diff -ruN squid-2.7.STABLE7/ChangeLog squid-2.7.STABLE8/ChangeLog --- squid-2.7.STABLE7/ChangeLog 2009-09-17 00:29:48.000000000 +0200 +++ squid-2.7.STABLE8/ChangeLog 2010-03-10 01:40:07.000000000 +0100 @@ -1,4 +1,26 @@ +Changes to squid-2.7.STABLE8 <10 March 2010) + + - Bug #2458: reply_body_max_size incorrectly documented + - Bug #2858: Segment violation in HTCP + - Bug #2773: Segfault in RFC2069 Digest authantication + - 64-bit filesize issue in squidclient if trying to post a file > 2GB + - Improve %nn parser to better deal with certain odd %nn sequences + - Segmentation fault if failed to open cache.log + - Bug #2819: const correctness errors in dns_internal.c + - Handle DNS header-only packets as invalid. (CVE-2010-0308) + - Windows port: Updated mswin_ad_group native helper to version 2.1 + - Cosmetic change to keep GCC happy + - Bug #2678 - storeurl_rewrite does not play nicely with vary + - Bug #2861 - only-if-cached request blocks if it collapsed into + another request + - Use libcap functions instead of raw kernel interface + - No need to sync the store on -k rotate, but instead it needs to be + done in reconfigure + - const correctness in OpenSSL initialization + - Rework the http digest auth parser + Changes to squid-2.7.STABLE7 (17 September 2009) + - Bug #2661 - Solaris /dev/poll support broken with EINVAL - Clarify external_acl_type %{Header} documentation slightly - Bug #2482: Remove mem_obj->old_entry in async code to avoid deep ctx @@ -45,6 +67,7 @@ - Bug #2768 - squid_ldap_group -K argument parsing error Changes to squid-2.7.STABLE6 (4 February 2009) + - Bug #2494: Fix tproxy url in configure - Correct latency measurements - Correct upgrade_http0.9 example 
@@ -53,21 +76,8 @@ authenticate_ip_shortcircuit_ttl - Add in some better documentation for override-expire. -Changes to squid-2.6.STABLE22 (19 October 2008) - - Bug #2396: Correct the opening of the PF device file. - - Make --with-large-files and --with-build-envirnment=default play - nice together - - Workaround for Linux-2.6.24 & 2.6.25 netfiler_ipv4.h include header - __u32 problem - - Make dns_nameserver work when using --disable-internal-dns on glibc - based systems - - Bug #2426: Increase negotiate auth token buffer size - - Bug #2427: squid_ldap_group -h reports the old % codes for -f - - Bug #2477: swap.state permission issues if crashing during "squid -k - reconfigure" - - Windows port: Fix build error using latest MinGW runtime. - Changes to squid-2.7.STABLE5 (17 October 2008) + - Bug #2439: configuration file contains non-ASCII characters - Bug #2441: Shut down store url rewrite helpers on squid -k reconfigure @@ -88,6 +98,7 @@ - Windows port: Fix build error using latest MinGW runtime. Changes to squid-2.7.STABLE4 (8 August 2008) + - Bug #2387: The calculation of the number of hash buckets need to account for the memory size, not only disk size - Bug #2393: DNS requests retried indefinitely at full speed on failed 
@@ -117,30 +128,6 @@ - More changes to deal properly with aborted requests - Bug #2427: squid_ldap_group -h reports the old % codes for -f -Changes to squid-2.6.STABLE21 (27 June 2008) - - - Bug #2350: Bugs in Linux kernel capabilities code - - Bug #2241: weights not applied properly in round-robin peer - selection - - Off by one error in DNS label decompression could cause valid DNS - messages to be rejected - - logformat docs contain extra whitespace - - Reject ridiculously large ASN.1 lengths - - Fix SNMP reporting of counters with a value > 0xFF80000 - - Correct spelling of WCCPv2 dst_port_hash to match the source - - Plug some "squid -k reconfigure" memory leaks. Mostly SSL related. - - Bug #1993: Memory leak in http_reply_access deny processing - - Bug #2122: In some situations collapsed_forwarding could leak - private information - - Bug #2376: Round-Robin becomes unbalanced when a peer dies and comes - back - - Bug #2387: The calculation of the number of hash buckets need to - account for the memory size, not only disk size - - Bug #2393: DNS requests retried indefinitely at full speed on failed - TCP connection - - Bug #2393: DNS retransmit queue could get hold up - - Correct socket syscalls statistics in commResetFD() - Changes to squid-2.7.STABLE3 (25 June 2008) - Byg #2376: Round-Robin peer selection becomes unbalanced when a diff -ruN squid-2.7.STABLE7/configure squid-2.7.STABLE8/configure --- squid-2.7.STABLE7/configure 2009-09-17 00:46:50.000000000 +0200 +++ squid-2.7.STABLE8/configure 2010-03-10 01:41:19.000000000 +0100 
@@ -1,9 +1,9 @@ #! /bin/sh -# From configure.in Revision: 1.430.2.20 . +# From configure.in Revision: 1.430.2.22 . # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.62 for Squid Web Proxy 2.7.STABLE7. +# Generated by GNU Autoconf 2.62 for Squid Web Proxy 2.7.STABLE8. # -# Report bugs to . +# Report bugs to . # # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, # 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. @@ -597,9 +597,9 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='2.7.STABLE7' -PACKAGE_STRING='Squid Web Proxy 2.7.STABLE7' -PACKAGE_BUGREPORT='http://www.squid-cache.org/bugs/' +PACKAGE_VERSION='2.7.STABLE8' +PACKAGE_STRING='Squid Web Proxy 2.7.STABLE8' +PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' ac_default_prefix=/usr/local/squid # Factoring default headers for most tests. @@ -896,6 +896,7 @@ enable_stacktraces enable_x_accelerator_vary enable_follow_x_forwarded_for +with_libcap with_maxfd ' ac_precious_vars='build_alias @@ -1459,7 +1460,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 2.7.STABLE7 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 2.7.STABLE8 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1529,7 +1530,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 2.7.STABLE7:";; + short | recursive ) echo "Configuration of Squid Web Proxy 2.7.STABLE8:";; esac cat <<\_ACEOF 
@@ -1732,6 +1733,8 @@ XBS5_LP64_OFF64 64 bits (legacy) XBS5_LPBIG_OFFBIG large pointers and files (legacy) default The default for your OS + --without-libcap disable usage of Linux capabilities library to + control privileges --with-maxfd=N Override maximum number of filedescriptors. Useful if you build as another user who is not privileged to use the number of filedescriptors you want the @@ -1750,7 +1753,7 @@ Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. -Report bugs to . +Report bugs to . _ACEOF ac_status=$? fi @@ -1813,7 +1816,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 2.7.STABLE7 +Squid Web Proxy configure 2.7.STABLE8 generated by GNU Autoconf 2.62 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, @@ -1827,7 +1830,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 2.7.STABLE7, which was +It was created by Squid Web Proxy $as_me 2.7.STABLE8, which was generated by GNU Autoconf 2.62. Invocation command line was $ $0 $@ @@ -2544,7 +2547,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='2.7.STABLE7' + VERSION='2.7.STABLE8' cat >>confdefs.h <<_ACEOF @@ -6549,9 +6552,9 @@ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 $as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} ( cat <<\_ASBOX -## ----------------------------------------------- ## -## Report this to http://www.squid-cache.org/bugs/ ## -## ----------------------------------------------- ## +## ------------------------------------------- ## +## Report this to http://bugs.squid-cache.org/ ## +## ------------------------------------------- ## _ASBOX ) | sed "s/^/$as_me: WARNING: /" >&2 ;; 
@@ -24411,6 +24414,338 @@ fi +use_libcap=auto + +# Check whether --with-libcap was given. +if test "${with_libcap+set}" = set; then + withval=$with_libcap; if test "x$withval" = "xyes" ; then + { $as_echo "$as_me:$LINENO: result: libcap forced enabled" >&5 +$as_echo "libcap forced enabled" >&6; } + use_libcap=yes + else + { $as_echo "$as_me:$LINENO: result: libcap forced disabled" >&5 +$as_echo "libcap forced disabled" >&6; } + use_libcap=no + fi + +fi + +if test "x$use_libcap" != "xno"; then + # cap_clear_flag is the most recent libcap function we require + +{ $as_echo "$as_me:$LINENO: checking for cap_clear_flag in -lcap" >&5 +$as_echo_n "checking for cap_clear_flag in -lcap... " >&6; } +if test "${ac_cv_lib_cap_cap_clear_flag+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lcap $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char cap_clear_flag (); +int +main () +{ +return cap_clear_flag (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_cap_cap_clear_flag=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_cap_cap_clear_flag=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_cap_cap_clear_flag" >&5 +$as_echo "$ac_cv_lib_cap_cap_clear_flag" >&6; } +if test $ac_cv_lib_cap_cap_clear_flag = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBCAP 1 +_ACEOF + + LIBS="-lcap $LIBS" + +fi + + if test "x$ac_cv_lib_cap_cap_clear_flag" = xyes; then + use_libcap=yes + else + if test "x$use_libcap" = "xyes"; then + { { $as_echo "$as_me:$LINENO: error: libcap forced enabled but not available or not usable, requires libcap-2.09 or later" >&5 +$as_echo "$as_me: error: libcap forced enabled but not available or not usable, requires libcap-2.09 or later" >&2;} + { (exit 1); exit 1; }; } + fi + use_libcap=no + fi +fi +if test "x$use_libcap" = "xyes"; then + +cat >>confdefs.h <<\_ACEOF +#define USE_LIBCAP 1 +_ACEOF + + +for ac_header in sys/capability.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_compiler=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } + +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <$ac_header> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! 
-s conftest.err + }; then + ac_header_preproc=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi + +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" 
>&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + ( cat <<\_ASBOX +## ------------------------------------------- ## +## Report this to http://bugs.squid-cache.org/ ## +## ------------------------------------------- ## +_ASBOX + ) | sed "s/^/$as_me: WARNING: /" >&2 + ;; +esac +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + +fi +if test `eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + { $as_echo "$as_me:$LINENO: checking for operational libcap2 headers" >&5 +$as_echo_n "checking for operational libcap2 headers... " >&6; } +if test "${squid_cv_sys_capability_works+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ + +#include +#include +#include + +int +main () +{ + +capget(NULL, NULL); +capset(NULL, NULL); + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + squid_cv_sys_capability_works=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + squid_cv_sys_capability_works=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext + +fi +{ $as_echo "$as_me:$LINENO: result: $squid_cv_sys_capability_works" >&5 +$as_echo "$squid_cv_sys_capability_works" >&6; } + if test x$squid_cv_sys_capability_works != xyes; then + +cat >>confdefs.h <<\_ACEOF +#define LIBCAP_BROKEN 1 +_ACEOF + + fi +fi + { $as_echo "$as_me:$LINENO: checking for main in -lnsl" >&5 $as_echo_n "checking for main in -lnsl... " >&6; } 
@@ -24746,9 +25081,9 @@ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 $as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} ( cat <<\_ASBOX -## ----------------------------------------------- ## -## Report this to http://www.squid-cache.org/bugs/ ## -## ----------------------------------------------- ## +## ------------------------------------------- ## +## Report this to http://bugs.squid-cache.org/ ## +## ------------------------------------------- ## _ASBOX ) | sed "s/^/$as_me: WARNING: /" >&2 ;; @@ -24897,9 +25232,9 @@ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 $as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} ( cat <<\_ASBOX -## ----------------------------------------------- ## -## Report this to http://www.squid-cache.org/bugs/ ## -## ----------------------------------------------- ## +## ------------------------------------------- ## +## Report this to http://bugs.squid-cache.org/ ## +## ------------------------------------------- ## _ASBOX ) | sed "s/^/$as_me: WARNING: /" >&2 ;; @@ -27410,7 +27745,7 @@ sleep 10 fi -if test "$LINUX_NETFILTER" ; then +if test "$LINUX_NETFILTER" = "yes"; then { $as_echo "$as_me:$LINENO: checking if Linux 2.4 or newer kernel header files are installed" >&5 $as_echo_n "checking if Linux 2.4 or newer kernel header files are installed... " >&6; } # hold on to your hats... @@ -27438,7 +27773,7 @@ sleep 10 fi -if test "$LINUX_TPROXY" ; then +if test "$LINUX_TPROXY"; then { $as_echo "$as_me:$LINENO: checking if TPROXY header files are installed" >&5 $as_echo_n "checking if TPROXY header files are installed... " >&6; } # hold on to your hats... 
@@ -27459,6 +27794,12 @@ fi { $as_echo "$as_me:$LINENO: result: $LINUX_TPROXY" >&5 $as_echo "$LINUX_TPROXY" >&6; } + if test "$use_libcap" != "yes"; then + { $as_echo "$as_me:$LINENO: WARNING: Missing needed capabilities (libcap or libcap2) for TPROXY" >&5 +$as_echo "$as_me: WARNING: Missing needed capabilities (libcap or libcap2) for TPROXY" >&2;} + LINUX_TPROXY="no" + sleep 10 + fi fi if test "$LINUX_TPROXY" = "no" && test "$LINUX_NETFILTER" = "yes"; then echo "WARNING: Cannot find TPROXY headers, you need to patch your kernel with the" @@ -29339,7 +29680,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 2.7.STABLE7, which was +This file was extended by Squid Web Proxy $as_me 2.7.STABLE8, which was generated by GNU Autoconf 2.62. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -29392,7 +29733,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_version="\\ -Squid Web Proxy config.status 2.7.STABLE7 +Squid Web Proxy config.status 2.7.STABLE8 configured by $0, generated by GNU Autoconf 2.62, with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" diff -ruN squid-2.7.STABLE7/configure.in squid-2.7.STABLE8/configure.in --- squid-2.7.STABLE7/configure.in 2009-09-17 00:46:50.000000000 +0200 +++ squid-2.7.STABLE8/configure.in 2010-03-10 01:41:19.000000000 +0100 
@@ -1,16 +1,16 @@ dnl dnl Configuration input file for Squid dnl -dnl $Id: configure.in,v 1.430.2.20 2009/09/16 22:29:48 hno Exp $ +dnl $Id: configure.in,v 1.430.2.22 2010/03/07 15:56:50 hno Exp $ dnl dnl dnl -AC_INIT(Squid Web Proxy, 2.7.STABLE7, http://www.squid-cache.org/bugs/, squid) +AC_INIT(Squid Web Proxy, 2.7.STABLE8, http://bugs.squid-cache.org/, squid) AC_PREREQ(2.52) AM_CONFIG_HEADER(include/autoconf.h) AC_CONFIG_AUX_DIR(cfgaux) AM_INIT_AUTOMAKE -AC_REVISION($Revision: 1.430.2.20 $)dnl +AC_REVISION($Revision: 1.430.2.22 $)dnl AC_PREFIX_DEFAULT(/usr/local/squid) AM_MAINTAINER_MODE 
@@ -2042,6 +2042,47 @@
     AC_DEFINE(mtyp_t, long, [message type for message queues])
 fi
+use_libcap=auto
+AC_ARG_WITH(libcap, AS_HELP_STRING([--without-libcap],[disable usage of Linux capabilities library to control privileges]),
+[ if test "x$withval" = "xyes" ; then
+    AC_MSG_RESULT(libcap forced enabled)
+    use_libcap=yes
+  else
+    AC_MSG_RESULT(libcap forced disabled)
+    use_libcap=no
+  fi
+])
+if test "x$use_libcap" != "xno"; then
+  # cap_clear_flag is the most recent libcap function we require
+  AC_CHECK_LIB(cap, cap_clear_flag)
+  if test "x$ac_cv_lib_cap_cap_clear_flag" = xyes; then
+    use_libcap=yes
+  else
+    if test "x$use_libcap" = "xyes"; then
+      AC_MSG_ERROR([libcap forced enabled but not available or not usable, requires libcap-2.09 or later])
+    fi
+    use_libcap=no
+  fi
+fi
+if test "x$use_libcap" = "xyes"; then
+  AC_DEFINE(USE_LIBCAP, 1, [use libcap to set capabilities required for TPROXY])
+  dnl Check for libcap headader breakage.
+  AC_CHECK_HEADERS(sys/capability.h)
+  AC_CACHE_CHECK([for operational libcap2 headers], squid_cv_sys_capability_works,
+    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include
+#include
+#include
+]], [[
+capget(NULL, NULL);
+capset(NULL, NULL);
+    ]])],[squid_cv_sys_capability_works=yes],[squid_cv_sys_capability_works=no])
+  )
+  if test x$squid_cv_sys_capability_works != xyes; then
+    AC_DEFINE([LIBCAP_BROKEN],1,[if libcap2 headers are broken and clashing with glibc])
+  fi
+fi
+
 dnl Check for needed libraries
 AC_CHECK_LIB(nsl, main)
 AC_CHECK_LIB(socket, main)
@@ -2716,7 +2757,7 @@
 dnl Linux-Netfilter support requires Linux 2.4 or newer kernel header files.
 dnl Shamelessly copied from above
-if test "$LINUX_NETFILTER" ; then
+if test "$LINUX_NETFILTER" = "yes"; then
   AC_MSG_CHECKING(if Linux 2.4 or newer kernel header files are installed)
   # hold on to your hats...
   if test "$ac_cv_header_linux_netfilter_ipv4_h" = "yes"; then
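Review bot: `--with-libcap=PATH`, or any value other than the literal `yes`, falls into the else branch of the new AC_ARG_WITH handler and disables libcap, because the test is `if test "x$withval" = "xyes"`; an operator pointing configure at a custom libcap prefix would get a build with no capability handling and only a bare `libcap forced disabled` line to show for it. Test the documented negative instead, `if test "x$withval" != "xno" ; then`, or reject unrecognised values with AC_MSG_ERROR. The two AC_MSG_RESULT calls have no preceding AC_MSG_CHECKING, so they print as stray words in configure's output; AC_MSG_NOTICE fits better there. Note also that `AC_DEFINE(USE_LIBCAP, 1, ...)` is emitted before `AC_CHECK_HEADERS(sys/capability.h)` runs and nothing consults that header result afterwards, so a system with the library but without its header still gets USE_LIBCAP defined; a comment saying the header result is intentionally only informational, or a guard on it, would settle that.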
@@ -2734,9 +2775,9 @@
   sleep 10
 fi
-dnl Linux Netfilter/TPROXY support requires some specific header files
+dnl Linux Netfilter/TPROXY support requires some specific header files and libcap
 dnl Shamelessly copied from shamelessly copied from above
-if test "$LINUX_TPROXY" ; then
+if test "$LINUX_TPROXY"; then
   AC_MSG_CHECKING(if TPROXY header files are installed)
   # hold on to your hats...
   if test "$ac_cv_header_linux_netfilter_ipv4_ip_tproxy_h" = "yes" && test "$LINUX_NETFILTER" = "yes"; then
@@ -2747,6 +2788,11 @@
     AC_DEFINE(LINUX_TPROXY, 0, [Enable real Transparent Proxy support for Netfilter TPROXY.])
   fi
   AC_MSG_RESULT($LINUX_TPROXY)
+  if test "$use_libcap" != "yes"; then
+    AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for TPROXY])
+    LINUX_TPROXY="no"
+    sleep 10
+  fi
 fi
 if test "$LINUX_TPROXY" = "no" && test "$LINUX_NETFILTER" = "yes"; then
   echo "WARNING: Cannot find TPROXY headers, you need to patch your kernel with the"
diff -ruN squid-2.7.STABLE7/helpers/external_acl/mswin_ad_group/mswin_check_ad_group.c squid-2.7.STABLE8/helpers/external_acl/mswin_ad_group/mswin_check_ad_group.c
--- squid-2.7.STABLE7/helpers/external_acl/mswin_ad_group/mswin_check_ad_group.c 2009-09-16 22:43:16.000000000 +0200
+++ squid-2.7.STABLE8/helpers/external_acl/mswin_ad_group/mswin_check_ad_group.c 2010-02-12 21:39:55.000000000 +0100
@@ -31,6 +31,10 @@
  *
  * History:
  *
+ * Version 2.1
+ * 20-09-2009 Guido Serassio
+ *            Added explicit Global Catalog query
+ *
  * Version 2.0
  * 20-07-2009 Guido Serassio
  *            Global groups support rewritten, now is based on ADSI.
@@ -78,12 +82,18 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
 #include "util.h"
+enum ADSI_PATH {
+    LDAP_MODE,
+    GC_MODE
+} ADSI_Path;
+
 #define BUFSIZE 8192 /* the stdin buffer size */
 int use_global = 0;
 char debug_enabled = 0;
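Review bot: The libcap check runs after `AC_MSG_RESULT($LINUX_TPROXY)`, so if the yes branch above the hunk has already emitted `AC_DEFINE(LINUX_TPROXY, 1, ...)` (only the `0` branch is visible here), resetting the shell variable to `LINUX_TPROXY="no"` does not undo that define, and a headers-found build without libcap would compile TPROXY in while `USE_LIBCAP` stays undefined. The new test also fires when LINUX_TPROXY was already `no`, and the `echo "WARNING: Cannot find TPROXY headers..."` that follows then blames headers when the real cause is libcap. Fold the library requirement into the header test so the define and the result agree, `if test "$ac_cv_header_linux_netfilter_ipv4_ip_tproxy_h" = "yes" && test "$LINUX_NETFILTER" = "yes" && test "$use_libcap" = "yes"; then`, and keep the libcap warning for the case where headers were found but the library was not.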
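Review bot: `enum ADSI_PATH { LDAP_MODE, GC_MODE } ADSI_Path;` defines a file-scope variable `ADSI_Path` that nothing in the patch reads or writes; every call site passes `GC_MODE` or `LDAP_MODE` as a literal and GetLDAPPath takes an `int`. Declare only the type, `enum ADSI_PATH { LDAP_MODE, GC_MODE };`, so the helper does not export an unused global, and a short comment above it, `/* which ADSI provider prefix GetLDAPPath builds: LDAP:// or GC:// */`, would tell a reader what the two modes mean.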
@@ -275,13 +285,16 @@
 wchar_t *
-GetLDAPPath(wchar_t * Base_DN)
+GetLDAPPath(wchar_t * Base_DN, int query_mode)
 {
     wchar_t *wc;
     wc = (wchar_t *) xmalloc((wcslen(Base_DN) + 8) * sizeof(wchar_t));
-    wcscpy(wc, L"LDAP://");
+    if (query_mode == LDAP_MODE)
+        wcscpy(wc, L"LDAP://");
+    else
+        wcscpy(wc, L"GC://");
     wcscat(wc, Base_DN);
     return wc;
@@ -412,11 +425,19 @@
                 wchar_t *Group_Path;
                 IADs *pGrp;
-                Group_Path = GetLDAPPath(var.n1.n2.n3.bstrVal);
+                Group_Path = GetLDAPPath(var.n1.n2.n3.bstrVal, GC_MODE);
                 hr = ADsGetObject(Group_Path, &IID_IADs, (void **) &pGrp);
                 if (SUCCEEDED(hr)) {
                     hr = Recursive_Memberof(pGrp);
                     pGrp->lpVtbl->Release(pGrp);
+                    safe_free(Group_Path);
+                    Group_Path = GetLDAPPath(var.n1.n2.n3.bstrVal, LDAP_MODE);
+                    hr = ADsGetObject(Group_Path, &IID_IADs, (void **) &pGrp);
+                    if (SUCCEEDED(hr)) {
+                        hr = Recursive_Memberof(pGrp);
+                        pGrp->lpVtbl->Release(pGrp);
+                    } else
+                        debug("Recursive_Memberof: ERROR ADsGetObject for %S failed: %s\n", Group_Path, Get_WIN32_ErrorMessage(hr));
                 } else
                     debug("Recursive_Memberof: ERROR ADsGetObject for %S failed: %s\n", Group_Path, Get_WIN32_ErrorMessage(hr));
                 safe_free(Group_Path);
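Review bot: The `+ 8` in the xmalloc size is now an unstated `wcslen(L"LDAP://") + 1`, the longer of the two prefixes the function can write, with nothing tying it to those strings; a third, longer provider prefix added later would overflow the buffer silently. Derive the size from the prefix instead: `const wchar_t *prefix = (query_mode == LDAP_MODE) ? L"LDAP://" : L"GC://";`, `wc = (wchar_t *) xmalloc((wcslen(prefix) + wcslen(Base_DN) + 1) * sizeof(wchar_t));`, then `wcscpy(wc, prefix); wcscat(wc, Base_DN);`. Typing the parameter as `enum ADSI_PATH query_mode` rather than `int` would also let the compiler flag a stray mode value, which today is treated as GC.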
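Review bot: The LDAP_MODE lookup sits inside the `if (SUCCEEDED(hr))` of the GC_MODE lookup, so when `ADsGetObject` on the `GC://` path fails (no Global Catalog reachable, for instance) the domain-local query is skipped too and the group set this ACL helper evaluates is incomplete; if that is not the intent, run the LDAP_MODE block unconditionally after the GC block, each with its own else/debug. The `hr` from the GC pass is overwritten by the LDAP pass before the function returns it, so a GC failure is visible only in the debug log. The enclosing function Recursive_Memberof starts outside the hunk.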
@@ -432,22 +453,38 @@
                     wchar_t *Group_Path;
                     IADs *pGrp;
-                    Group_Path = GetLDAPPath(elem.n1.n2.n3.bstrVal);
+                    Group_Path = GetLDAPPath(elem.n1.n2.n3.bstrVal, GC_MODE);
                     hr = ADsGetObject(Group_Path, &IID_IADs, (void **) &pGrp);
                     if (SUCCEEDED(hr)) {
                         hr = Recursive_Memberof(pGrp);
                         pGrp->lpVtbl->Release(pGrp);
+                        safe_free(Group_Path);
+                        Group_Path = GetLDAPPath(elem.n1.n2.n3.bstrVal, LDAP_MODE);
+                        hr = ADsGetObject(Group_Path, &IID_IADs, (void **) &pGrp);
+                        if (SUCCEEDED(hr)) {
+                            hr = Recursive_Memberof(pGrp);
+                            pGrp->lpVtbl->Release(pGrp);
+                            safe_free(Group_Path);
+                        } else
+                            debug("Recursive_Memberof: ERROR ADsGetObject for %S failed: %s\n", Group_Path, Get_WIN32_ErrorMessage(hr));
                     } else
                         debug("Recursive_Memberof: ERROR ADsGetObject for %S failed: %s\n", Group_Path, Get_WIN32_ErrorMessage(hr));
                     safe_free(Group_Path);
                 }
                 VariantClear(&elem);
+            } else {
+                debug("Recursive_Memberof: ERROR SafeArrayGetElement failed: %s\n", Get_WIN32_ErrorMessage(hr));
+                VariantClear(&elem);
             }
             ++lBound;
         }
-    }
+    } else
+        debug("Recursive_Memberof: ERROR SafeArrayGetxBound failed: %s\n", Get_WIN32_ErrorMessage(hr));
     }
     VariantClear(&var);
+    } else {
+        if (hr != E_ADS_PROPERTY_NOT_FOUND)
+            debug("Recursive_Memberof: ERROR getting memberof attribute: %s\n", Get_WIN32_ErrorMessage(hr));
     }
     return hr;
 }
@@ -624,9 +661,7 @@
     }
     wszGroups = build_groups_DN_array(Groups, NTDomain);
-    User_LDAP_path = GetLDAPPath(User_DN);
-
-    safe_free(User_DN);
+    User_LDAP_path = GetLDAPPath(User_DN, GC_MODE);
     hr = ADsGetObject(User_LDAP_path, &IID_IADs, (void **) &pUser);
     if (SUCCEEDED(hr)) {
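Review bot: Inside the LDAP_MODE success branch the new `safe_free(Group_Path);` is followed, after the outer else, by the pre-existing `safe_free(Group_Path);` on the same pointer. If `safe_free` is Squid's util.h macro, which NULLs its argument, the inner call is merely redundant and inconsistent with the parallel block earlier in Recursive_Memberof, where it is absent; with any `safe_free` that does not NULL the pointer it is a double free. Drop the inner `safe_free(Group_Path);` and let the single release after the if/else cover both paths. The enclosing function Recursive_Memberof starts outside the hunk.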
@@ -638,18 +673,33 @@
             debug("Valid_Global_Groups: cannot get Primary Group for '%s'.\n", User);
         else {
             add_User_Group(User_PrimaryGroup);
-            User_PrimaryGroup_Path = GetLDAPPath(User_PrimaryGroup);
+            User_PrimaryGroup_Path = GetLDAPPath(User_PrimaryGroup, GC_MODE);
             hr = ADsGetObject(User_PrimaryGroup_Path, &IID_IADs, (void **) &pGrp);
             if (SUCCEEDED(hr)) {
                 hr = Recursive_Memberof(pGrp);
                 pGrp->lpVtbl->Release(pGrp);
+                safe_free(User_PrimaryGroup_Path);
+                User_PrimaryGroup_Path = GetLDAPPath(User_PrimaryGroup, LDAP_MODE);
+                hr = ADsGetObject(User_PrimaryGroup_Path, &IID_IADs, (void **) &pGrp);
+                if (SUCCEEDED(hr)) {
+                    hr = Recursive_Memberof(pGrp);
+                    pGrp->lpVtbl->Release(pGrp);
+                } else
+                    debug("Valid_Global_Groups: ADsGetObject for %S failed, ERROR: %s\n", User_PrimaryGroup_Path, Get_WIN32_ErrorMessage(hr));
             } else
                 debug("Valid_Global_Groups: ADsGetObject for %S failed, ERROR: %s\n", User_PrimaryGroup_Path, Get_WIN32_ErrorMessage(hr));
-            safe_free(User_PrimaryGroup_Path);
         }
         hr = Recursive_Memberof(pUser);
         pUser->lpVtbl->Release(pUser);
+        safe_free(User_LDAP_path);
+        User_LDAP_path = GetLDAPPath(User_DN, LDAP_MODE);
+        hr = ADsGetObject(User_LDAP_path, &IID_IADs, (void **) &pUser);
+        if (SUCCEEDED(hr)) {
+            hr = Recursive_Memberof(pUser);
+            pUser->lpVtbl->Release(pUser);
+        } else
+            debug("Valid_Global_Groups: ADsGetObject for %S failed, ERROR: %s\n", User_LDAP_path, Get_WIN32_ErrorMessage(hr));
         tmp = User_Groups;
         while (*tmp) {
@@ -662,6 +712,7 @@
     } else
         debug("Valid_Global_Groups: ADsGetObject for %S failed, ERROR: %s\n", User_LDAP_path, Get_WIN32_ErrorMessage(hr));
+    safe_free(User_DN);
     safe_free(User_LDAP_path);
     safe_free(User_PrimaryGroup);
     tmp = wszGroups;
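Review bot: `User_PrimaryGroup_Path` is no longer released on any path: the trailing `safe_free(User_PrimaryGroup_Path);` after the else is removed, the GC_MODE buffer is freed only inside the SUCCEEDED branch before being replaced, and the LDAP_MODE buffer allocated there is never freed — unless a release exists outside the hunk, which the later cleanup block (`safe_free(User_DN); safe_free(User_LDAP_path); safe_free(User_PrimaryGroup);`) does not show. An external_acl helper is a long-lived process answering one request per stdin line, so a per-request leak grows without bound. Restore `safe_free(User_PrimaryGroup_Path);` immediately after the `} else debug(...)` that reports the GC_MODE failure, so it covers both the failed-GC and completed-LDAP paths (safe_free is presumably NULL-tolerant, as Squid's util.h macro is). The enclosing function Valid_Global_Groups starts and ends outside the hunk.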
@@ -815,10 +866,10 @@ rfc1738_unescape(username); if ((use_global ? Valid_Global_Groups(username, groups) : Valid_Local_Groups(username, groups))) { - printf("OK\n"); + SEND("OK"); } else { error: - printf("ERR\n"); + SEND("ERR"); } err = 0; } diff -ruN squid-2.7.STABLE7/helpers/external_acl/mswin_ad_group/readme.txt squid-2.7.STABLE8/helpers/external_acl/mswin_ad_group/readme.txt --- squid-2.7.STABLE7/helpers/external_acl/mswin_ad_group/readme.txt 2009-08-16 23:55:43.000000000 +0200 +++ squid-2.7.STABLE8/helpers/external_acl/mswin_ad_group/readme.txt 2010-02-12 21:39:55.000000000 +0100 @@ -25,7 +25,7 @@ When running in Active Directory Global mode, all types of Active Directory security groups are supported: - Domain Global -- Domain Local +- Domain Local from user's domain - Universal and Active Directory group nesting is fully supported. @@ -86,7 +86,10 @@ "Domain Users" -NOTES: +NOTES: +- When running in Active Directory Global mode, for better performance, + all Domain Controllers of the Active Directory forest should be configured + as Global Catalog. - When running in local mode, the standard group name comparison is case sensitive, so group name must be specified with same case as in the local SAM database. diff -ruN squid-2.7.STABLE7/include/autoconf.h.in squid-2.7.STABLE8/include/autoconf.h.in --- squid-2.7.STABLE7/include/autoconf.h.in 2008-11-20 02:55:42.000000000 +0100 +++ squid-2.7.STABLE8/include/autoconf.h.in 2010-03-08 05:38:53.000000000 +0100 @@ -194,6 +194,9 @@ /* Define to 1 if you have the `bsd' library (-lbsd). */ #undef HAVE_LIBBSD +/* Define to 1 if you have the `cap' library (-lcap). */ +#undef HAVE_LIBCAP + /* Define to 1 if you have the header file. */ #undef HAVE_LIBC_H @@ -647,6 +650,9 @@ /* Support large cache files > 2GB */ #undef LARGE_CACHE_FILES +/* if libcap2 headers are broken and clashing with glibc */ +#undef LIBCAP_BROKEN + /* Enable support for Transparent Proxy on Linux (Netfilter) systems */ #undef LINUX_NETFILTER 
@@ -828,6 +834,9 @@ /* Enable code for assiting in finding memory leaks. Hacker stuff only. */ #undef USE_LEAKFINDER +/* use libcap to set capabilities required for TPROXY */ +#undef USE_LIBCAP + /* Define this to make use of the OpenSSL libraries for MD5 calculation rather than Squid's own MD5 implementation or if building with SSL encryption (USE_SSL) */ diff -ruN squid-2.7.STABLE7/include/squid_types.h squid-2.7.STABLE8/include/squid_types.h --- squid-2.7.STABLE7/include/squid_types.h 2006-05-23 16:51:36.000000000 +0200 +++ squid-2.7.STABLE8/include/squid_types.h 2010-02-12 21:22:18.000000000 +0100 @@ -1,5 +1,5 @@ /* - * $Id: squid_types.h,v 1.8 2006/05/23 14:51:36 hno Exp $ + * $Id: squid_types.h,v 1.8.6.1 2010/02/12 20:22:18 hno Exp $ * * * * * * * * * Legal stuff * * * * * * * * @@ -73,4 +73,41 @@ #include #endif +#if SIZEOF_INT64_T > SIZEOF_LONG && HAVE_STRTOLL +typedef int64_t squid_off_t; +#define SIZEOF_SQUID_OFF_T SIZEOF_INT64_T +#define PRINTF_OFF_T PRId64 +#define strto_off_t (int64_t)strtoll +#else +typedef long squid_off_t; +#define SIZEOF_SQUID_OFF_T SIZEOF_LONG +#define PRINTF_OFF_T "ld" +#define strto_off_t strtol +#endif + +/* + * ISO C99 Standard printf() macros for 64 bit integers + * On some 64 bit platform, HP Tru64 is one, for printf must be used + * "%lx" instead of "%llx" + */ +#ifndef PRId64 +#ifdef _SQUID_MSWIN_ /* Windows native port using MSVCRT */ +#define PRId64 "I64d" +#elif SIZEOF_INT64_T > SIZEOF_LONG +#define PRId64 "lld" +#else +#define PRId64 "ld" +#endif +#endif + +#ifndef PRIu64 +#ifdef _SQUID_MSWIN_ /* Windows native port using MSVCRT */ +#define PRIu64 "I64u" +#elif SIZEOF_INT64_T > SIZEOF_LONG +#define PRIu64 "llu" +#else +#define PRIu64 "lu" +#endif +#endif + #endif /* SQUID_TYPES_H */ diff -ruN squid-2.7.STABLE7/include/version.h squid-2.7.STABLE8/include/version.h --- squid-2.7.STABLE7/include/version.h 2009-09-17 00:46:50.000000000 +0200 +++ squid-2.7.STABLE8/include/version.h 2010-03-10 01:41:19.000000000 +0100 
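Review bot: The new squid_types.h block keys everything on `SIZEOF_INT64_T`, `SIZEOF_LONG` and `HAVE_STRTOLL`, none of which this header defines or includes; an undefined name evaluates to 0 in `#if`, so a translation unit that includes squid_types.h without the autoconf output first silently gets `long` for `squid_off_t` and `"ld"` for `PRId64` with no diagnostic, which is exactly the 64-bit filesize class of bug the ChangeLog mentions for squidclient. A guard such as `#if !defined(SIZEOF_LONG) || !defined(SIZEOF_INT64_T)` followed by `#error "autoconf.h must be included before squid_types.h"` turns that into a build error; at minimum the header comment should state the dependency. `strto_off_t` is also defined as a cast expression, `(int64_t)strtoll`, rather than a function-like macro, which works for direct calls but not if anything takes its address or passes it as a callback.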
@@ -9,5 +9,5 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1253141183 +#define SQUID_RELEASE_TIME 1268181671 #endif diff -ruN squid-2.7.STABLE7/lib/rfc1035.c squid-2.7.STABLE8/lib/rfc1035.c --- squid-2.7.STABLE7/lib/rfc1035.c 2008-06-19 03:11:44.000000000 +0200 +++ squid-2.7.STABLE8/lib/rfc1035.c 2010-02-12 21:28:07.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: rfc1035.c,v 1.29.6.1 2008/06/19 01:11:44 hno Exp $ + * $Id: rfc1035.c,v 1.29.6.2 2010/02/12 20:28:07 hno Exp $ * * Low level DNS protocol routines * AUTHOR: Duane Wessels @@ -286,7 +286,9 @@ size_t len; assert(ns > 0); do { - assert((*off) < sz); + if ((*off) >= sz) { + return 1; + } c = *(buf + (*off)); if (c > 191) { /* blasted compression */ diff -ruN squid-2.7.STABLE7/lib/rfc1738.c squid-2.7.STABLE8/lib/rfc1738.c --- squid-2.7.STABLE7/lib/rfc1738.c 2007-05-24 00:00:02.000000000 +0200 +++ squid-2.7.STABLE8/lib/rfc1738.c 2010-02-12 21:24:40.000000000 +0100 @@ -1,5 +1,5 @@ /* - * $Id: rfc1738.c,v 1.25 2007/05/23 22:00:02 hno Exp $ + * $Id: rfc1738.c,v 1.25.2.1 2010/02/12 20:24:40 hno Exp $ * * DEBUG: * AUTHOR: Harvest Derived 
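Review bot: The new bound check in rfc1035.c guards only the octet read on the following line (`c = *(buf + (*off))`); the compression branch below it needs a second octet and the label branch needs `c` further bytes, and whether those reads are checked against `sz` is outside this hunk, so the same `if ((*off) >= sz) return 1;` treatment should be confirmed there before this is taken as closing the header-only-packet case (CVE-2010-0308 in the ChangeLog). The enclosing function starts and ends outside the hunk and the `@@` header carries no context name, so the meaning of the `1` return value cannot be verified here; a one-line comment, `/* truncated name: non-zero tells the caller the packet is malformed */`, would make the contract explicit at the point where an assert became a return. `assert(ns > 0)` on the line above remains an abort path, which is acceptable only if `ns` is never derived from packet data.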
@@ -180,30 +180,41 @@ * rfc1738_unescape() - Converts escaped characters (%xy numbers) in * given the string. %% is a %. %ab is the 8-bit hexadecimal number "ab" */ +static inline int +fromhex(char ch) +{ + if (ch >= '0' && ch <= '9') + return ch - '0'; + if (ch >= 'a' && ch <= 'f') + return ch - 'a' + 10; + if (ch >= 'A' && ch <= 'F') + return ch - 'A' + 10; + return -1; +} + void rfc1738_unescape(char *s) { - char hexnum[3]; int i, j; /* i is write, j is read */ - unsigned int x; for (i = j = 0; s[j]; i++, j++) { s[i] = s[j]; - if (s[i] != '%') - continue; - if (s[j + 1] == '%') { /* %% case */ - j++; - continue; - } - if (s[j + 1] && s[j + 2]) { - if (s[j + 1] == '0' && s[j + 2] == '0') { /* %00 case */ - j += 2; - continue; - } - hexnum[0] = s[j + 1]; - hexnum[1] = s[j + 2]; - hexnum[2] = '\0'; - if (1 == sscanf(hexnum, "%x", &x)) { - s[i] = (char) (0x0ff & x); + if (s[j] != '%') { + /* normal case, nothing more to do */ + } else if (s[j + 1] == '%') { /* %% case */ + j++; /* Skip % */ + } else { + /* decode */ + char v1, v2; + int x; + v1 = fromhex(s[j + 1]); + if (v1 < 0) + continue; /* non-hex or \0 */ + v2 = fromhex(s[j + 2]); + if (v2 < 0) + continue; /* non-hex or \0 */ + x = v1 << 4 | v2; + if (x > 0 && x <= 255) { + s[i] = x; j += 2; } } diff -ruN squid-2.7.STABLE7/lib/rfc2617.c squid-2.7.STABLE8/lib/rfc2617.c --- squid-2.7.STABLE7/lib/rfc2617.c 2008-01-02 21:28:48.000000000 +0100 +++ squid-2.7.STABLE8/lib/rfc2617.c 2010-02-12 21:15:54.000000000 +0100 @@ -13,7 +13,7 @@ /* - * $Id: rfc2617.c,v 1.8.6.3 2008/01/02 20:28:48 hno Exp $ + * $Id: rfc2617.c,v 1.8.6.4 2010/02/12 20:15:54 hno Exp $ * * DEBUG: * AUTHOR: RFC 2617 & Robert Collins 
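Review bot: `char v1, v2;` receives the `int` result of fromhex(), whose failure value is -1; on targets where plain `char` is unsigned (ARM, PowerPC, s390 among others) -1 becomes 255 and neither `v1 < 0` nor `v2 < 0` ever fires. With `v1 == 0` and a non-hex byte or the terminating NUL in `s[j + 2]`, `x = 0 << 4 | 255` passes `x > 0 && x <= 255`, so an input ending in `%0` is rewritten to 0xFF and `j += 2` steps onto the terminator, after which the loop's `i++, j++` and `s[i] = s[j]` read and write past the end of the string. Declaring them as `int v1, v2;` fixes this with no other change. Separately, the `%00` exclusion is now carried only by `x > 0`; a comment such as `/* %00 is deliberately left undecoded, as the old %00 branch did */` would preserve the intent the removed `/* %00 case */` line documented.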
@@ -161,7 +161,7 @@ SQUID_MD5Update(&Md5Ctx, pszMethod, strlen(pszMethod)); SQUID_MD5Update(&Md5Ctx, ":", 1); SQUID_MD5Update(&Md5Ctx, pszDigestUri, strlen(pszDigestUri)); - if (strcasecmp(pszQop, "auth-int") == 0) { + if (pszQop && strcasecmp(pszQop, "auth-int") == 0) { SQUID_MD5Update(&Md5Ctx, ":", 1); SQUID_MD5Update(&Md5Ctx, HEntity, HASHHEXLEN); } @@ -175,7 +175,7 @@ SQUID_MD5Update(&Md5Ctx, ":", 1); SQUID_MD5Update(&Md5Ctx, pszNonce, strlen(pszNonce)); SQUID_MD5Update(&Md5Ctx, ":", 1); - if (*pszQop) { + if (pszQop && *pszQop) { SQUID_MD5Update(&Md5Ctx, pszNonceCount, strlen(pszNonceCount)); SQUID_MD5Update(&Md5Ctx, ":", 1); SQUID_MD5Update(&Md5Ctx, pszCNonce, strlen(pszCNonce)); diff -ruN squid-2.7.STABLE7/RELEASENOTES.html squid-2.7.STABLE8/RELEASENOTES.html --- squid-2.7.STABLE7/RELEASENOTES.html 2009-09-17 00:58:18.000000000 +0200 +++ squid-2.7.STABLE8/RELEASENOTES.html 2010-03-10 01:41:49.000000000 +0100 @@ -2,12 +2,12 @@ - Squid 2.7.STABLE7 release notes + Squid 2.7.STABLE8 release notes -
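Review bot: Both hunks let `pszQop` be NULL, but inside the second hunk's branch `pszNonceCount` and `pszCNonce` are still passed straight to strlen(), so a caller that supplies a non-empty qop with a NULL nc or cnonce still crashes exactly as before; the auth_digest.c changes elsewhere in this diff reject such requests before reaching here, but this is a library routine and the contract belongs at its definition, e.g. `/* pszQop may be NULL or empty (RFC 2069 mode); when non-empty, pszNonceCount and pszCNonce must be non-NULL */`, with an `assert(pszNonceCount && pszCNonce)` inside the branch if the project style allows it. The first hunk's `auth-int` branch hashes `HEntity` under the same assumption. The enclosing function starts and ends outside both hunks.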

Squid 2.7.STABLE7 release notes

+

Squid 2.7.STABLE8 release notes

-

Squid Developers

$Id: release.html,v 1.1.2.12 2009/09/16 22:29:48 hno Exp $ +

Squid Developers

$Id: release.html,v 1.1.2.14 2010/03/07 21:12:08 hno Exp $
This document contains the release notes for version 2.7 of Squid. Squid is a WWW Cache application developed by the Web Caching community. @@ -59,6 +59,9 @@

10. Key changes in squid-2.7.STABLE7

+

+

11. Key changes in squid-2.7.STABLE8

+

1. Key changes from squid 2.6

@@ -556,6 +559,26 @@

+

11. Key changes in squid-2.7.STABLE8

+ +

+

    +
  • Bug #2858: Segment violation in HTCP
  • +
  • Bug #2773: Segfault in RFC2069 Digest authantication
  • +
  • Bug #2845: Crashes on malformed Digest authentication
  • +
  • Bug #2367: Incorrect stale=true/false indications in Digest auth +causing random auth popups.
  • +
  • Improve %nn parser to better deal with certain odd %nn sequences
  • +
  • Handle DNS header-only packets as invalid. (CVE-2010-0308)
  • +
  • Bug #2678 - storeurl_rewrite does not play nicely with vary
  • +
  • And many other minor bugfixes
  • +
  • See also the list of +squid-2.7.STABLE8 changes and the +ChangeLog file for details.
  • +
+

+ + diff -ruN squid-2.7.STABLE7/src/auth/digest/auth_digest.c squid-2.7.STABLE8/src/auth/digest/auth_digest.c --- squid-2.7.STABLE7/src/auth/digest/auth_digest.c 2008-01-02 16:54:26.000000000 +0100 +++ squid-2.7.STABLE8/src/auth/digest/auth_digest.c 2010-03-07 17:00:07.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: auth_digest.c,v 1.23.2.1 2008/01/02 15:54:26 hno Exp $ + * $Id: auth_digest.c,v 1.23.2.3 2010/03/07 16:00:07 hno Exp $ * * DEBUG: section 29 Authenticator * AUTHOR: Robert Collins @@ -93,6 +93,34 @@ CBDATA_TYPE(authenticateStateData); +enum http_digest_attr_type { + DIGEST_USERNAME, + DIGEST_REALM, + DIGEST_QOP, + DIGEST_ALGORITHM, + DIGEST_URI, + DIGEST_NONCE, + DIGEST_NC, + DIGEST_CNONCE, + DIGEST_RESPONSE, + DIGEST_ENUM_END +}; + +static const HttpHeaderFieldAttrs DigestAttrs[DIGEST_ENUM_END] = +{ + {"username", (http_hdr_type) DIGEST_USERNAME}, + {"realm", (http_hdr_type) DIGEST_REALM}, + {"qop", (http_hdr_type) DIGEST_QOP}, + {"algorithm", (http_hdr_type) DIGEST_ALGORITHM}, + {"uri", (http_hdr_type) DIGEST_URI}, + {"nonce", (http_hdr_type) DIGEST_NONCE}, + {"nc", (http_hdr_type) DIGEST_NC}, + {"cnonce", (http_hdr_type) DIGEST_CNONCE}, + {"response", (http_hdr_type) DIGEST_RESPONSE}, +}; + +static HttpHeaderFieldInfo *DigestFieldsInfo = NULL; + /* * * Nonce Functions @@ -567,6 +595,11 @@ { if (digestauthenticators) helperShutdown(digestauthenticators); + + if (DigestFieldsInfo) { + httpHeaderDestroyFieldsInfo(DigestFieldsInfo, DIGEST_ENUM_END); + DigestFieldsInfo = NULL; + } authdigest_initialised = 0; if (!shutting_down) { authenticateDigestNonceReconfigure(); @@ -722,6 +755,7 @@ RequestMethods[METHOD_GET].str, digest_request->uri, HA2, Response); if (strcasecmp(digest_request->response, Response)) { digest_request->flags.credentials_ok = 3; + digest_request->flags.invalid_password = 1; safe_free(auth_user_request->message); auth_user_request->message = xstrdup("Incorrect password"); return; 
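Review bot: The DigestAttrs table stores `enum http_digest_attr_type` values through a cast to `http_hdr_type`, so the ids that httpHeaderIdByName hands back for DigestFieldsInfo are digest attribute ids, not HTTP header ids, and must never reach the regular HttpHeader API; a comment above the table, `/* ids are http_digest_attr_type values, only meaningful with DigestFieldsInfo; not HTTP header ids */`, would stop the next reader from passing them along. Whether the name match is case-insensitive (auth-param names are tokens, so `Username=` is legal) is not visible here and worth confirming against httpHeaderIdByName. The shutdown hunk pairs httpHeaderDestroyFieldsInfo with the build in the init hunk correctly, and the added `invalid_password = 1` flag looks consistent with the existing `credentials_ok = 3`.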
@@ -933,6 +967,7 @@ authDigestUserSetup(); authDigestRequestSetup(); authenticateDigestNonceSetup(); + DigestFieldsInfo = httpHeaderBuildFieldsInfo(DigestAttrs, DIGEST_ENUM_END); authdigest_initialised = 1; if (digestauthenticators == NULL) digestauthenticators = helperCreate("digestauthenticator"); @@ -1153,7 +1188,7 @@ debug(29, 9) ("authenticateDigestDecodeAuth: beginning\n"); assert(auth_user_request != NULL); - digest_request = authDigestRequestNew(); + digest_request = auth_user_request->scheme_data = authDigestRequestNew(); /* trim DIGEST from string */ while (xisgraph(*proxy_auth)) 
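Review bot: `digest_request = auth_user_request->scheme_data = authDigestRequestNew();` attaches the scheme data before any validation, and the later hunks in this function replace each `authDigestRequestDelete(digest_request); auth_user_request->scheme_data = NULL;` with a bare `return authDigestLogUsername(...)`, so on every rejected request the half-parsed digest_request now stays owned by auth_user_request. That is presumably intended (the `credentials_ok = 3` path on an unknown nonce relies on it), but it moves the release to whatever tears down auth_user_request, which is not visible here; a comment on this line, `/* owned by auth_user_request from here on; freed with it, not on the early-return paths below */`, would record that, and the teardown should be checked to call authDigestRequestDelete. authenticateDigestDecodeAuth starts before this hunk and ends after it.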
@@ -1164,82 +1199,102 @@ proxy_auth++; stringInit(&temp, proxy_auth); + while (strListGetItem(&temp, ',', &item, &ilen, &pos)) { - if ((p = strchr(item, '=')) && (p - item < ilen)) - ilen = p++ - item; - if (!strncmp(item, "username", ilen)) { - /* white space */ - while (xisspace(*p)) - p++; - /* quote mark */ - p++; - username = xstrndup(p, strchr(p, '"') + 1 - p); + String value = StringNull; + size_t nlen; + size_t vlen; + enum http_digest_attr_type type; + + /* isolate directive name & value */ + if ((p = (const char *) memchr(item, '=', ilen)) && (p - item < ilen)) { + nlen = p++ - item; + vlen = ilen - (p - item); + } else { + nlen = ilen; + vlen = 0; + } + + /* parse value. auth-param = token "=" ( token | quoted-string ) */ + if (vlen > 0) { + if (*p == '"') { + if (!httpHeaderParseQuotedString(p, &value)) { + debug(29, 9) ("authDigestDecodeAuth: Failed to parse attribute '%s' in '%s'\n", item, proxy_auth); + continue; + } + } else { + stringLimitInit(&value, p, vlen); + } + } else { + debug(29, 9) ("authDigestDecodeAuth: Failed to parse attribute '%s' in '%s'\n", item, proxy_auth); + continue; + } + + /* find type */ + type = (enum http_digest_attr_type) httpHeaderIdByName(item, nlen, DigestFieldsInfo, DIGEST_ENUM_END); + + switch (type) { + case DIGEST_USERNAME: + safe_free(username); + username = xstrndup(strBuf(value), strLen(value) + 1); debug(29, 9) ("authDigestDecodeAuth: Found Username '%s'\n", username); - } else if (!strncmp(item, "realm", ilen)) { - /* white space */ - while (xisspace(*p)) - p++; - /* quote mark */ - p++; - digest_request->realm = xstrndup(p, strchr(p, '"') + 1 - p); + break; + + case DIGEST_REALM: + safe_free(digest_request->realm); + digest_request->realm = xstrndup(strBuf(value), strLen(value) + 1); debug(29, 9) ("authDigestDecodeAuth: Found realm '%s'\n", digest_request->realm); - } else if (!strncmp(item, "qop", ilen)) { - /* white space */ - while (xisspace(*p)) - p++; - if (*p == '\"') - /* quote mark */ - p++; - 
digest_request->qop = xstrndup(p, strcspn(p, "\" \t\r\n()<>@,;:\\/[]?={}") + 1); + break; + + case DIGEST_QOP: + safe_free(digest_request->qop); + digest_request->qop = xstrndup(strBuf(value), strLen(value) + 1); debug(29, 9) ("authDigestDecodeAuth: Found qop '%s'\n", digest_request->qop); - } else if (!strncmp(item, "algorithm", ilen)) { - /* white space */ - while (xisspace(*p)) - p++; - if (*p == '\"') - /* quote mark */ - p++; - digest_request->algorithm = xstrndup(p, strcspn(p, "\" \t\r\n()<>@,;:\\/[]?={}") + 1); + break; + + case DIGEST_ALGORITHM: + safe_free(digest_request->algorithm); + digest_request->algorithm = xstrndup(strBuf(value), strLen(value) + 1); debug(29, 9) ("authDigestDecodeAuth: Found algorithm '%s'\n", digest_request->algorithm); - } else if (!strncmp(item, "uri", ilen)) { - /* white space */ - while (xisspace(*p)) - p++; - /* quote mark */ - p++; - digest_request->uri = xstrndup(p, strchr(p, '"') + 1 - p); + break; + + case DIGEST_URI: + safe_free(digest_request->uri); + digest_request->uri = xstrndup(strBuf(value), strLen(value) + 1); debug(29, 9) ("authDigestDecodeAuth: Found uri '%s'\n", digest_request->uri); - } else if (!strncmp(item, "nonce", ilen)) { - /* white space */ - while (xisspace(*p)) - p++; - /* quote mark */ - p++; - digest_request->nonceb64 = xstrndup(p, strchr(p, '"') + 1 - p); + break; + + case DIGEST_NONCE: + safe_free(digest_request->nonceb64); + digest_request->nonceb64 = xstrndup(strBuf(value), strLen(value) + 1); debug(29, 9) ("authDigestDecodeAuth: Found nonce '%s'\n", digest_request->nonceb64); - } else if (!strncmp(item, "nc", ilen)) { - /* white space */ - while (xisspace(*p)) - p++; - xstrncpy(digest_request->nc, p, 9); + break; + + case DIGEST_NC: + if (strLen(value) != 8) { + debug(29, 9) ("authDigestDecodeAuth: Invalid nc '%s' in '%s'\n", strBuf(value), proxy_auth); + } + xstrncpy(digest_request->nc, strBuf(value), strLen(value) + 1); debug(29, 9) ("authDigestDecodeAuth: Found noncecount '%s'\n", 
digest_request->nc); - } else if (!strncmp(item, "cnonce", ilen)) { - /* white space */ - while (xisspace(*p)) - p++; - /* quote mark */ - p++; - digest_request->cnonce = xstrndup(p, strchr(p, '"') + 1 - p); + break; + + case DIGEST_CNONCE: + safe_free(digest_request->cnonce); + digest_request->cnonce = xstrndup(strBuf(value), strLen(value) + 1); debug(29, 9) ("authDigestDecodeAuth: Found cnonce '%s'\n", digest_request->cnonce); - } else if (!strncmp(item, "response", ilen)) { - /* white space */ - while (xisspace(*p)) - p++; - /* quote mark */ - p++; - digest_request->response = xstrndup(p, strchr(p, '"') + 1 - p); + break; + + case DIGEST_RESPONSE: + safe_free(digest_request->response); + digest_request->response = xstrndup(strBuf(value), strLen(value) + 1); debug(29, 9) ("authDigestDecodeAuth: Found response '%s'\n", digest_request->response); + break; + + default: + debug(29, 3) ("authDigestDecodeAuth: Unknown attribute '%s' in '%s'\n", item, proxy_auth); + break; } + stringClean(&value); } stringClean(&temp); 
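Review bot: In the `DIGEST_NC` case the copy `xstrncpy(digest_request->nc, strBuf(value), strLen(value) + 1)` is bounded by the length of the client-supplied value instead of by the destination, which the removed line bounded to 9 bytes; the preceding `if (strLen(value) != 8)` only logs and falls through, so an over-long `nc=` directive overruns the fixed `nc` buffer before the later validation hunk gets to re-check `strlen(nc) != 8`. Either reject and skip on the length check, `if (strLen(value) != 8) { debug(...); continue; }`, or restore the destination bound, `xstrncpy(digest_request->nc, strBuf(value), sizeof(digest_request->nc))` (assuming nc is an array, as the old literal 9 suggests); doing both is cheapest. The same `strLen(value) + 1` idiom is fine for the xstrndup cases since they allocate. The surrounding function starts and ends outside this hunk.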
@@ -1255,100 +1310,96 @@ * correct values - 400/401/407 */ - /* first the NONCE count */ - if (digest_request->cnonce && strlen(digest_request->nc) != 8) { - debug(29, 4) ("authenticateDigestDecode: nonce count length invalid\n"); - authDigestLogUsername(auth_user_request, username); - - /* we don't need the scheme specific data anymore */ - authDigestRequestDelete(digest_request); - auth_user_request->scheme_data = NULL; - return; - } - /* now the nonce */ - nonce = authenticateDigestNonceFindNonce(digest_request->nonceb64); - if (!nonce) { - /* we couldn't find a matching nonce! */ - debug(29, 4) ("authenticateDigestDecode: Unexpected or invalid nonce received\n"); - authDigestLogUsername(auth_user_request, username); - auth_user_request->scheme_data = digest_request; - return; - } - digest_request->nonce = nonce; - authDigestNonceLink(nonce); - - /* check the qop is what we expected. Note that for compatability with - * RFC 2069 we should support a missing qop. Tough. */ - if (digest_request->qop && strcmp(digest_request->qop, QOP_AUTH) != 0) { - /* we received a qop option we didn't send */ - debug(29, 4) ("authenticateDigestDecode: Invalid qop option received\n"); - authDigestLogUsername(auth_user_request, username); - - /* we don't need the scheme specific data anymore */ - authDigestRequestDelete(digest_request); - auth_user_request->scheme_data = NULL; - return; - } - /* we can't check the URI just yet. We'll check it in the - * authenticate phase */ - - /* is the response the correct length? */ + /* 2069 requirements */ - if (!digest_request->response || strlen(digest_request->response) != 32) { - debug(29, 4) ("authenticateDigestDecode: Response length invalid\n"); - authDigestLogUsername(auth_user_request, username); - - /* we don't need the scheme specific data anymore */ - authDigestRequestDelete(digest_request); - auth_user_request->scheme_data = NULL; - return; - } /* do we have a username ? 
*/ if (!username || username[0] == '\0') { debug(29, 4) ("authenticateDigestDecode: Empty or not present username\n"); - authDigestLogUsername(auth_user_request, username); - - /* we don't need the scheme specific data anymore */ - authDigestRequestDelete(digest_request); - auth_user_request->scheme_data = NULL; - return; + return authDigestLogUsername(auth_user_request, username); } - /* check that we're not being hacked / the username hasn't changed */ - if (nonce->auth_user && strcmp(username, authenticateUserUsername(nonce->auth_user))) { - debug(29, 4) ("authenticateDigestDecode: Username for the nonce does not equal the username for the request\n"); - authDigestLogUsername(auth_user_request, username); - - /* we don't need the scheme specific data anymore */ - authDigestRequestDelete(digest_request); - auth_user_request->scheme_data = NULL; - return; + /* Sanity check of the username. + * " can not be allowed in usernames until * the digest helper protocol + * have been redone + */ + if (strchr(username, '"')) { + debug(29, 2) ("authenticateDigestDecode: Unacceptable username '%s'\n", username); + return authDigestLogUsername(auth_user_request, username); + } + /* do we have a realm ? */ + if (!digest_request->realm || digest_request->realm[0] == '\0') { + debug(29, 2) ("authenticateDigestDecode: Empty or not present realm"); + return authDigestLogUsername(auth_user_request, username); + } + /* and a nonce? */ + if (!digest_request->nonceb64 || digest_request->nonceb64[0] == '\0') { + debug(29, 2) ("authenticateDigestDecode: Empty or not present nonce"); + return authDigestLogUsername(auth_user_request, username); } - /* if we got a qop, did we get a cnonce or did we get a cnonce wihtout a qop? 
*/ - if ((digest_request->qop && !digest_request->cnonce) - || (!digest_request->qop && digest_request->cnonce)) { - debug(29, 4) ("authenticateDigestDecode: qop without cnonce, or vice versa!\n"); - authDigestLogUsername(auth_user_request, username); - - /* we don't need the scheme specific data anymore */ - authDigestRequestDelete(digest_request); - auth_user_request->scheme_data = NULL; - return; + /* we can't check the URI just yet. We'll check it in the + * authenticate phase, but needs to be given */ + if (!digest_request->uri || digest_request->uri[0] == '\0') { + debug(29, 2) ("authenticateDigestDecode: Missing URI field"); + return authDigestLogUsername(auth_user_request, username); + } + /* is the response the correct length? */ + if (!digest_request->response || strlen(digest_request->response) != 32) { + debug(29, 2) ("authenticateDigestDecode: Response length invalid\n"); + return authDigestLogUsername(auth_user_request, username); } /* check the algorithm is present and supported */ if (!digest_request->algorithm) digest_request->algorithm = xstrndup("MD5", 4); else if (strcmp(digest_request->algorithm, "MD5") && strcmp(digest_request->algorithm, "MD5-sess")) { - debug(29, 4) ("authenticateDigestDecode: invalid algorithm specified!\n"); - authDigestLogUsername(auth_user_request, username); + debug(29, 2) ("authenticateDigestDecode: invalid algorithm specified!\n"); + return authDigestLogUsername(auth_user_request, username); + } + /* 2617 requirements, indicated by qop */ + if (digest_request->qop) { - /* we don't need the scheme specific data anymore */ - authDigestRequestDelete(digest_request); - auth_user_request->scheme_data = NULL; - return; + /* check the qop is what we expected. 
*/ + if (strcmp(digest_request->qop, QOP_AUTH) != 0) { + /* we received a qop option we didn't send */ + debug(29, 2) ("authenticateDigestDecode: Invalid qop option received\n"); + return authDigestLogUsername(auth_user_request, username); + } + /* check cnonce */ + if (!digest_request->cnonce || digest_request->cnonce[0] == '\0') { + debug(29, 2) ("authenticateDigestDecode: Missing cnonce field\n"); + return authDigestLogUsername(auth_user_request, username); + } + /* check nc */ + if (strlen(digest_request->nc) != 8 || strspn(digest_request->nc, "0123456789abcdefABCDEF") != 8) { + debug(29, 2) ("authenticateDigestDecode: invalid nonce count\n"); + return authDigestLogUsername(auth_user_request, username); + } + } else { + /* cnonce and nc both require qop */ + if (digest_request->cnonce || digest_request->nc) { + debug(29, 2) ("authenticateDigestDecode: missing qop!\n"); + return authDigestLogUsername(auth_user_request, username); + } } - /* the method we'll check at the authenticate step as well */ +/** below nonce state dependent **/ + + /* now the nonce */ + nonce = authenticateDigestNonceFindNonce(digest_request->nonceb64); + if (!nonce) { + /* we couldn't find a matching nonce! */ + debug(29, 2) ("authenticateDigestDecode: Unexpected or invalid nonce received\n"); + digest_request->flags.credentials_ok = 3; + return authDigestLogUsername(auth_user_request, username); + } + digest_request->nonce = nonce; + authDigestNonceLink(nonce); + + /* check that we're not being hacked / the username hasn't changed */ + if (nonce->auth_user && strcmp(username, authenticateUserUsername(nonce->auth_user))) { + debug(29, 2) ("authenticateDigestDecode: Username for the nonce does not equal the username for the request\n"); + return authDigestLogUsername(auth_user_request, username); + } + /* the method we'll check at the authenticate step as well */ /* we don't send or parse opaques. Ok so we're flexable ... */ 
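Review bot: Every early exit is now written as `return authDigestLogUsername(auth_user_request, username);`; authDigestLogUsername is used as a plain statement elsewhere, so if it is void this is a constraint violation in ISO C (a `return` with an expression in a void function) that GCC accepts only as an extension, and `authDigestLogUsername(auth_user_request, username); return;` is the portable form. Several of the new debug strings (`"Empty or not present realm"`, `"Empty or not present nonce"`, `"Missing URI field"`) lack the trailing `\n` their neighbours carry and will run into the next cache.log line. The removed `authDigestRequestDelete` / `scheme_data = NULL` cleanup is not replaced here, which is consistent with the earlier hunk assigning scheme_data at allocation, but it means the partially filled request lives until auth_user_request is destroyed. This hunk is the middle of authenticateDigestDecodeAuth, which starts and ends outside it.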
@@ -1384,7 +1435,6 @@ } /*link the request and the user */ auth_user_request->auth_user = auth_user; - auth_user_request->scheme_data = digest_request; /* lock for the request link */ authenticateAuthUserLock(auth_user); node = dlinkNodeNew(); diff -ruN squid-2.7.STABLE7/src/cf.data.pre squid-2.7.STABLE8/src/cf.data.pre --- squid-2.7.STABLE7/src/cf.data.pre 2009-08-16 23:52:42.000000000 +0200 +++ squid-2.7.STABLE8/src/cf.data.pre 2009-11-09 23:38:57.000000000 +0100 @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.450.2.33 2009/08/16 21:52:42 hno Exp $ +# $Id: cf.data.pre,v 1.450.2.34 2009/11/09 22:38:57 hno Exp $ # # SQUID Web Proxy Cache http://www.squid-cache.org/ # ---------------------------------------------------------- @@ -877,7 +877,7 @@ DOC_END NAME: reply_body_max_size -COMMENT: bytes allow|deny acl acl... +COMMENT: bytes deny acl acl... TYPE: body_size_t DEFAULT: none DEFAULT_IF_NONE: 0 allow all @@ -887,7 +887,7 @@ It can be used to prevent users from downloading very large files, such as MP3's and movies. When the reply headers are received, the reply_body_max_size lines are processed, and the first line with - a result of "allow" is used as the maximum body size for this reply. + a result of "deny" is used as the maximum body size for this reply. This size is checked twice. First when we get the reply headers, we check the content-length value. If the content length value exists and is larger than the allowed size, the request is denied and the diff -ruN squid-2.7.STABLE7/src/client_side.c squid-2.7.STABLE8/src/client_side.c --- squid-2.7.STABLE7/src/client_side.c 2009-08-16 23:43:51.000000000 +0200 +++ squid-2.7.STABLE8/src/client_side.c 2010-02-14 01:46:25.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: client_side.c,v 1.754.2.27 2009/08/16 21:43:51 hno Exp $ + * $Id: client_side.c,v 1.754.2.29 2010/02/14 00:46:25 hno Exp $ * * DEBUG: section 33 Client-side Routines * AUTHOR: Duane Wessels 
@@ -651,7 +651,7 @@ vary = httpMakeVaryMark(request, rep); if (etag && vary) { - storeAddVary(url, entry->mem_obj->method, NULL, httpHeaderGetStr(&rep->header, HDR_ETAG), request->vary_hdr, request->vary_headers, strBuf(request->vary_encoding)); + storeAddVary(entry->mem_obj->store_url, entry->mem_obj->url, entry->mem_obj->method, NULL, httpHeaderGetStr(&rep->header, HDR_ETAG), request->vary_hdr, request->vary_headers, strBuf(request->vary_encoding)); } } clientHandleETagMiss(http); @@ -3437,6 +3437,11 @@ return LOG_TCP_MISS; } if (EBIT_TEST(e->flags, KEY_EARLY_PUBLIC)) { + if (clientOnlyIfCached(http)) { + debug(33, 3) ("clientProcessRequest2: collapsed only-if-cached MISS\n"); + http->entry = NULL; + return LOG_TCP_MISS; + } r->flags.collapsed = 1; /* Don't trust the store entry */ } if (EBIT_TEST(e->flags, ENTRY_SPECIAL)) { diff -ruN squid-2.7.STABLE7/src/dns_internal.c squid-2.7.STABLE8/src/dns_internal.c --- squid-2.7.STABLE7/src/dns_internal.c 2009-08-16 23:49:44.000000000 +0200 +++ squid-2.7.STABLE8/src/dns_internal.c 2010-02-14 00:37:10.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: dns_internal.c,v 1.63.2.10 2009/08/16 21:49:44 hno Exp $ + * $Id: dns_internal.c,v 1.63.2.12 2010/02/13 23:37:10 hno Exp $ * * DEBUG: section 78 DNS lookups; interacts with lib/rfc1035.c * AUTHOR: Duane Wessels @@ -318,7 +318,7 @@ idnsParseWIN32SearchList(const char *Separator) { char *t; - char *token; + const char *token; HKEY hndKey; if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, REG_TCPIP_PARA, 0, KEY_QUERY_VALUE, &hndKey) == ERROR_SUCCESS) { 
@@ -351,10 +351,10 @@ } RegCloseKey(hndKey); } - if (npc == 0 && ((const char *) t = getMyHostname())) { - t = strchr(t, '.'); - if (t) - idnsAddPathComponent(t + 1); + if (npc == 0 && (token = getMyHostname())) { + token = strchr(token, '.'); + if (token) + idnsAddPathComponent(token + 1); } } diff -ruN squid-2.7.STABLE7/src/htcp.c squid-2.7.STABLE8/src/htcp.c --- squid-2.7.STABLE7/src/htcp.c 2008-05-05 01:23:13.000000000 +0200 +++ squid-2.7.STABLE8/src/htcp.c 2010-02-11 11:05:01.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: htcp.c,v 1.55.2.2 2008/05/04 23:23:13 hno Exp $ + * $Id: htcp.c,v 1.55.2.3 2010/02/11 10:05:01 amosjeffries Exp $ * * DEBUG: section 31 Hypertext Caching Protocol * AUTHOR: Duane Wesssels @@ -950,6 +950,11 @@ debug(31, 3) ("htcpHandleClr: htcpUnpackSpecifier failed\n"); return; } + if (!s->request) { + debug(31, 2) ("htcpHandleTstRequest: failed to parse request\n"); + htcpFreeSpecifier(s); + return; + } if (!htcpAccessCheck(Config.accessList.htcp_clr, s, from)) { debug(31, 2) ("htcpHandleClr: Access denied\n"); htcpFreeSpecifier(s); diff -ruN squid-2.7.STABLE7/src/HttpHeaderTools.c squid-2.7.STABLE8/src/HttpHeaderTools.c --- squid-2.7.STABLE7/src/HttpHeaderTools.c 2009-09-16 22:56:03.000000000 +0200 +++ squid-2.7.STABLE8/src/HttpHeaderTools.c 2010-03-07 17:00:07.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: HttpHeaderTools.c,v 1.41.2.2 2009/09/16 20:56:03 hno Exp $ + * $Id: HttpHeaderTools.c,v 1.41.2.3 2010/03/07 16:00:07 hno Exp $ * * DEBUG: section 66 HTTP Header Tools * AUTHOR: Alex Rousskov 
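Review bot: The new guard in htcp.c logs under the wrong function name — it sits in htcpHandleClr (both neighbouring messages say so) but prints `htcpHandleTstRequest: failed to parse request`, which sends whoever reads cache.log to the wrong handler; it should read `debug(31, 2) ("htcpHandleClr: failed to parse request\n");`. The check itself is in the right place, rejecting a specifier without a parsed request before htcpAccessCheck can dereference it, so this is naming only. Whether the TST handler carries the same `!s->request` check is not visible in this hunk and is worth confirming given the ChangeLog's HTCP segmentation-fault entry. htcpHandleClr continues outside the hunk.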
@@ -420,6 +420,42 @@ } #endif +/** + * Parses a quoted-string field (RFC 2616 section 2.2), complains if + * something went wrong, returns non-zero on success. + * start should point at the first double-quote. + * RC TODO: This is too looose. We should honour the BNF and exclude CTL's + */ +int +httpHeaderParseQuotedString(const char *start, String * val) +{ + const char *end, *pos; + stringClean(val); + if (*start != '"') { + debug(66, 2) ("failed to parse a quoted-string header field near '%s'\n", start); + return 0; + } + pos = start + 1; + + while (*pos != '"') { + int quoted = (*pos == '\\'); + if (quoted) + pos++; + if (!*pos) { + debug(66, 2) ("failed to parse a quoted-string header field near '%s'\n", start); + stringClean(val); + return 0; + } + end = pos + strcspn(pos + quoted, "\"\\") + quoted; + stringAppend(val, pos, end - pos); + pos = end; + } + /* Make sure it's defined even if empty "" */ + if (!val->buf) + stringLimitInit(val, "", 0); + return 1; +} + /* * httpHdrMangle checks the anonymizer (header_access) configuration. * Returns 1 if the header is allowed. diff -ruN squid-2.7.STABLE7/src/main.c squid-2.7.STABLE8/src/main.c --- squid-2.7.STABLE7/src/main.c 2009-06-26 00:53:15.000000000 +0200 +++ squid-2.7.STABLE8/src/main.c 2010-03-07 16:58:56.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: main.c,v 1.403.2.4 2009/06/25 22:53:15 hno Exp $ + * $Id: main.c,v 1.403.2.6 2010/03/07 15:58:56 hno Exp $ * * DEBUG: section 1 Startup and Main Loop * AUTHOR: Harvest Derived @@ -401,6 +401,7 @@ authenticateShutdown(); externalAclShutdown(); refreshCheckShutdown(); + storeDirSync(); /* Flush pending I/O ops */ storeDirCloseSwapLogs(); storeLogClose(); accessLogClose(); @@ -473,7 +474,6 @@ refreshCheckShutdown(); _db_rotate_log(); /* cache.log */ storeDirWriteCleanLogs(1); - storeDirSync(); /* Flush pending I/O ops */ storeLogRotate(); /* store.log */ accessLogRotate(); /* access.log */ useragentRotateLog(); /* useragent.log */ 
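Review bot: httpHeaderParseQuotedString scans to the closing quote or the NUL terminator with no length limit and gives the caller no way to learn where the quoted-string ended, so the digest decoder that calls it with a `vlen` computed from a comma-split item can neither tell that the value ran past the item nor that trailing bytes followed the closing quote. A `const char **end` out-parameter would make the boundary explicit; until then the header comment should say `start must be NUL-terminated; parsing stops at the first unescaped '"' and nothing after it is examined`. The `RC TODO` line already concedes that CTLs are let through, and since this routine now sits on the authentication path, rejecting bytes below 0x20 that the quoted-pair rule does not cover is worth doing rather than leaving as a todo. "looose" in that comment should be "loose".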
@@ -551,7 +551,8 @@ Config.Port.icp = (u_short) icpPortNumOverride; _db_init(Config.Log.log, Config.debugOptions); - fd_open(fileno(debug_log), FD_LOG, Config.Log.log); + if (debug_log != stderr) + fd_open(fileno(debug_log), FD_LOG, Config.Log.log); #if MEM_GEN_TRACE log_trace_init("/tmp/squid.alloc"); #endif diff -ruN squid-2.7.STABLE7/src/protos.h squid-2.7.STABLE8/src/protos.h --- squid-2.7.STABLE7/src/protos.h 2009-08-16 23:43:51.000000000 +0200 +++ squid-2.7.STABLE8/src/protos.h 2010-03-07 17:00:07.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: protos.h,v 1.547.2.11 2009/08/16 21:43:51 hno Exp $ + * $Id: protos.h,v 1.547.2.13 2010/03/07 16:00:07 hno Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -426,6 +426,7 @@ extern const char *getStringPrefix(const char *str, const char *end); extern int httpHeaderParseInt(const char *start, int *val); extern int httpHeaderParseSize(const char *start, squid_off_t * sz); +extern int httpHeaderParseQuotedString(const char *start, String * val); extern int httpHeaderReset(HttpHeader * hdr); extern void httpHeaderAddClone(HttpHeader * hdr, const HttpHeaderEntry * e); #if STDC_HEADERS 
@@ -1470,7 +1471,7 @@ /* ETag support */ void storeLocateVaryDone(VaryData * data); void storeLocateVary(StoreEntry * e, int offset, const char *vary_data, String accept_encoding, STLVCB * callback, void *cbdata); -void storeAddVary(const char *url, const method_t method, const cache_key * key, const char *etag, const char *vary, const char *vary_headers, const char *accept_encoding); +void storeAddVary(const char *store_url, const char *url, const method_t method, const cache_key * key, const char *etag, const char *vary, const char *vary_headers, const char *accept_encoding); /* New HTTP message parsing support */ extern void HttpMsgBufInit(HttpMsgBuf * hmsg, const char *buf, size_t size); diff -ruN squid-2.7.STABLE7/src/squid.h squid-2.7.STABLE8/src/squid.h --- squid-2.7.STABLE7/src/squid.h 2008-01-09 14:55:23.000000000 +0100 +++ squid-2.7.STABLE8/src/squid.h 2010-02-12 21:22:18.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: squid.h,v 1.244.6.2 2008/01/09 13:55:23 hno Exp $ + * $Id: squid.h,v 1.244.6.3 2010/02/12 20:22:18 hno Exp $ * * AUTHOR: Duane Wessels * 
@@ -359,31 +359,6 @@ #define S_ISDIR(mode) (((mode) & (_S_IFMT)) == (_S_IFDIR)) #endif -/* - * ISO C99 Standard printf() macros for 64 bit integers - * On some 64 bit platform, HP Tru64 is one, for printf must be used - * "%lx" instead of "%llx" - */ -#ifndef PRId64 -#ifdef _SQUID_MSWIN_ /* Windows native port using MSVCRT */ -#define PRId64 "I64d" -#elif SIZEOF_INT64_T > SIZEOF_LONG -#define PRId64 "lld" -#else -#define PRId64 "ld" -#endif -#endif - -#ifndef PRIu64 -#ifdef _SQUID_MSWIN_ /* Windows native port using MSVCRT */ -#define PRIu64 "I64u" -#elif SIZEOF_INT64_T > SIZEOF_LONG -#define PRIu64 "llu" -#else -#define PRIu64 "lu" -#endif -#endif - #ifdef USE_GNUREGEX #include "GNUregex.h" #elif HAVE_REGEX_H diff -ruN squid-2.7.STABLE7/src/ssl_support.c squid-2.7.STABLE8/src/ssl_support.c --- squid-2.7.STABLE7/src/ssl_support.c 2006-07-04 23:55:55.000000000 +0200 +++ squid-2.7.STABLE8/src/ssl_support.c 2010-03-07 16:59:18.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: ssl_support.c,v 1.11 2006/07/04 21:55:55 hno Exp $ + * $Id: ssl_support.c,v 1.11.6.1 2010/03/07 15:59:18 hno Exp $ * * AUTHOR: Benno Rice * DEBUG: section 83 SSL accelerator support @@ -426,7 +426,7 @@ sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath, const char *CRLfile, const char *dhfile, const char *context) { int ssl_error; - SSL_METHOD *method; + const SSL_METHOD *method; SSL_CTX *sslContext; long fl = ssl_parse_flags(flags); 
@@ -587,7 +587,7 @@ sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile) { int ssl_error; - SSL_METHOD *method; + const SSL_METHOD *method; SSL_CTX *sslContext; long fl = ssl_parse_flags(flags); diff -ruN squid-2.7.STABLE7/src/store.c squid-2.7.STABLE8/src/store.c --- squid-2.7.STABLE7/src/store.c 2009-08-16 23:50:53.000000000 +0200 +++ squid-2.7.STABLE8/src/store.c 2010-02-14 01:45:52.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: store.c,v 1.584.2.9 2009/08/16 21:50:53 hno Exp $ + * $Id: store.c,v 1.584.2.10 2010/02/14 00:45:52 hno Exp $ * * DEBUG: section 20 Storage Manager * AUTHOR: Harvest Derived @@ -417,6 +417,7 @@ StoreEntry *oe; StoreEntry *e; store_client *sc; + char *store_url; char *url; char *key; char *vary_headers; @@ -468,6 +469,7 @@ storeUnlockObject(state->oe); state->oe = NULL; } + safe_free(state->store_url); safe_free(state->url); safe_free(state->key); safe_free(state->vary_headers); @@ -711,7 +713,7 @@ * At leas one of key or etag must be specified, preferably both. */ void -storeAddVary(const char *url, const method_t method, const cache_key * key, const char *etag, const char *vary, const char *vary_headers, const char *accept_encoding) +storeAddVary(const char *store_url, const char *url, const method_t method, const cache_key * key, const char *etag, const char *vary, const char *vary_headers, const char *accept_encoding) { AddVaryState *state; request_flags flags = null_request_flags; 
@@ -725,13 +727,15 @@ state->accept_encoding = xstrdup(accept_encoding); if (etag) state->etag = xstrdup(etag); - state->oe = storeGetPublic(url, method); + state->oe = storeGetPublic(store_url ? store_url : url, method); debug(11, 2) ("storeAddVary: %s (%s) %s %s\n", state->url, state->key, state->vary_headers, state->etag); if (state->oe) storeLockObject(state->oe); flags.cachable = 1; state->e = storeCreateEntry(url, flags, method); + if (store_url) + state->e->mem_obj->store_url = xstrdup(store_url); httpReplySetHeaders(state->e->mem_obj->reply, HTTP_OK, "Internal marker object", "x-squid-internal/vary", -1, -1, squid_curtime + 100000); httpHeaderPutStr(&state->e->mem_obj->reply->header, HDR_VARY, vary); storeSetPublicKey(state->e); @@ -1055,7 +1059,7 @@ strListAdd(&vary, strBuf(varyhdr), ','); stringClean(&varyhdr); #endif - storeAddVary(mem->url, mem->method, newkey, httpHeaderGetStr(&mem->reply->header, HDR_ETAG), strBuf(vary), mem->vary_headers, mem->vary_encoding); + storeAddVary(mem->store_url, mem->url, mem->method, newkey, httpHeaderGetStr(&mem->reply->header, HDR_ETAG), strBuf(vary), mem->vary_headers, mem->vary_encoding); stringClean(&vary); } } else { diff -ruN squid-2.7.STABLE7/src/tools.c squid-2.7.STABLE8/src/tools.c --- squid-2.7.STABLE7/src/tools.c 2008-10-06 23:27:17.000000000 +0200 +++ squid-2.7.STABLE8/src/tools.c 2010-03-07 16:56:50.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: tools.c,v 1.260.2.5 2008/10/06 21:27:17 hno Exp $ + * $Id: tools.c,v 1.260.2.6 2010/03/07 15:56:50 hno Exp $ * * DEBUG: section 21 Misc Functions * AUTHOR: Harvest Derived @@ -42,13 +42,15 @@ #ifdef _SQUID_LINUX_ #if HAVE_SYS_CAPABILITY_H -#undef _POSIX_SOURCE +#if LIBCAP_BROKEN /* Ugly glue to get around linux header madness colliding with glibc */ +#undef _POSIX_SOURCE #define _LINUX_TYPES_H #define _LINUX_FS_H typedef uint32_t __u32; -#include #endif +#include +#endif /* HAVE_SYS_CAPABILITY_H */ #endif #if HAVE_SYS_PRCTL_H 
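Review bot: `state->store_url`, the field added to AddVaryState and released with `safe_free(state->store_url)` in the earlier hunks of this file, is never assigned here: the new `store_url` argument only feeds `storeGetPublic()` and `state->e->mem_obj->store_url`. Because the field is new, the unchanged lines between the signature hunk and this one cannot set it either, so it is either dead (drop it and its safe_free) or a `state->store_url = store_url ? xstrdup(store_url) : NULL;` is missing next to the other xstrdup() assignments, which this hunk does not show. If the cbdata/xcalloc-style allocation of `state` does not zero memory, the safe_free on an unset field would be a wild free rather than a no-op, so settling this one way or the other matters. storeAddVary's body continues past the hunk.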
@@ -1344,7 +1346,7 @@ void keepCapabilities(void) { -#if HAVE_PRCTL && defined(PR_SET_KEEPCAPS) && HAVE_SYS_CAPABILITY_H +#if HAVE_PRCTL && defined(PR_SET_KEEPCAPS) && USE_LIBCAP if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) { /* Silent failure unless TPROXY is required. Maybe not started as root */ #if LINUX_TPROXY 
@@ -1359,44 +1361,42 @@ static void restoreCapabilities(int keep) { -#if defined(_SQUID_LINUX_) && HAVE_SYS_CAPABILITY_H -#ifndef _LINUX_CAPABILITY_VERSION_1 -#define _LINUX_CAPABILITY_VERSION_1 _LINUX_CAPABILITY_VERSION -#endif - cap_user_header_t head = xcalloc(1, sizeof(*head)); - cap_user_data_t cap = xcalloc(1, sizeof(*cap)); - - head->version = _LINUX_CAPABILITY_VERSION_1; - if (capget(head, cap) != 0) { - debug(50, 1) ("Can't get current capabilities\n"); - goto nocap; - } - if (head->version != _LINUX_CAPABILITY_VERSION_1) { - debug(50, 1) ("Invalid capability version %d (expected %d)\n", head->version, _LINUX_CAPABILITY_VERSION); - goto nocap; - } - head->pid = 0; - - cap->inheritable = 0; - cap->effective = (1 << CAP_NET_BIND_SERVICE); -#if LINUX_TPROXY - if (need_linux_tproxy) - cap->effective |= (1 << CAP_NET_ADMIN) | (1 << CAP_NET_BROADCAST); -#endif - if (!keep) - cap->permitted &= cap->effective; - if (capset(head, cap) != 0) { - /* Silent failure unless TPROXY is required */ +#if USE_LIBCAP + cap_t caps; + if (keep) + caps = cap_get_proc(); + else + caps = cap_init(); + if (!caps) { #if LINUX_TPROXY if (need_linux_tproxy) debug(50, 1) ("Error enabling needed capabilities. Will continue without tproxy support\n"); need_linux_tproxy = 0; #endif + } else { + int ncaps = 0; + int rc = 0; + cap_value_t cap_list[10]; + cap_list[ncaps++] = CAP_NET_BIND_SERVICE; +#if LINUX_TPROXY + if (need_linux_tproxy) { + cap_list[ncaps++] = CAP_NET_ADMIN; + cap_list[ncaps++] = CAP_NET_BROADCAST; + } +#endif + cap_clear_flag(caps, CAP_EFFECTIVE); + rc |= cap_set_flag(caps, CAP_EFFECTIVE, ncaps, cap_list, CAP_SET); + rc |= cap_set_flag(caps, CAP_PERMITTED, ncaps, cap_list, CAP_SET); + if (rc || cap_set_proc(caps) != 0) { + /* Silent failure unless TPROXY is required */ +#if LINUX_TPROXY + if (need_linux_tproxy) + debug(50, 1) ("Error enabling needed capabilities. 
Will continue without tproxy support\n"); + need_linux_tproxy = 0; +#endif + } } - nocap: - xfree(head); - xfree(cap); -#else +#else /* !USE_LIBCAP */ #if LINUX_TPROXY if (need_linux_tproxy) debug(50, 1) ("Missing needed capability support. Will continue without tproxy support\n"); diff -ruN squid-2.7.STABLE7/src/typedefs.h squid-2.7.STABLE8/src/typedefs.h --- squid-2.7.STABLE7/src/typedefs.h 2009-08-16 23:43:51.000000000 +0200 +++ squid-2.7.STABLE8/src/typedefs.h 2010-02-12 21:22:18.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: typedefs.h,v 1.157.2.2 2009/08/16 21:43:51 hno Exp $ + * $Id: typedefs.h,v 1.157.2.3 2010/02/12 20:22:18 hno Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -41,18 +41,6 @@ typedef signed int sfileno; typedef signed int sdirno; -#if SIZEOF_INT64_T > SIZEOF_LONG && HAVE_STRTOLL -typedef int64_t squid_off_t; -#define SIZEOF_SQUID_OFF_T SIZEOF_INT64_T -#define PRINTF_OFF_T PRId64 -#define strto_off_t (int64_t)strtoll -#else -typedef long squid_off_t; -#define SIZEOF_SQUID_OFF_T SIZEOF_LONG -#define PRINTF_OFF_T "ld" -#define strto_off_t strtol -#endif - #if LARGE_CACHE_FILES typedef squid_off_t squid_file_sz; #define SIZEOF_SQUID_FILE_SZ SIZEOF_SQUID_OFF_T diff -ruN squid-2.7.STABLE7/src/wccp2.c squid-2.7.STABLE8/src/wccp2.c --- squid-2.7.STABLE7/src/wccp2.c 2008-05-05 01:23:13.000000000 +0200 +++ squid-2.7.STABLE8/src/wccp2.c 2010-02-12 21:49:53.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: wccp2.c,v 1.31.2.3 2008/05/04 23:23:13 hno Exp $ + * $Id: wccp2.c,v 1.31.2.4 2010/02/12 20:49:53 hno Exp $ * * DEBUG: section 80 WCCP Support * AUTHOR: Steven WIlton 
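Review bot: The cap_t returned by cap_get_proc() / cap_init() is never released, so every call to restoreCapabilities() leaks it; add `cap_free(caps);` after the closing brace of the `} else {` block, before the `#else /* !USE_LIBCAP */`. The keep path also drops the explicit `cap->inheritable = 0;` that the removed capset() code had: after cap_get_proc() the inheritable set is whatever the process already carries, and only CAP_EFFECTIVE is cleared, while the return value of that `cap_clear_flag()` is ignored. `rc |= cap_clear_flag(caps, CAP_EFFECTIVE); rc |= cap_clear_flag(caps, CAP_INHERITABLE);` keeps both inside the existing `if (rc || cap_set_proc(caps) != 0)` failure check. Whether any helper Squid executes could actually acquire an inherited capability depends on file capabilities this diff does not show, but the clear is one line and matches the old behaviour.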
@@ -1137,6 +1137,7 @@ break; default: fatalf("Unknown Wccp2 assignment method\n"); + return; /* Keep GCC happy, thinks cache_address may be used uninitialized otherwise */ } /* Update the cache list */ diff -ruN squid-2.7.STABLE7/tools/squidclient.c squid-2.7.STABLE8/tools/squidclient.c --- squid-2.7.STABLE7/tools/squidclient.c 2008-06-04 22:32:50.000000000 +0200 +++ squid-2.7.STABLE8/tools/squidclient.c 2010-02-12 21:22:20.000000000 +0100 @@ -1,6 +1,6 @@ /* - * $Id: squidclient.c,v 1.9.2.1 2008/06/04 20:32:50 hno Exp $ + * $Id: squidclient.c,v 1.9.2.2 2010/02/12 20:22:20 hno Exp $ * * DEBUG: section 0 WWW Client * AUTHOR: Harvest Derived @@ -83,33 +83,12 @@ #endif #include "util.h" +#include "squid_types.h" #ifndef BUFSIZ #define BUFSIZ 8192 #endif -#ifndef PRId64 -#ifdef _SQUID_MSWIN_ /* Windows native port using MSVCRT */ -#define PRId64 "I64d" -#elif SIZEOF_INT64_T > SIZEOF_LONG -#define PRId64 "lld" -#else -#define PRId64 "ld" -#endif -#endif - -#if SIZEOF_INT64_T > SIZEOF_LONG && HAVE_STRTOLL -typedef int64_t squid_off_t; -#define SIZEOF_SQUID_OFF_T SIZEOF_INT64_T -#define PRINTF_OFF_T PRId64 -#define strto_off_t (int64_t)strtoll -#else -typedef long squid_off_t; -#define SIZEOF_SQUID_OFF_T SIZEOF_LONG -#define PRINTF_OFF_T "ld" -#define strto_off_t strtol -#endif - typedef void SIGHDLR(int sig); /* Local functions */ @@ -351,7 +330,7 @@ strcat(msg, buf); } if (put_fd > 0) { - snprintf(buf, BUFSIZ, "Content-length: %d\r\n", (int) sb.st_size); + snprintf(buf, BUFSIZ, "Content-length: %" PRINTF_OFF_T "\r\n", (squid_off_t) sb.st_size); strcat(msg, buf); } if (opt_noaccept == 0) {
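Review bot: The cast `(squid_off_t) sb.st_size` in the Content-length line only fixes the >2GB case when squid_off_t is 64-bit; the typedef block removed from this file just above falls back to `long`, and if squid_types.h keeps that fallback, a 32-bit build whose off_t is 64-bit still emits a silently truncated Content-length. Making the failure explicit is cheap: `if ((off_t)(squid_off_t) sb.st_size != sb.st_size) { fprintf(stderr, "put file too large for this build\n"); exit(1); }` before the snprintf. Note that buf is then appended with the pre-existing unbounded `strcat(msg, buf)`, which this change does not touch.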