL_DST_DOM_REGEX:
+ if (aclMatchRegex(ae->data, r->host))
+ return 1;
if ((ia = ipcacheCheckNumeric(r->host)) == NULL)
- return aclMatchRegex(ae->data, r->host);
+ return 0;
fqdn = fqdncache_gethostbyaddr(ia->in_addrs[0], FQDN_LOOKUP_IF_MISS);
if (fqdn)
return aclMatchRegex(ae->data, fqdn);
@@ -3056,10 +3060,9 @@
for (next = buf; next < lim; next += rtm->rtm_msglen) {
rtm = (struct rt_msghdr *) next;
sin = (struct sockaddr_inarp *) (rtm + 1);
- /*sdl = (struct sockaddr_dl *) (sin + 1); */
#define ROUNDUP(a) \
((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
- (char *) sdl = (char *) sin + ROUNDUP(sin->sin_len);
+ sdl = (struct sockaddr_dl *) ((char *) sin + ROUNDUP(sin->sin_len));
if (c.s_addr == sin->sin_addr.s_addr) {
if (sdl->sdl_alen) {
arpReq.arp_ha.sa_len = sizeof(struct sockaddr);
@@ -3198,8 +3201,9 @@
while (*W != NULL)
W = &(*W)->next;
snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x",
- arp->eth[0], arp->eth[1], arp->eth[2], arp->eth[3],
- arp->eth[4], arp->eth[5]);
+ arp->eth[0] & 0xff, arp->eth[1] & 0xff,
+ arp->eth[2] & 0xff, arp->eth[3] & 0xff,
+ arp->eth[4] & 0xff, arp->eth[5] & 0xff);
wordlistAdd(state, buf);
}
diff -ruN squid-2.5.STABLE10-RC1/src/cache_cf.c squid-2.5.STABLE10-RC2/src/cache_cf.c
--- squid-2.5.STABLE10-RC1/src/cache_cf.c Thu Apr 21 04:18:46 2005
+++ squid-2.5.STABLE10-RC2/src/cache_cf.c Fri May 6 16:33:53 2005
@@ -1,6 +1,6 @@
/*
- * $Id: cache_cf.c,v 1.396.2.25 2005/04/21 10:18:46 hno Exp $
+ * $Id: cache_cf.c,v 1.396.2.26 2005/05/06 22:33:53 wessels Exp $
*
* DEBUG: section 3 Configuration File Parsing
* AUTHOR: Harvest Derived
@@ -2490,6 +2490,8 @@
s->key = xstrdup(token + 4);
} else if (strncmp(token, "version=", 8) == 0) {
s->version = atoi(token + 8);
+ if (s->version < 1 || s->version > 4)
+ self_destruct();
} else if (strncmp(token, "options=", 8) == 0) {
safe_free(s->options);
s->options = xstrdup(token + 8);
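Review bot: `atoi(token + 8)` returns 0 for entirely non-numeric text, which the new range check rejects, but it silently accepts trailing junk such as `version=2x`. Parsing with `strtol` and checking the end pointer, `char *end; long v = strtol(token + 8, &end, 10); if (end == token + 8 || *end != '\0' || v < 1 || v > 4) self_destruct();`, then assigning `v` to `s->version`, makes the validation complete. The enclosing function starts and ends outside the hunk.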
diff -ruN squid-2.5.STABLE10-RC1/src/cf.data.pre squid-2.5.STABLE10-RC2/src/cf.data.pre
--- squid-2.5.STABLE10-RC1/src/cf.data.pre Fri Apr 22 14:29:29 2005
+++ squid-2.5.STABLE10-RC2/src/cf.data.pre Tue May 10 17:08:40 2005
@@ -1,6 +1,6 @@
#
-# $Id: cf.data.pre,v 1.245.2.91 2005/04/22 20:29:29 hno Exp $
+# $Id: cf.data.pre,v 1.245.2.94 2005/05/10 23:08:40 hno Exp $
#
#
# SQUID Web Proxy Cache http://www.squid-cache.org/
@@ -2010,13 +2010,22 @@
acl aclname dst ip-address/netmask ... (URL host's IP address)
acl aclname myip ip-address/netmask ... (local socket IP address)
+ acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
+ # The arp ACL requires the special configure option --enable-arp-acl.
+ # Furthermore, the arp ACL code is not portable to all operating systems.
+ # It works on Linux, Solaris, FreeBSD and some other *BSD variants.
+ #
+ # NOTE: Squid can only determine the MAC address for clients that are on
+ # the same subnet. If the client is on a different subnet, then Squid cannot
+ # find out its MAC address.
+
acl aclname srcdomain .foo.com ... # reverse lookup, client IP
acl aclname dstdomain .foo.com ... # Destination server from URL
acl aclname srcdom_regex [-i] xxx ... # regex matching client name
acl aclname dstdom_regex [-i] xxx ... # regex matching server
# For dstdomain and dstdom_regex a reverse lookup is tried if a IP
- # based URL is used. The name "none" is used if the reverse lookup
- # fails.
+ # based URL is used and no match is found. The name "none" is used
+ # if the reverse lookup fails.
acl aclname time [day-abbrevs] [h1:m1-h2:m2]
day-abbrevs:
@@ -2126,6 +2135,7 @@
# external_acl_type directive.
Examples:
+acl macaddress arp 09:00:2b:23:45:67
acl myexample dst_as 1241
acl password proxy_auth REQUIRED
acl fileupload req_mime_type -i ^multipart/form-data$
@@ -3070,8 +3080,9 @@
Usage: always_direct allow|deny [!]aclname ...
Here you can use ACL elements to specify requests which should
- ALWAYS be forwarded directly to origin servers. For example,
- to always directly forward requests for local servers use
+ ALWAYS be forwarded by Squid to the origin servers without using
+ any peers. For example, to always directly forward requests for
+ local servers ignoring any parents or siblings you may have use
something like:
acl local-servers dstdomain my.domain.net
@@ -3092,6 +3103,15 @@
acl local-servers dstdomain .foo.net
always_direct deny local-external
always_direct allow local-servers
+
+ NOTE: If your goal is to make the client forward the request
+ directly to the origin server bypassing Squid then this needs
+ to be done in the client configuration. Squid configuration
+ can only tell Squid how Squid should fetch the object.
+
+ NOTE: This directive is not related to caching. The replies
+ is cached as usual even if you use always_direct. To not cache
+ the replies see no_cache.
This option replaces some v1.1 options such as local_domain
and local_ip.
diff -ruN squid-2.5.STABLE10-RC1/src/dns_internal.c squid-2.5.STABLE10-RC2/src/dns_internal.c
--- squid-2.5.STABLE10-RC1/src/dns_internal.c Mon Mar 7 06:31:35 2005
+++ squid-2.5.STABLE10-RC2/src/dns_internal.c Tue May 10 10:06:56 2005
@@ -1,6 +1,6 @@
/*
- * $Id: dns_internal.c,v 1.45.2.6 2005/03/07 13:31:35 hno Exp $
+ * $Id: dns_internal.c,v 1.45.2.8 2005/05/10 16:06:56 wessels Exp $
*
* DEBUG: section 78 DNS lookups; interacts with lib/rfc1035.c
* AUTHOR: Duane Wessels
@@ -55,7 +55,7 @@
struct _idns_query {
hash_link hash;
- char query[RFC1035_MAXHOSTNAMESZ + 1];
+ rfc1035_query query;
char buf[512];
size_t sz;
unsigned short id;
@@ -442,6 +442,23 @@
return NULL;
}
+static unsigned short
+idnsQueryID(void)
+{
+ unsigned short id = squid_random() & 0xFFFF;
+ unsigned short first_id = id;
+
+ while (idnsFindQuery(id)) {
+ id++;
+
+ if (id == first_id)
+ break;
+ }
+
+ return squid_random() & 0xFFFF;
+}
+
+
static void
idnsCallback(idns_query * q, rfc1035_rr * answers, int n, const char *error)
{
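Review bot: `idnsQueryID` walks `id` forward until `idnsFindQuery(id)` finds no in-flight query, then discards that result and returns a fresh `squid_random() & 0xFFFF`, which can collide with an outstanding query after all; the last line should be `return id;`. A collision lets a reply for one query be matched against another — the question compare in idnsGrokReply limits the damage, but the mismatch path then discards a valid answer. Since the spoofing hardening now rests on the unpredictability of this 16-bit id, it is worth confirming that `squid_random()` is seeded from a source an off-path sender cannot guess; its definition is not visible here.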
@@ -469,30 +486,34 @@
idnsGrokReply(const char *buf, size_t sz)
{
int n;
- rfc1035_rr *answers = NULL;
- unsigned short rid = 0xFFFF;
+ rfc1035_message *message = NULL;
idns_query *q;
- n = rfc1035AnswersUnpack(buf,
+ n = rfc1035MessageUnpack(buf,
sz,
- &answers,
- &rid);
- debug(78, 3) ("idnsGrokReply: ID %#hx, %d answers\n", rid, n);
- if (rid == 0xFFFF) {
- debug(78, 1) ("idnsGrokReply: Unknown error\n");
- /* XXX leak answers? */
+ &message);
+ if (message == NULL) {
+ debug(78, 2) ("idnsGrokReply: Malformed DNS response\n");
return;
}
- q = idnsFindQuery(rid);
+ debug(78, 3) ("idnsGrokReply: ID %#hx, %d answers\n", message->id, n);
+
+ q = idnsFindQuery(message->id);
+
if (q == NULL) {
debug(78, 3) ("idnsGrokReply: Late response\n");
- rfc1035RRDestroy(answers, n);
+ rfc1035MessageDestroy(message);
+ return;
+ }
+ if (rfc1035QueryCompare(&q->query, message->query) != 0) {
+ debug(78, 3) ("idnsGrokReply: Query mismatch (%s != %s)\n", q->query.name, message->query->name);
+ rfc1035MessageDestroy(message);
return;
}
dlinkDelete(&q->lru, &lru_list);
idnsRcodeCount(n, q->attempt);
q->error = NULL;
if (n < 0) {
- debug(78, 3) ("idnsGrokReply: error %d\n", rfc1035_errno);
+ debug(78, 3) ("idnsGrokReply: error %s (%d)\n", rfc1035_error_message, rfc1035_errno);
q->error = rfc1035_error_message;
q->rcode = -n;
if (q->rcode == 2 && ++q->attempt < MAX_ATTEMPT) {
@@ -501,15 +522,17 @@
* unable to process this query due to a problem with
* the name server."
*/
- assert(NULL == answers);
+ rfc1035MessageDestroy(message);
q->start_t = current_time;
- q->id = rfc1035RetryQuery(q->buf);
+ q->id = idnsQueryID();
+ rfc1035SetQueryID(q->buf, q->id);
idnsSendQuery(q);
return;
}
}
- idnsCallback(q, answers, n, q->error);
- rfc1035RRDestroy(answers, n);
+ idnsCallback(q, message->answer, n, q->error);
+ rfc1035MessageDestroy(message);
+
memFree(q, MEM_IDNS_QUERY);
}
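Review bot: The two branches that reject a reply with an unknown id (`Late response`) or a question that does not match the pending query (`Query mismatch`) are the only points where a spoofed response becomes visible, and both log at debug level 3, so an operator would not notice an attack in a normal log. Consider counting these rejections — for example alongside the rcode statistics maintained by `idnsRcodeCount` — so they appear in the cachemgr DNS statistics and can be alerted on; the mismatch message already carries both names, which is useful at a lower debug level with some rate limiting. A comment on the compare, such as `/* reject replies whose question does not match what we sent (anti-spoofing) */`, would make the intent clear to the next reader.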
@@ -527,7 +550,7 @@
from_len = sizeof(from);
memset(&from, '\0', from_len);
statCounter.syscalls.sock.recvfroms++;
- len = recvfrom(fd, rbuf, 512, 0, (struct sockaddr *) &from, &from_len);
+ len = recvfrom(fd, rbuf, sizeof(rbuf), 0, (struct sockaddr *) &from, &from_len);
if (len == 0)
break;
if (len < 0) {
@@ -563,23 +586,6 @@
}
continue;
}
- if (len > 512) {
- /*
- * Check for non-conforming replies. RFC 1035 says
- * DNS/UDP messages must be 512 octets or less. If we
- * get one that is too large, we generate a warning
- * and then pretend that we only got 512 octets. This
- * should prevent the rfc1035.c code from reading past
- * the end of our buffer.
- */
- static int other_large_pkts = 0;
- int x;
- x = (ns < 0) ? ++other_large_pkts : ++nameservers[ns].large_pkts;
- if (isPowTen(x))
- debug(78, 1) ("WARNING: Got %d large DNS replies from %s\n",
- x, inet_ntoa(from.sin_addr));
- len = 512;
- }
idnsGrokReply(rbuf, len);
}
if (lru_list.head)
@@ -722,10 +728,9 @@
}
static void
-idnsCacheQuery(idns_query * q, const char *key)
+idnsCacheQuery(idns_query * q)
{
- xstrncpy(q->query, key, sizeof(q->query));
- q->hash.key = q->query;
+ q->hash.key = q->query.name;
hash_join(idns_lookup_hash, &q->hash);
}
@@ -736,9 +741,9 @@
if (idnsCachedLookup(name, callback, data))
return;
q = memAllocate(MEM_IDNS_QUERY);
- q->sz = sizeof(q->buf);
- q->id = rfc1035BuildAQuery(name, q->buf, &q->sz);
- if (0 == q->id) {
+ q->id = idnsQueryID();
+ q->sz = rfc1035BuildAQuery(name, q->buf, sizeof(q->buf), q->id, &q->query);
+ if (q->sz < 0) {
/* problem with query data -- query not sent */
callback(data, NULL, 0, "Internal error");
memFree(q, MEM_IDNS_QUERY);
@@ -750,7 +755,7 @@
q->callback_data = data;
cbdataLock(q->callback_data);
q->start_t = current_time;
- idnsCacheQuery(q, name);
+ idnsCacheQuery(q);
idnsSendQuery(q);
}
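Review bot: `q->sz` is declared `size_t` in `struct _idns_query` (first hunk of this file), so the new test `if (q->sz < 0)` can never be true — a negative return from rfc1035BuildAQuery would be stored as a huge size and the query sent anyway. Capture the return in a signed local first: `ssize_t n = rfc1035BuildAQuery(name, q->buf, sizeof(q->buf), q->id, &q->query); if (n < 0) { /* existing error handling */ } q->sz = n;`. idnsPTRLookup in the next hunk has the same check, and there the `debug(...)` line prints `q->sz` before it is validated. As the lib hunk stands the builders never return a negative value, so the branch is also unreachable from that side; the function's start is outside the hunk.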
@@ -762,15 +767,21 @@
if (idnsCachedLookup(ip, callback, data))
return;
q = memAllocate(MEM_IDNS_QUERY);
- q->sz = sizeof(q->buf);
- q->id = rfc1035BuildPTRQuery(addr, q->buf, &q->sz);
+ q->id = idnsQueryID();
+ q->sz = rfc1035BuildPTRQuery(addr, q->buf, sizeof(q->buf), q->id, &q->query);
debug(78, 3) ("idnsPTRLookup: buf is %d bytes for %s, id = %#hx\n",
(int) q->sz, ip, q->id);
+ if (q->sz < 0) {
+ /* problem with query data -- query not sent */
+ callback(data, NULL, 0, "Internal error");
+ memFree(q, MEM_IDNS_QUERY);
+ return;
+ }
q->callback = callback;
q->callback_data = data;
cbdataLock(q->callback_data);
q->start_t = current_time;
- idnsCacheQuery(q, ip);
+ idnsCacheQuery(q);
idnsSendQuery(q);
}
diff -ruN squid-2.5.STABLE10-RC1/src/store_swapout.c squid-2.5.STABLE10-RC2/src/store_swapout.c
--- squid-2.5.STABLE10-RC1/src/store_swapout.c Sat Apr 30 06:40:28 2005
+++ squid-2.5.STABLE10-RC2/src/store_swapout.c Tue May 10 16:30:33 2005
@@ -1,6 +1,6 @@
/*
- * $Id: store_swapout.c,v 1.85.2.10 2005/04/30 12:40:28 hno Exp $
+ * $Id: store_swapout.c,v 1.85.2.11 2005/05/10 22:30:33 hno Exp $
*
* DEBUG: section 20 Storage Manager Swapout Functions
* AUTHOR: Duane Wessels
@@ -113,7 +113,7 @@
return 1;
swapout_able = storeSwapOutAble(e);
- if (!swapout_able && EBIT_TEST(e->flags, ENTRY_CACHABLE)) {
+ if (!swapout_able) {
/* Stop writing to disk */
storeReleaseRequest(e);
if (e->mem_obj->swapout.sio != NULL)