diff -u -r -N squid-4.7/ChangeLog squid-4.8/ChangeLog --- squid-4.7/ChangeLog 2019-05-07 01:53:49.000000000 +1200 +++ squid-4.8/ChangeLog 2019-07-10 07:05:20.000000000 +1200 @@ -1,3 +1,22 @@ +Changes to squid-4.8 (09 Jul 2019): + + - Bug 4957: Multiple XSS issues in cachemgr.cgi + - Bug 4953: to_localhost does not include :: + - Bug 4937: cachemgr.cgi: unallocated memory access + - Bug 4936: terminating c-strings beyond BASE64_DECODE_LENGTH + - Bug 4889: Ignore ECONNABORTED in accept(2) + - Bug 4842: Memory leak when http_reply_access uses external_acl + - TLS: Fix tls-min-version= being ignored + - TLS: Add the NO_TLSv1_3 option to available tls-options values + - HTTP: RFC 7230 forbids generation of userinfo subcomponent of https URL + - HTTP: Remove userinfo support from old protocols + - HTTP: Fix Digest auth parameter parsing + - HTTP: Send Connection:close with the known-last request on a connection + - HTTP: Fix handling of tiny invalid responses + - Replace uudecode with libnettle base64 decoder + - Update HttpHeader::getAuth to SBuf + - ... and some compile issues + Changes to squid-4.7 (06 May 2019): - Bug 4942: --with-filedescriptors does not do anything diff -u -r -N squid-4.7/compat/os/mswindows.h squid-4.8/compat/os/mswindows.h --- squid-4.7/compat/os/mswindows.h 2019-05-07 01:53:49.000000000 +1200 +++ squid-4.8/compat/os/mswindows.h 2019-07-10 07:05:20.000000000 +1200 @@ -358,6 +358,9 @@ #ifndef ENOTSUP #define ENOTSUP WSAEOPNOTSUPP #endif +#ifndef ECONNABORTED +#define ECONNABORTED WSAECONNABORTED +#endif #undef h_errno #define h_errno errno /* we'll set it ourselves */ diff -u -r -N squid-4.7/configure squid-4.8/configure --- squid-4.7/configure 2019-05-07 01:56:57.000000000 +1200 +++ squid-4.8/configure 2019-07-10 07:16:52.000000000 +1200 
@@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for Squid Web Proxy 4.7. +# Generated by GNU Autoconf 2.69 for Squid Web Proxy 4.8. # # Report bugs to . # @@ -595,8 +595,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='4.7' -PACKAGE_STRING='Squid Web Proxy 4.7' +PACKAGE_VERSION='4.8' +PACKAGE_STRING='Squid Web Proxy 4.8' PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' PACKAGE_URL='' @@ -1651,7 +1651,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 4.7 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 4.8 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1722,7 +1722,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 4.7:";; + short | recursive ) echo "Configuration of Squid Web Proxy 4.8:";; esac cat <<\_ACEOF @@ -2155,7 +2155,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 4.7 +Squid Web Proxy configure 4.8 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3259,7 +3259,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 4.7, which was +It was created by Squid Web Proxy $as_me 4.8, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4126,7 +4126,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='4.7' + VERSION='4.8' cat >>confdefs.h <<_ACEOF 
@@ -44215,7 +44215,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 4.7, which was +This file was extended by Squid Web Proxy $as_me 4.8, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -44281,7 +44281,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Squid Web Proxy config.status 4.7 +Squid Web Proxy config.status 4.8 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -u -r -N squid-4.7/configure.ac squid-4.8/configure.ac --- squid-4.7/configure.ac 2019-05-07 01:56:57.000000000 +1200 +++ squid-4.8/configure.ac 2019-07-10 07:16:52.000000000 +1200 @@ -5,7 +5,7 @@ ## Please see the COPYING and CONTRIBUTORS files for details. ## -AC_INIT([Squid Web Proxy],[4.7],[http://bugs.squid-cache.org/],[squid]) +AC_INIT([Squid Web Proxy],[4.8],[http://bugs.squid-cache.org/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) diff -u -r -N squid-4.7/doc/release-notes/release-4.html squid-4.8/doc/release-notes/release-4.html --- squid-4.7/doc/release-notes/release-4.html 2019-05-07 02:07:31.000000000 +1200 +++ squid-4.8/doc/release-notes/release-4.html 2019-07-10 07:25:09.000000000 +1200 @@ -2,10 +2,10 @@ - Squid 4.7 release notes + Squid 4.8 release notes -

Squid 4.7 release notes

+

Squid 4.8 release notes

Squid Developers


@@ -63,7 +63,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-4.7 for testing.

+

The Squid Team are pleased to announce the release of Squid-4.8 for testing.

This new release is available for download from http://www.squid-cache.org/Versions/v4/ or the mirrors.

@@ -384,6 +384,7 @@

New --consensus, --client-requested and --server-provided flags for the ssl::server_name type to control which server name to match against.

+

Added ::/128 IPv6 range to to_localhost ACL.

auth_param

New parameter queue-size= to set the maximum number @@ -399,6 +400,7 @@

New option tls-min-version=1.N to set minimum TLS version allowed.

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA

New option tls-no-npn to disable sending TLS NPN extension.

+

New tls-options= option value to disable TLS/1.3.

All ssloptions= values for SSLv2 configuration or disabling have been removed.

Removed sslversion= option. Use tls-options= instead.

@@ -432,6 +434,7 @@

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, the default is also changed to OFF.

New option tls-no-npn to disable sending TLS NPN extension.

+

New tls-options= option value to disable TLS/1.3.

All option= values for SSLv2 configuration or disabling have been removed.

Removed version= option. Use tls-options= instead.

@@ -444,6 +447,7 @@

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, the default is also changed to OFF.

New option tls-no-npn to disable sending TLS NPN extension.

+

New tls-options= option value to disable TLS/1.3.

All options= values for SSLv2 configuration or disabling have been removed.

Removed version= option. Use tls-options= instead.

@@ -462,6 +466,7 @@

New tls-min-version=1.N option to set minimum TLS version allowed on server connections.

New tls-options= option to set OpenSSL library parameters.

+

New tls-options= option value to disable TLS/1.3.

New tls-flags= option to set flags modifying Squid TLS operations.

New tls-cipher= option to set a list of ciphers permitted.

New tls-cafile= option to set a file with additional CA diff -u -r -N squid-4.7/include/uudecode.h squid-4.8/include/uudecode.h --- squid-4.7/include/uudecode.h 2019-05-07 01:53:49.000000000 +1200 +++ squid-4.8/include/uudecode.h 1970-01-01 12:00:00.000000000 +1200 @@ -1,21 +0,0 @@ -/* - * Copyright (C) 1996-2019 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -#ifndef _SQUID_UUDECODE_H -#define _SQUID_UUDECODE_H - -#ifdef __cplusplus -extern "C" -#else -extern -#endif - -char *uudecode(const char *); - -#endif /* _SQUID_UUDECODE_H */ - diff -u -r -N squid-4.7/include/version.h squid-4.8/include/version.h --- squid-4.7/include/version.h 2019-05-07 01:56:57.000000000 +1200 +++ squid-4.8/include/version.h 2019-07-10 07:16:52.000000000 +1200 @@ -7,7 +7,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1557151008 +#define SQUID_RELEASE_TIME 1562699800 #endif /* diff -u -r -N squid-4.7/lib/html_quote.c squid-4.8/lib/html_quote.c --- squid-4.7/lib/html_quote.c 2019-05-07 01:53:49.000000000 +1200 +++ squid-4.8/lib/html_quote.c 2019-07-10 07:05:20.000000000 +1200 @@ -90,7 +90,7 @@ } if (escape) { /* Ok, An escaped form was found above. Use it */ - strncpy(dst, escape, 6); + strncpy(dst, escape, 7); dst += strlen(escape); } else { /* Apparently there is no need to escape this character */ diff -u -r -N squid-4.7/lib/Makefile.am squid-4.8/lib/Makefile.am --- squid-4.7/lib/Makefile.am 2019-05-07 01:53:49.000000000 +1200 +++ squid-4.8/lib/Makefile.am 2019-07-10 07:05:20.000000000 +1200 
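Review bot: The count in `strncpy(dst, escape, 7)` is a magic number that has to track the longest entity in the escape table plus its NUL, while `strlen(escape)` is already computed on the very next line; the two can drift apart if a longer entity is ever added, and strncpy also pads every shorter entity with NULs out to 7 bytes. Computing the length once and copying exactly that many bytes removes the coupling: `const size_t n = strlen(escape); memcpy(dst, escape, n); dst += n;`. Whether dst has room for the bytes written depends on how the caller sized the output buffer, which is not visible here; the enclosing function starts and ends outside the hunk.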
@@ -61,8 +61,7 @@ html_quote.c \ md5.c \ rfc1738.c \ - rfc2617.c \ - uudecode.c + rfc2617.c libmisccontainers_la_SOURCES = \ hash.cc diff -u -r -N squid-4.7/lib/Makefile.in squid-4.8/lib/Makefile.in --- squid-4.7/lib/Makefile.in 2019-05-07 01:56:53.000000000 +1200 +++ squid-4.8/lib/Makefile.in 2019-07-10 07:16:46.000000000 +1200 @@ -185,7 +185,7 @@ am__v_lt_1 = libmiscencoding_la_LIBADD = am_libmiscencoding_la_OBJECTS = base64.lo charset.lo html_quote.lo \ - md5.lo rfc1738.lo rfc2617.lo uudecode.lo + md5.lo rfc1738.lo rfc2617.lo libmiscencoding_la_OBJECTS = $(am_libmiscencoding_la_OBJECTS) libmiscutil_la_LIBADD = am_libmiscutil_la_OBJECTS = getfullhostname.lo heap.lo iso3307.lo \ @@ -236,8 +236,8 @@ ./$(DEPDIR)/radix.Plo ./$(DEPDIR)/rfc1123.Plo \ ./$(DEPDIR)/rfc1738.Plo ./$(DEPDIR)/rfc2617.Plo \ ./$(DEPDIR)/sspwin32.Plo ./$(DEPDIR)/stub_memaccount.Plo \ - ./$(DEPDIR)/util.Plo ./$(DEPDIR)/uudecode.Plo \ - ./$(DEPDIR)/xusleep.Plo tests/$(DEPDIR)/testRFC1738.Po + ./$(DEPDIR)/util.Plo ./$(DEPDIR)/xusleep.Plo \ + tests/$(DEPDIR)/testRFC1738.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -838,8 +838,7 @@ html_quote.c \ md5.c \ rfc1738.c \ - rfc2617.c \ - uudecode.c + rfc2617.c libmisccontainers_la_SOURCES = \ hash.cc @@ -972,7 +971,6 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sspwin32.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stub_memaccount.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/util.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uudecode.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xusleep.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/testRFC1738.Po@am__quote@ # am--include-marker 
@@ -1421,7 +1419,6 @@ -rm -f ./$(DEPDIR)/sspwin32.Plo -rm -f ./$(DEPDIR)/stub_memaccount.Plo -rm -f ./$(DEPDIR)/util.Plo - -rm -f ./$(DEPDIR)/uudecode.Plo -rm -f ./$(DEPDIR)/xusleep.Plo -rm -f tests/$(DEPDIR)/testRFC1738.Po -rm -f Makefile @@ -1488,7 +1485,6 @@ -rm -f ./$(DEPDIR)/sspwin32.Plo -rm -f ./$(DEPDIR)/stub_memaccount.Plo -rm -f ./$(DEPDIR)/util.Plo - -rm -f ./$(DEPDIR)/uudecode.Plo -rm -f ./$(DEPDIR)/xusleep.Plo -rm -f tests/$(DEPDIR)/testRFC1738.Po -rm -f Makefile diff -u -r -N squid-4.7/lib/uudecode.c squid-4.8/lib/uudecode.c --- squid-4.7/lib/uudecode.c 2019-05-07 01:53:49.000000000 +1200 +++ squid-4.8/lib/uudecode.c 1970-01-01 12:00:00.000000000 +1200 
@@ -1,73 +0,0 @@ -/* - * Copyright (C) 1996-2019 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -#include "squid.h" -#include "uudecode.h" - -/* aaaack but it's fast and const should make it shared text page. */ -const int pr2six[256] = { - 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, - 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63, - 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64, 64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, - 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64, 64, 26, 27, - 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, - 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, - 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, - 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, - 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, - 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, - 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64 -}; - -char * -uudecode(const char *bufcoded) -{ - int nbytesdecoded; - const unsigned char *bufin; - char *bufplain; - unsigned char *bufout; - int nprbytes; - - /* Strip leading whitespace. */ - - while (*bufcoded == ' ' || *bufcoded == '\t') - bufcoded++; - - /* Figure out how many characters are in the input buffer. - * Allocate this many from the per-transaction pool for the result. 
- */ - bufin = (const unsigned char *) bufcoded; - while (pr2six[*(bufin++)] <= 63); - nprbytes = (const char *) bufin - bufcoded - 1; - nbytesdecoded = ((nprbytes + 3) / 4) * 3; - - bufplain = xmalloc(nbytesdecoded + 1); - bufout = (unsigned char *) bufplain; - bufin = (const unsigned char *) bufcoded; - - while (nprbytes > 0) { - *(bufout++) = - (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4); - *(bufout++) = - (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2); - *(bufout++) = - (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]); - bufin += 4; - nprbytes -= 4; - } - - if (nprbytes & 03) { - if (pr2six[bufin[-2]] > 63) - nbytesdecoded -= 2; - else - nbytesdecoded -= 1; - } - bufplain[nbytesdecoded] = '\0'; - return bufplain; -} - diff -u -r -N squid-4.7/RELEASENOTES.html squid-4.8/RELEASENOTES.html --- squid-4.7/RELEASENOTES.html 2019-05-07 02:07:31.000000000 +1200 +++ squid-4.8/RELEASENOTES.html 2019-07-10 07:25:09.000000000 +1200 @@ -2,10 +2,10 @@ - Squid 4.7 release notes + Squid 4.8 release notes -

Squid 4.7 release notes

+

Squid 4.8 release notes

Squid Developers


@@ -63,7 +63,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-4.7 for testing.

+

The Squid Team are pleased to announce the release of Squid-4.8 for testing.

This new release is available for download from http://www.squid-cache.org/Versions/v4/ or the mirrors.

@@ -384,6 +384,7 @@

New --consensus, --client-requested and --server-provided flags for the ssl::server_name type to control which server name to match against.

+

Added ::/128 IPv6 range to to_localhost ACL.

auth_param

New parameter queue-size= to set the maximum number @@ -399,6 +400,7 @@

New option tls-min-version=1.N to set minimum TLS version allowed.

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA

New option tls-no-npn to disable sending TLS NPN extension.

+

New tls-options= option value to disable TLS/1.3.

All ssloptions= values for SSLv2 configuration or disabling have been removed.

Removed sslversion= option. Use tls-options= instead.

@@ -432,6 +434,7 @@

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, the default is also changed to OFF.

New option tls-no-npn to disable sending TLS NPN extension.

+

New tls-options= option value to disable TLS/1.3.

All option= values for SSLv2 configuration or disabling have been removed.

Removed version= option. Use tls-options= instead.

@@ -444,6 +447,7 @@

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, the default is also changed to OFF.

New option tls-no-npn to disable sending TLS NPN extension.

+

New tls-options= option value to disable TLS/1.3.

All options= values for SSLv2 configuration or disabling have been removed.

Removed version= option. Use tls-options= instead.

@@ -462,6 +466,7 @@

New tls-min-version=1.N option to set minimum TLS version allowed on server connections.

New tls-options= option to set OpenSSL library parameters.

+

New tls-options= option value to disable TLS/1.3.

New tls-flags= option to set flags modifying Squid TLS operations.

New tls-cipher= option to set a list of ciphers permitted.

New tls-cafile= option to set a file with additional CA diff -u -r -N squid-4.7/src/acl/external/delayer/ext_delayer_acl.8 squid-4.8/src/acl/external/delayer/ext_delayer_acl.8 --- squid-4.7/src/acl/external/delayer/ext_delayer_acl.8 2019-05-07 02:07:33.000000000 +1200 +++ squid-4.8/src/acl/external/delayer/ext_delayer_acl.8 2019-07-10 07:25:12.000000000 +1200 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_DELAYER_ACL 8" -.TH EXT_DELAYER_ACL 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation" +.TH EXT_DELAYER_ACL 8 "2019-07-09" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.7/src/acl/external/SQL_session/ext_sql_session_acl.8 squid-4.8/src/acl/external/SQL_session/ext_sql_session_acl.8 --- squid-4.7/src/acl/external/SQL_session/ext_sql_session_acl.8 2019-05-07 02:07:34.000000000 +1200 +++ squid-4.8/src/acl/external/SQL_session/ext_sql_session_acl.8 2019-07-10 07:25:12.000000000 +1200 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_SQL_SESSION_ACL 8" -.TH EXT_SQL_SESSION_ACL 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation" +.TH EXT_SQL_SESSION_ACL 8 "2019-07-09" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.7/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 squid-4.8/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 --- squid-4.7/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2019-05-07 02:07:34.000000000 +1200 +++ squid-4.8/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2019-07-10 07:25:12.000000000 +1200 
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_WBINFO_GROUP_ACL 8"
-.TH EXT_WBINFO_GROUP_ACL 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL 8 "2019-07-09" "perl v5.28.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.7/src/anyp/Uri.cc squid-4.8/src/anyp/Uri.cc
--- squid-4.7/src/anyp/Uri.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/anyp/Uri.cc 2019-07-10 07:05:20.000000000 +1200
@@ -495,10 +495,10 @@
 absolute_.append(":",1);
 if (getScheme() != AnyP::PROTO_URN) {
 absolute_.append("//", 2);
- const bool omitUserInfo = getScheme() == AnyP::PROTO_HTTP ||
- getScheme() != AnyP::PROTO_HTTPS ||
- userInfo().isEmpty();
- if (!omitUserInfo) {
+ const bool allowUserInfo = getScheme() == AnyP::PROTO_FTP ||
+ getScheme() == AnyP::PROTO_UNKNOWN;
+
+ if (allowUserInfo && !userInfo().isEmpty()) {
 absolute_.append(userInfo());
 absolute_.append("@", 1);
 }
diff -u -r -N squid-4.7/src/auth/basic/Config.cc squid-4.8/src/auth/basic/Config.cc
--- squid-4.7/src/auth/basic/Config.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/auth/basic/Config.cc 2019-07-10 07:05:20.000000000 +1200
@@ -20,6 +20,7 @@
 #include "auth/CredentialsCache.h"
 #include "auth/Gadgets.h"
 #include "auth/State.h"
+#include "base64.h"
 #include "cache_cf.h"
 #include "charset.h"
 #include "helper.h"
@@ -30,7 +31,6 @@
 #include "SquidTime.h"
 #include "Store.h"
 #include "util.h"
-#include "uudecode.h"
 #include "wordlist.h"
 /* Basic Scheme */
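Review bot: The new `allowUserInfo` condition in the Uri.cc hunk encodes a protocol rule without naming it; the ChangeLog entry for this release attributes the change to RFC 7230, so a one-line comment above the declaration would save the next reader a search: `// RFC 7230: http/https URIs must not be generated with a userinfo subcomponent; keep it only for schemes that define it (ftp, unknown)`. The comparison also drops userinfo for every scheme other than FTP and UNKNOWN, which is presumably intended but is worth stating in that same comment. The enclosing method starts and ends outside the hunk.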
@@ -169,10 +169,17 @@
 // XXX: really? is the \n actually still there? does the header parse not drop it?
 char *eek = xstrdup(proxy_auth);
 strtok(eek, "\n");
- char *cleartext = uudecode(eek);
- safe_free(eek);
- if (cleartext) {
+ const size_t srcLen = strlen(eek);
+ char *cleartext = static_cast(xmalloc(BASE64_DECODE_LENGTH(srcLen)+1));
+
+ struct base64_decode_ctx ctx;
+ base64_decode_init(&ctx);
+
+ size_t dstLen = 0;
+ if (base64_decode_update(&ctx, &dstLen, reinterpret_cast(cleartext), srcLen, eek) && base64_decode_final(&ctx)) {
+ cleartext[dstLen] = '\0';
+
 /*
 * Don't allow NL or CR in the credentials.
 * Oezguer Kesim
@@ -183,7 +190,12 @@
 debugs(29, DBG_IMPORTANT, "WARNING: Bad characters in authorization header '" << httpAuthHeader << "'");
 safe_free(cleartext);
 }
+ } else {
+ debugs(29, 2, "WARNING: Invalid Base64 character in authorization header '" << httpAuthHeader << "'");
+ safe_free(cleartext);
 }
+
+ safe_free(eek);
 return cleartext;
 }
diff -u -r -N squid-4.7/src/auth/basic/DB/basic_db_auth.8 squid-4.8/src/auth/basic/DB/basic_db_auth.8
--- squid-4.7/src/auth/basic/DB/basic_db_auth.8 2019-05-07 02:07:34.000000000 +1200
+++ squid-4.8/src/auth/basic/DB/basic_db_auth.8 2019-07-10 07:25:13.000000000 +1200
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BASIC_DB_AUTH 8"
-.TH BASIC_DB_AUTH 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 8 "2019-07-09" "perl v5.28.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.7/src/auth/basic/POP3/basic_pop3_auth.8 squid-4.8/src/auth/basic/POP3/basic_pop3_auth.8
--- squid-4.7/src/auth/basic/POP3/basic_pop3_auth.8 2019-05-07 02:07:34.000000000 +1200
+++ squid-4.8/src/auth/basic/POP3/basic_pop3_auth.8 2019-07-10 07:25:13.000000000 +1200
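Review bot: The new `else` branch in the second hunk logs the raw `httpAuthHeader` at debug level 2, and the pre-existing bad-characters branch does the same at DBG_IMPORTANT; that header is the Base64 form of the client's credentials, so any run at those levels writes reversibly-encoded passwords into cache.log. Logging only the length is enough to diagnose the failure: `debugs(29, 2, "WARNING: Invalid Base64 character in authorization header (" << srcLen << " octets)");`. Separately, `cleartext` (the decoded user:password) and `eek` are released with `safe_free` without being cleared first, so the plaintext lingers in freed heap memory; clearing both buffers before freeing is cheap here. The enclosing function starts outside the first hunk.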
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BASIC_POP3_AUTH 8"
-.TH BASIC_POP3_AUTH 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation"
+.TH BASIC_POP3_AUTH 8 "2019-07-09" "perl v5.28.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.7/src/auth/digest/Config.cc squid-4.8/src/auth/digest/Config.cc
--- squid-4.7/src/auth/digest/Config.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/auth/digest/Config.cc 2019-07-10 07:05:20.000000000 +1200
@@ -787,14 +787,14 @@
 if (keyName == SBuf("domain",6) || keyName == SBuf("uri",3)) {
 // domain is Special. Not a quoted-string, must not be de-quoted. But is wrapped in '"'
 // BUG 3077: uri= can also be sent to us in a mangled (invalid!) form like domain
- if (*p == '"' && *(p + vlen -1) == '"') {
+ if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') {
 value.limitInit(p+1, vlen-2);
 }
 } else if (keyName == SBuf("qop",3)) {
 // qop is more special.
 // On request this must not be quoted-string de-quoted. But is several values wrapped in '"'
 // On response this is a single un-quoted token.
- if (*p == '"' && *(p + vlen -1) == '"') {
+ if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') {
 value.limitInit(p+1, vlen-2);
 } else {
 value.limitInit(p, vlen);
diff -u -r -N squid-4.7/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc squid-4.8/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
--- squid-4.7/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc 2019-07-10 07:05:20.000000000 +1200
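Review bot: The `vlen > 1` guard added to both quoted-value tests in the digest/Config.cc hunk is correct but unexplained, and a reader will wonder why the threshold is 1 rather than 0. A comment on the first occurrence would capture the reasoning: `// a quoted value needs at least the two quote octets; the guard also keeps p[vlen-1] from reading before p and vlen-2 from going negative or wrapping`, with the second test referring back to it. The enclosing parameter-parsing loop starts and ends outside the hunk.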
@@ -822,7 +822,8 @@
 goto cleanup;
 if (major_status & GSS_S_CONTINUE_NEEDED) {
 debug((char *) "%s| %s: INFO: continuation needed\n", LogTime(), PROGRAM);
- fprintf(stdout, "ERR token=%s\n", token);
+ // XXX: where to get the server token for delivery to client? token is nullptr here.
+ fprintf(stdout, "ERR\n");
 goto cleanup;
 }
 gss_release_buffer(&minor_status, &output_token);
diff -u -r -N squid-4.7/src/auth/negotiate/wrapper/negotiate_wrapper.cc squid-4.8/src/auth/negotiate/wrapper/negotiate_wrapper.cc
--- squid-4.7/src/auth/negotiate/wrapper/negotiate_wrapper.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/auth/negotiate/wrapper/negotiate_wrapper.cc 2019-07-10 07:05:20.000000000 +1200
@@ -112,7 +112,7 @@
 char tbuff[MAX_AUTHTOKEN_LEN];
 char buff[MAX_AUTHTOKEN_LEN+2];
 char *c;
- int length;
+ size_t length;
 uint8_t *token = NULL;
 while (1) {
@@ -136,7 +136,7 @@
 *c = '\0';
 length = c - buf;
 if (debug_enabled)
- fprintf(stderr, "%s| %s: Got '%s' from squid (length: %d).\n",
+ fprintf(stderr, "%s| %s: Got '%s' from squid (length: %" PRIuSIZE ").\n",
 LogTime(), PROGRAM, buf, length);
 } else {
 if (debug_enabled)
@@ -181,11 +181,11 @@
 }
 length = BASE64_DECODE_LENGTH(strlen(buf+3));
 if (debug_enabled)
- fprintf(stderr, "%s| %s: Decode '%s' (decoded length: %d).\n",
- LogTime(), PROGRAM, buf + 3, (int) length);
+ fprintf(stderr, "%s| %s: Decode '%s' (decoded length: %" PRIuSIZE ").\n",
+ LogTime(), PROGRAM, buf + 3, length);
 safe_free(token);
- if (!(token = static_cast(xmalloc(length)))) {
+ if (!(token = static_cast(xmalloc(length+1)))) {
 fprintf(stderr, "%s| %s: Error allocating memory for token\n", LogTime(), PROGRAM);
 return 1;
 }
@@ -200,6 +200,7 @@
 fprintf(stdout, "BH Invalid negotiate request token\n");
 continue;
 }
+ assert(dstLen <= length);
 length = dstLen;
 token[dstLen] = '\0';
diff -u -r -N squid-4.7/src/cache_cf.cc squid-4.8/src/cache_cf.cc
--- squid-4.7/src/cache_cf.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/cache_cf.cc 2019-07-10 07:05:20.000000000 +1200
@@ -2302,6 +2302,9 @@
 peerDigestCreate(p);
 #endif
+ if (p->secure.encryptTransport)
+ p->secure.parseOptions();
+
 p->index = ++Config.npeers;
 while (*head != NULL)
@@ -3772,6 +3775,7 @@
 self_destruct();
 return;
 }
+ s->secure.parseOptions();
 }
 // *_port line should now be fully valid so we can clone it if necessary
diff -u -r -N squid-4.7/src/cache_manager.cc squid-4.8/src/cache_manager.cc
--- squid-4.7/src/cache_manager.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/cache_manager.cc 2019-07-10 07:05:20.000000000 +1200
@@ -27,6 +27,7 @@
 #include "mgr/FunAction.h"
 #include "mgr/QueryParams.h"
 #include "protos.h"
+#include "sbuf/StringConvert.h"
 #include "SquidConfig.h"
 #include "SquidTime.h"
 #include "Store.h"
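Review bot: The two new `parseOptions()` calls in the cache_cf.cc hunks are gated differently: the cache_peer call runs only when `p->secure.encryptTransport` is set, while the `*_port` call in the second hunk runs unconditionally. That appears deliberate, since the client_side.cc hunks in this same diff build SslBump contexts from `port->secure` on a connection that is only later switched to HTTPS, but nothing at the call site says so; a comment such as `// unconditional: port->secure also feeds SslBump contexts on non-TLS listeners` would stop a later reader from "fixing" it to match the peer path. Both enclosing functions start and end outside the hunks.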
@@ -243,20 +244,20 @@
 // TODO: use the authentication system decode to retrieve these details properly.
 /* base 64 _decoded_ user:passwd pair */
- const char *basic_cookie = request->header.getAuth(Http::HdrType::AUTHORIZATION, "Basic");
+ const auto basic_cookie(request->header.getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
- if (!basic_cookie)
+ if (basic_cookie.isEmpty())
 return;
- const char *passwd_del;
- if (!(passwd_del = strchr(basic_cookie, ':'))) {
+ const auto colonPos = basic_cookie.find(':');
+ if (colonPos == SBuf::npos) {
 debugs(16, DBG_IMPORTANT, "CacheManager::ParseHeaders: unknown basic_cookie format '" << basic_cookie << "'");
 return;
 }
 /* found user:password pair, reset old values */
- params.userName.limitInit(basic_cookie, passwd_del - basic_cookie);
- params.password = passwd_del + 1;
+ params.userName = SBufToString(basic_cookie.substr(0, colonPos));
+ params.password = SBufToString(basic_cookie.substr(colonPos+1));
 /* warning: this prints decoded password which maybe not be what you want to do @?@ @?@ */
 debugs(16, 9, "CacheManager::ParseHeaders: got user: '" <<
diff -u -r -N squid-4.7/src/cf.data.pre squid-4.8/src/cf.data.pre
--- squid-4.7/src/cf.data.pre 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/cf.data.pre 2019-07-10 07:05:20.000000000 +1200
@@ -1003,7 +1003,7 @@
 DEFAULT: all src all
 DEFAULT: manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
 DEFAULT: localhost src 127.0.0.1/32 ::1
-DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
+DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1/128 ::/128
 DEFAULT_DOC: ACLs all, manager, localhost, and to_localhost are predefined.
 DOC_START
 Defining an Access List
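Review bot: On the no-colon path of the cache_manager.cc hunk the message `"unknown basic_cookie format '" << basic_cookie << "'"` still prints the decoded Authorization token at DBG_IMPORTANT, which is typically visible at the default debug level, and a token without a colon may well be a password sent without a user name; the move to SBuf was a good moment to stop echoing it. Printing the length keeps the diagnostic value: `debugs(16, DBG_IMPORTANT, "CacheManager::ParseHeaders: unknown basic_cookie format (" << basic_cookie.length() << " octets)");`. The same consideration applies to the level-9 "got user" message whose own comment already warns that it prints the password. The enclosing method starts and ends outside the hunk.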
@@ -2751,7 +2751,7 @@
 min-version=1.N
 The minimum TLS protocol version to permit.
 To control SSLv3 use the options= parameter.
- Supported Values: 1.0 (default), 1.1, 1.2
+ Supported Values: 1.0 (default), 1.1, 1.2, 1.3
 options=... Specify various TLS/SSL implementation options.
diff -u -r -N squid-4.7/src/clients/FtpGateway.cc squid-4.8/src/clients/FtpGateway.cc
--- squid-4.7/src/clients/FtpGateway.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/clients/FtpGateway.cc 2019-07-10 07:05:20.000000000 +1200
@@ -1039,7 +1039,7 @@
 #if HAVE_AUTH_MODULE_BASIC
 /* Check HTTP Authorization: headers (better than defaults, but less than URL) */
- const SBuf auth(req_hdr->getAuth(Http::HdrType::AUTHORIZATION, "Basic"));
+ const auto auth(req_hdr->getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
 if (!auth.isEmpty()) {
 flags.authenticated = 1;
 loginParser(auth, false);
diff -u -r -N squid-4.7/src/client_side.cc squid-4.8/src/client_side.cc
--- squid-4.7/src/client_side.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/client_side.cc 2019-07-10 07:05:20.000000000 +1200
@@ -2522,9 +2522,10 @@
 /// Create TLS connection structure and update fd_table
 static bool
-httpsCreate(const Comm::ConnectionPointer &conn, const Security::ContextPointer &ctx)
+httpsCreate(const ConnStateData *connState, const Security::ContextPointer &ctx)
 {
- if (Security::CreateServerSession(ctx, conn, "client https start")) {
+ const auto conn = connState->clientConnection;
+ if (Security::CreateServerSession(ctx, conn, connState->port->secure, "client https start")) {
 debugs(33, 5, "will negotiate TLS on " << conn);
 return true;
 }
@@ -2709,7 +2710,7 @@
 assert(connState);
 const Comm::ConnectionPointer &details = connState->clientConnection;
- if (!ctx || !httpsCreate(details, ctx))
+ if (!ctx || !httpsCreate(connState, ctx))
 return;
 typedef CommCbMemFunT TimeoutDialer;
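Review bot: `httpsCreate` in the client_side.cc hunk now dereferences `connState->port->secure` without checking either pointer, while one caller in the next hunk does `assert(connState)` and the other two pass `this`; nothing in the hunk establishes that `port` is non-null at this point. If it is guaranteed by construction, as a per-listener field presumably is, stating the invariant once in the helper is cheap and documents it for every caller: `assert(connState && connState->port);` as the first statement of the body. The function's body continues past the end of the hunk.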
@@ -3072,7 +3073,7 @@
 }
 }
- if (!httpsCreate(clientConnection, ctx))
+ if (!httpsCreate(this, ctx))
 return;
 // bumped intercepted conns should already have Config.Timeout.request set
@@ -3293,7 +3294,7 @@
 Security::ContextPointer unConfiguredCTX(Ssl::createSSLContext(port->secure.signingCa.cert, port->secure.signingCa.pkey, port->secure));
 fd_table[clientConnection->fd].dynamicTlsContext = unConfiguredCTX;
- if (!httpsCreate(clientConnection, unConfiguredCTX))
+ if (!httpsCreate(this, unConfiguredCTX))
 return;
 switchedToHttps_ = true;
diff -u -r -N squid-4.7/src/comm/TcpAcceptor.cc squid-4.8/src/comm/TcpAcceptor.cc
--- squid-4.7/src/comm/TcpAcceptor.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/comm/TcpAcceptor.cc 2019-07-10 07:05:20.000000000 +1200
@@ -361,10 +361,10 @@
 PROF_stop(comm_accept);
- if (ignoreErrno(errcode)) {
+ if (ignoreErrno(errcode) || errcode == ECONNABORTED) {
 debugs(50, 5, status() << ": " << xstrerr(errcode));
 return Comm::NOMESSAGE;
- } else if (ENFILE == errno || EMFILE == errno) {
+ } else if (errcode == ENFILE || errcode == EMFILE) {
 debugs(50, 3, status() << ": " << xstrerr(errcode));
 return Comm::COMM_ERROR;
 } else {
diff -u -r -N squid-4.7/src/enums.h squid-4.8/src/enums.h
--- squid-4.7/src/enums.h 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/enums.h 2019-07-10 07:05:20.000000000 +1200
@@ -10,7 +10,7 @@
 #define SQUID_ENUMS_H
 enum fd_type {
- FD_NONE,
+ FD_NONE_TYPE,
 FD_LOG,
 FD_FILE,
 FD_SOCKET,
diff -u -r -N squid-4.7/src/http/one/ResponseParser.cc squid-4.8/src/http/one/ResponseParser.cc
--- squid-4.7/src/http/one/ResponseParser.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/http/one/ResponseParser.cc 2019-07-10 07:05:20.000000000 +1200
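Review bot: Treating ECONNABORTED as `Comm::NOMESSAGE` in the TcpAcceptor.cc hunk is reasonable but reads as an unexplained exception to whatever `ignoreErrno()` already covers; a comment would make the intent durable: `// ECONNABORTED: the peer dropped the pending connection before accept(2) completed; the listener itself is healthy, so keep accepting`. The switch from `errno` to `errcode` in the ENFILE/EMFILE test also fixes a latent bug, since errno may have been overwritten by calls made between accept(2) and this comparison, and that deserves a mention of its own rather than slipping in silently. The enclosing function starts and ends outside the hunk.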
@@ -159,8 +159,13 @@
 debugs(74, DBG_DATA, "parse remaining buf={length=" << tok.remaining().length() << ", data='" << tok.remaining() << "'}");
 buf_ = tok.remaining(); // resume checkpoint
 return parseResponseStatusAndReason(tok, WspDelim);
-
- } else if (buf_.length() > Http1magic.length() && buf_.length() > IcyMagic.length()) {
+ } else if (buf_.length() < Http1magic.length() && Http1magic.startsWith(buf_)) {
+ debugs(74, 7, Raw("valid HTTP/1 prefix", buf_.rawContent(), buf_.length()));
+ return 0;
+ } else if (buf_.length() < IcyMagic.length() && IcyMagic.startsWith(buf_)) {
+ debugs(74, 7, Raw("valid ICY prefix", buf_.rawContent(), buf_.length()));
+ return 0;
+ } else {
 debugs(74, 2, "unknown/missing prefix magic. Interpreting as HTTP/0.9");
 // found something that looks like an HTTP/0.9 response
 // Gateway/Transform it into HTTP/1.1
@@ -180,7 +185,9 @@
 return 1; // no more parsing
 }
- return 0; // need more to parse anything.
+ // unreachable
+ assert(false);
+ return -1;
 }
 bool
diff -u -r -N squid-4.7/src/http/StateFlags.h squid-4.8/src/http/StateFlags.h
--- squid-4.7/src/http/StateFlags.h 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/http/StateFlags.h 2019-07-10 07:05:20.000000000 +1200
@@ -17,7 +17,7 @@
 public:
 unsigned int front_end_https = 0; ///< send "Front-End-Https: On" header (off/on/auto=2)
 bool proxying = false;
- bool keepalive = false;
+ bool keepalive = false; ///< whether to keep the connection persistent
 bool only_if_cached = false;
 bool handling1xx = false; ///< we are ignoring or forwarding 1xx response
 bool headers_parsed = false;
diff -u -r -N squid-4.7/src/http/url_rewriters/LFS/url_lfs_rewrite.8 squid-4.8/src/http/url_rewriters/LFS/url_lfs_rewrite.8
--- squid-4.7/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2019-05-07 02:07:35.000000000 +1200
+++ squid-4.8/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2019-07-10 07:25:14.000000000 +1200
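Review bot: The two new prefix branches change what happens to short buffers and nothing in the hunk records the rule: a buffer shorter than `Http1magic`/`IcyMagic` that is a prefix of one of them now returns 0 (wait for more bytes), while any other buffer, however short, falls through to the HTTP/0.9 gateway path that the old condition reserved for buffers longer than both magics. Suggest a comment above the first `} else if (buf_.length() < Http1magic.length() ...` branch: `// too short to classify: keep waiting only while it could still grow into a known magic; anything else is HTTP/0.9`. The trailing `assert(false); return -1;` is unreachable as intended, since every branch of the chain returns. The enclosing function and its first branch start before this hunk.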
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "URL_LFS_REWRITE 8"
-.TH URL_LFS_REWRITE 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation"
+.TH URL_LFS_REWRITE 8 "2019-07-09" "perl v5.28.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.7/src/http.cc squid-4.8/src/http.cc
--- squid-4.7/src/http.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/http.cc 2019-07-10 07:05:20.000000000 +1200
@@ -1909,10 +1909,10 @@
 delete cc;
 }
- /* maybe append Connection: keep-alive */
- if (flags.keepalive) {
- hdr_out->putStr(Http::HdrType::CONNECTION, "keep-alive");
- }
+ // Always send Connection because HTTP/1.0 servers need explicit "keep-alive"
+ // while HTTP/1.1 servers need explicit "close", and we do not always know
+ // the server expectations.
+ hdr_out->putStr(Http::HdrType::CONNECTION, flags.keepalive ? "keep-alive" : "close");
 /* append Front-End-Https */
 if (flags.front_end_https) {
diff -u -r -N squid-4.7/src/HttpHeader.cc squid-4.8/src/HttpHeader.cc
--- squid-4.7/src/HttpHeader.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/HttpHeader.cc 2019-07-10 07:05:20.000000000 +1200
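Review bot: `hdr_out->putStr(Http::HdrType::CONNECTION, ...)` in http.cc is now executed on every request, so if any code earlier in this function (outside the hunk) has already added a `Connection` entry to hdr_out, the outgoing request will carry two `Connection` headers whose tokens may disagree, and the old guard that made the header conditional is gone. If the earlier code cannot add one, a one-line comment here saying so would save the next reader the search; otherwise remove any existing entry first with `hdr_out->delById(Http::HdrType::CONNECTION);`. The enclosing function starts before this hunk.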
@@ -1268,43 +1268,46 @@
 return cr;
 }
-const char *
-HttpHeader::getAuth(Http::HdrType id, const char *auth_scheme) const
+SBuf
+HttpHeader::getAuthToken(Http::HdrType id, const char *auth_scheme) const
 {
 const char *field;
 int l;
 assert(auth_scheme);
 field = getStr(id);
+ static const SBuf nil;
 if (!field) /* no authorization field */
- return NULL;
+ return nil;
 l = strlen(auth_scheme);
 if (!l || strncasecmp(field, auth_scheme, l)) /* wrong scheme */
- return NULL;
+ return nil;
 field += l;
 if (!xisspace(*field)) /* wrong scheme */
- return NULL;
+ return nil;
 /* skip white space */
 for (; field && xisspace(*field); ++field);
 if (!*field) /* no authorization cookie */
- return NULL;
+ return nil;
- static char decodedAuthToken[8192];
+ const auto fieldLen = strlen(field);
+ SBuf result;
+ char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen));
 struct base64_decode_ctx ctx;
 base64_decode_init(&ctx);
 size_t decodedLen = 0;
- if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(decodedAuthToken), strlen(field), field) ||
+ if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(decodedAuthToken), fieldLen, field) ||
 !base64_decode_final(&ctx)) {
- return NULL;
+ return nil;
 }
- decodedAuthToken[decodedLen] = '\0';
- return decodedAuthToken;
+ result.rawAppendFinish(decodedAuthToken, decodedLen);
+ return result;
 }
 ETag
diff -u -r -N squid-4.7/src/HttpHeader.h squid-4.8/src/HttpHeader.h
--- squid-4.7/src/HttpHeader.h 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/HttpHeader.h 2019-07-10 07:05:20.000000000 +1200
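Review bot: The fix rests on an invariant that deserves a comment at `result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen))`: the reserved capacity is derived from the same `fieldLen` handed to base64_decode_update(), so `decodedLen` cannot exceed it and nothing is written past the allocation, unlike the old fixed `decodedAuthToken[8192]` that an oversized header value could overrun. Suggest `// sized from fieldLen, the exact input length given to the decoder below, so decodedLen <= capacity`. On the failure path `result` is dropped with its raw append never finished; if SBuf expects every rawAppendStart() to be paired with rawAppendFinish(), a short comment at that `return nil;` saying the abandoned buffer is freed with `result` would help. The new declaration in HttpHeader.h also lacks a doc comment; suggest `/// base64-decoded credentials of the given scheme, or an empty SBuf when the header is absent, uses another scheme, or is not valid base64`.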
@@ -134,7 +134,7 @@
 HttpHdrRange *getRange() const;
 HttpHdrSc *getSc() const;
 HttpHdrContRange *getContRange() const;
- const char *getAuth(Http::HdrType id, const char *auth_scheme) const;
+ SBuf getAuthToken(Http::HdrType id, const char *auth_scheme) const;
 ETag getETag(Http::HdrType id) const;
 TimeOrTag getTimeOrTag(Http::HdrType id) const;
 int hasListMember(Http::HdrType id, const char *member, const char separator) const;
diff -u -r -N squid-4.7/src/HttpReply.cc squid-4.8/src/HttpReply.cc
--- squid-4.7/src/HttpReply.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/HttpReply.cc 2019-07-10 07:05:20.000000000 +1200
@@ -477,6 +477,7 @@
 expectBody = false;
 else if (sline.status() == Http::scNotModified)
 expectBody = false;
+ // TODO: Consider assuming that gray-area 0xx responses have bodies, like 9xx responses.
 else if (sline.status() < Http::scOkay)
 expectBody = false;
 else
diff -u -r -N squid-4.7/src/ipc/SharedListen.cc squid-4.8/src/ipc/SharedListen.cc
--- squid-4.7/src/ipc/SharedListen.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/ipc/SharedListen.cc 2019-07-10 07:05:20.000000000 +1200
@@ -54,11 +54,6 @@
 return -1;
 }
-Ipc::OpenListenerParams::OpenListenerParams()
-{
- memset(this, 0, sizeof(*this));
-}
 bool
 Ipc::OpenListenerParams::operator <(const OpenListenerParams &p) const
 {
diff -u -r -N squid-4.7/src/ipc/SharedListen.h squid-4.8/src/ipc/SharedListen.h
--- squid-4.7/src/ipc/SharedListen.h 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/ipc/SharedListen.h 2019-07-10 07:05:20.000000000 +1200
@@ -24,18 +24,16 @@ class OpenListenerParams { public: - OpenListenerParams(); - bool operator <(const OpenListenerParams &p) const; ///< useful for map<> // bits to re-create the fde entry - int sock_type; - int proto; - int fdNote; ///< index into fd_note() comment strings + int sock_type = 0; + int proto = 0; + int fdNote = 0; ///< index into fd_note() comment strings // bits to re-create the listener Comm::Connection descriptor Ip::Address addr; ///< will be memset and memcopied - int flags; + int flags = 0; /// handler to subscribe to Comm::ConnAcceptor when we get the response Subscription::Pointer handlerSubscription; diff -u -r -N squid-4.7/src/log/DB/log_db_daemon.8 squid-4.8/src/log/DB/log_db_daemon.8 --- squid-4.7/src/log/DB/log_db_daemon.8 2019-05-07 02:07:35.000000000 +1200 +++ squid-4.8/src/log/DB/log_db_daemon.8 2019-07-10 07:25:14.000000000 +1200 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "LOG_DB_DAEMON 8" -.TH LOG_DB_DAEMON 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation" +.TH LOG_DB_DAEMON 8 "2019-07-09" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.7/src/mgr/InfoAction.cc squid-4.8/src/mgr/InfoAction.cc --- squid-4.7/src/mgr/InfoAction.cc 2019-05-07 01:53:49.000000000 +1200 +++ squid-4.8/src/mgr/InfoAction.cc 2019-07-10 07:05:20.000000000 +1200 
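Review bot: The `///< will be memset and memcopied` comment on `Ip::Address addr` is now stale: the memset()ing constructor is removed in the SharedListen.cc hunk and the other members receive default initializers instead, so `addr` is simply default-constructed. Suggest `///< default-constructed; no longer memset by a constructor` so the next reader does not go looking for the memset. Whether the "memcopied" part still holds (how the struct travels over IPC) is not visible in this hunk.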
@@ -28,11 +28,6 @@
 void DumpInfo(Mgr::InfoActionData& stats, StoreEntry* sentry);
 void DumpMallocStatistics(StoreEntry* sentry);
-Mgr::InfoActionData::InfoActionData()
-{
- memset(this, 0, sizeof(*this));
-}
 Mgr::InfoActionData&
 Mgr::InfoActionData::operator += (const InfoActionData& stats)
 {
diff -u -r -N squid-4.7/src/mgr/InfoAction.h squid-4.8/src/mgr/InfoAction.h
--- squid-4.7/src/mgr/InfoAction.h 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/mgr/InfoAction.h 2019-07-10 07:05:20.000000000 +1200
@@ -22,73 +22,72 @@ class InfoActionData { public: - InfoActionData(); InfoActionData& operator += (const InfoActionData& stats); public: - struct timeval squid_start; - struct timeval current_time; - double client_http_clients; - double client_http_requests; - double icp_pkts_recv; - double icp_pkts_sent; - double icp_replies_queued; + struct timeval squid_start = {}; + struct timeval current_time = {}; + double client_http_clients = 0.0; + double client_http_requests = 0.0; + double icp_pkts_recv = 0.0; + double icp_pkts_sent = 0.0; + double icp_replies_queued = 0.0; #if USE_HTCP - double htcp_pkts_recv; - double htcp_pkts_sent; + double htcp_pkts_recv = 0.0; + double htcp_pkts_sent = 0.0; #endif - double request_failure_ratio; - double avg_client_http_requests; - double avg_icp_messages; - double select_loops; - double avg_loop_time; - double request_hit_ratio5; - double request_hit_ratio60; - double byte_hit_ratio5; - double byte_hit_ratio60; - double request_hit_mem_ratio5; - double request_hit_mem_ratio60; - double request_hit_disk_ratio5; - double request_hit_disk_ratio60; + double request_failure_ratio = 0.0; + double avg_client_http_requests = 0.0; + double avg_icp_messages = 0.0; + double select_loops = 0.0; + double avg_loop_time = 0.0; + double request_hit_ratio5 = 0.0; + double request_hit_ratio60 = 0.0; + double byte_hit_ratio5 = 0.0; + double byte_hit_ratio60 = 0.0; + double request_hit_mem_ratio5 = 0.0; + double request_hit_mem_ratio60 = 0.0; + double request_hit_disk_ratio5 = 0.0; + double request_hit_disk_ratio60 = 0.0; StoreInfoStats store; ///< disk and memory cache statistics - double unlink_requests; - double http_requests5; - double http_requests60; - double cache_misses5; - double cache_misses60; - double cache_hits5; - double cache_hits60; - double near_hits5; - double near_hits60; - double not_modified_replies5; - double not_modified_replies60; - double dns_lookups5; - double dns_lookups60; - double icp_queries5; - double icp_queries60; - 
double up_time; - double cpu_time; - double cpu_usage; - double cpu_usage5; - double cpu_usage60; - double maxrss; - double page_faults; + double unlink_requests = 0.0; + double http_requests5 = 0.0; + double http_requests60 = 0.0; + double cache_misses5 = 0.0; + double cache_misses60 = 0.0; + double cache_hits5 = 0.0; + double cache_hits60 = 0.0; + double near_hits5 = 0.0; + double near_hits60 = 0.0; + double not_modified_replies5 = 0.0; + double not_modified_replies60 = 0.0; + double dns_lookups5 = 0.0; + double dns_lookups60 = 0.0; + double icp_queries5 = 0.0; + double icp_queries60 = 0.0; + double up_time = 0.0; + double cpu_time = 0.0; + double cpu_usage = 0.0; + double cpu_usage5 = 0.0; + double cpu_usage60 = 0.0; + double maxrss = 0.0; + double page_faults = 0.0; #if HAVE_MSTATS && HAVE_GNUMALLOC_H - double ms_bytes_total; - double ms_bytes_free; + double ms_bytes_total = 0.0; + double ms_bytes_free = 0.0; #endif - double total_accounted; - double gb_saved_count; - double gb_freed_count; - double max_fd; - double biggest_fd; - double number_fd; - double opening_fd; - double num_fd_free; - double reserved_fd; - unsigned int count; + double total_accounted = 0.0; + double gb_saved_count = 0.0; + double gb_freed_count = 0.0; + double max_fd = 0.0; + double biggest_fd = 0.0; + double number_fd = 0.0; + double opening_fd = 0.0; + double num_fd_free = 0.0; + double reserved_fd = 0.0; + unsigned int count = 0; }; /// implement aggregated 'info' action diff -u -r -N squid-4.7/src/security/cert_validators/fake/security_fake_certverify.8 squid-4.8/src/security/cert_validators/fake/security_fake_certverify.8 --- squid-4.7/src/security/cert_validators/fake/security_fake_certverify.8 2019-05-07 02:07:36.000000000 +1200 +++ squid-4.8/src/security/cert_validators/fake/security_fake_certverify.8 2019-07-10 07:25:14.000000000 +1200 
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SECURITY_FAKE_CERTVERIFY 8"
-.TH SECURITY_FAKE_CERTVERIFY 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation"
+.TH SECURITY_FAKE_CERTVERIFY 8 "2019-07-09" "perl v5.28.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.7/src/security/PeerOptions.cc squid-4.8/src/security/PeerOptions.cc
--- squid-4.7/src/security/PeerOptions.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/security/PeerOptions.cc 2019-07-10 07:05:20.000000000 +1200
@@ -53,13 +53,14 @@
 KeyData &t = certs.back();
 t.privateKeyFile = SBuf(token + 4);
 } else if (strncmp(token, "version=", 8) == 0) {
- debugs(0, DBG_PARSE_NOTE(1), "UPGRADE WARNING: SSL version= is deprecated. Use options= to limit protocols instead.");
+ debugs(0, DBG_PARSE_NOTE(1), "UPGRADE WARNING: SSL version= is deprecated. Use options= and tls-min-version= to limit protocols instead.");
 sslVersion = xatoi(token + 8);
 } else if (strncmp(token, "min-version=", 12) == 0) {
 tlsMinVersion = SBuf(token + 12);
+ optsReparse = true;
 } else if (strncmp(token, "options=", 8) == 0) {
 sslOptions = SBuf(token + 8);
- parseOptions();
+ optsReparse = true;
 } else if (strncmp(token, "cipher=", 7) == 0) {
 sslCipher = SBuf(token + 7);
 } else if (strncmp(token, "cafile=", 7) == 0) {
@@ -152,37 +153,31 @@
 if (!tlsMinVersion.isEmpty()) {
 ::Parser::Tokenizer tok(tlsMinVersion);
 int64_t v = 0;
+ tlsMinOptions.clear();
 if (tok.skip('1') && tok.skip('.') && tok.int64(v, 10, false, 1) && v <= 3) {
 // only account for TLS here - SSL versions are handled by options= parameter
 // avoid affecting options= parameter in cachemgr config report
+ SBuf add;
 #if USE_OPENSSL
-#if SSL_OP_NO_TLSv1
 if (v > 0)
- parsedOptions |= SSL_OP_NO_TLSv1;
-#endif
-#if SSL_OP_NO_TLSv1_1
+ add.append(":NO_TLSv1");
 if (v > 1)
- parsedOptions |= SSL_OP_NO_TLSv1_1;
-#endif
-#if SSL_OP_NO_TLSv1_2
+ add.append(":NO_TLSv1_1");
 if (v > 2)
- parsedOptions |= SSL_OP_NO_TLSv1_2;
-#endif
-
+ add.append(":NO_TLSv1_2");
 #elif USE_GNUTLS
- // XXX: update parsedOptions directly to avoid polluting 'options=' dumps
- SBuf add;
 if (v > 0)
 add.append(":-VERS-TLS1.0");
 if (v > 1)
 add.append(":-VERS-TLS1.1");
 if (v > 2)
 add.append(":-VERS-TLS1.2");
+#endif
- if (sslOptions.isEmpty())
+ if (!tlsMinOptions.isEmpty())
 add.chop(1); // remove the initial ':'
- sslOptions.append(add);
-#endif
+ tlsMinOptions.append(add);
+ optsReparse = true;
 } else {
 debugs(0, DBG_PARSE_NOTE(1), "WARNING: Unknown TLS minimum version: " << tlsMinVersion);
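Review bot: The new `if (!tlsMinOptions.isEmpty())` guard on `add.chop(1);` can never be true, because `tlsMinOptions.clear();` runs unconditionally a few lines above it, so `add` always keeps its leading ':' and `tlsMinOptions` always starts with a separator. That is harmless when parseOptions() appends it after a non-empty sslOptions, but with no options= configured the combined string begins with ':' and whether the tokenizer loop in parseOptions (outside its hunk) tolerates an empty leading token, or gnutls_priority_init() does, is not visible here; the GnuTLS debugs line in the updateSessionOptions hunk would also print `sslOptions << ":" << tlsMinOptions` with a doubled colon. Suggest moving the decision to parseOptions, e.g. `if (str.isEmpty() && !tlsMinOptions.isEmpty()) str.append(tlsMinOptions.substr(1)); else str.append(tlsMinOptions);`, and deleting the dead guard here. The enclosing updateTlsVersionLimits() starts before this hunk.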
@@ -200,42 +195,41 @@ switch (sslVersion) { case 3: #if USE_OPENSSL - parsedOptions |= (SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2); + add = ":NO_TLSv1:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3"; #elif USE_GNUTLS - add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"; + add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3"; #endif break; case 4: #if USE_OPENSSL - parsedOptions |= (SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2); + add = ":NO_SSLv3:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3"; #elif USE_GNUTLS - add = ":+VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"; + add = ":+VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3"; #endif break; case 5: #if USE_OPENSSL - parsedOptions |= (SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_2); + add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_2:NO_TLSv1_3"; #elif USE_GNUTLS - add = ":-VERS-TLS1.0:+VERS-TLS1.1:-VERS-TLS1.2"; + add = ":-VERS-TLS1.0:+VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3"; #endif break; case 6: #if USE_OPENSSL - parsedOptions |= (SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1); + add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_1:NO_TLSv1_3"; #elif USE_GNUTLS - add = ":-VERS-TLS1.0:-VERS-TLS1.1"; + add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3"; #endif break; default: // nothing break; } if (add) { -#if USE_GNUTLS // do not bother otherwise if (sslOptions.isEmpty()) sslOptions.append(add+1, strlen(add+1)); else sslOptions.append(add, strlen(add)); -#endif + optsReparse = true; } sslVersion = 0; // prevent sslOptions being repeatedly appended } @@ -390,16 +384,29 @@ { "NO_TLSv1", SSL_OP_NO_TLSv1 }, +#else + { "NO_TLSv1", 0 }, #endif #if SSL_OP_NO_TLSv1_1 { "NO_TLSv1_1", SSL_OP_NO_TLSv1_1 }, +#else + { "NO_TLSv1_1", 0 }, #endif #if SSL_OP_NO_TLSv1_2 { "NO_TLSv1_2", SSL_OP_NO_TLSv1_2 }, +#else + { "NO_TLSv1_2", 0 }, +#endif +#if SSL_OP_NO_TLSv1_3 + { + "NO_TLSv1_3", SSL_OP_NO_TLSv1_3 + }, +#else + { "NO_TLSv1_3", 0 }, #endif #if SSL_OP_NO_COMPRESSION { 
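Review bot: The new `#else` table entries that map `NO_TLSv1`, `NO_TLSv1_1`, `NO_TLSv1_2` and `NO_TLSv1_3` to 0 let a configured option name match the table without setting any bit, and nothing in the hunk says what parseOptions() then does with that 0, which depends on the lookup loop outside this hunk: an "unknown option" fatal error or a silent no-op. Either way the behaviour on a library that lacks the SSL_OP_NO_* macro deserves a comment above the first `#else`, e.g. `// accepted for config portability: this library cannot express the limit, so the entry sets nothing`. For the `NO_TLSv1_2`-style strings that tls-min-version= generates in the updateTlsVersionLimits hunk, a DBG_PARSE_NOTE warning when the matched value is 0 would be preferable to running with a lower minimum than the admin configured.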
@@ -432,8 +439,20 @@
 void
 Security::PeerOptions::parseOptions()
 {
+ // do not allow repeated parsing when multiple contexts are created
+ // NP: we cannot use !parsedOptions because a nil value does have meaning there
+ if (!optsReparse)
+ return;
+ optsReparse = false;
+
+ // combination of settings we have to set via parsedOptions.
+ // options= with override by tls-min-version=
+ SBuf str;
+ str.append(sslOptions);
+ str.append(tlsMinOptions);
+
 #if USE_OPENSSL
- ::Parser::Tokenizer tok(sslOptions);
+ ::Parser::Tokenizer tok(str);
 long op = 0;
 while (!tok.atEnd()) {
@@ -498,16 +517,17 @@
 parsedOptions = op;
 #elif USE_GNUTLS
- if (sslOptions.isEmpty()) {
+ if (str.isEmpty()) {
 parsedOptions.reset();
 return;
 }
 const char *err = nullptr;
- const char *priorities = sslOptions.c_str();
+ const char *priorities = str.c_str();
 gnutls_priority_t op;
- if (gnutls_priority_init(&op, priorities, &err) != GNUTLS_E_SUCCESS) {
- fatalf("Unknown TLS option '%s'", err);
+ int x = gnutls_priority_init(&op, priorities, &err);
+ if (x != GNUTLS_E_SUCCESS) {
+ fatalf("(%s) in TLS options '%s'", ErrorString(x), err);
 }
 parsedOptions = Security::ParsedOptions(op, [](gnutls_priority_t p) {
 debugs(83, 5, "gnutls_priority_deinit p=" << (void*)p);
@@ -591,12 +611,13 @@
 }
 void
-Security::PeerOptions::updateContextOptions(Security::ContextPointer &ctx) const
+Security::PeerOptions::updateContextOptions(Security::ContextPointer &ctx)
 {
+ parseOptions();
 #if USE_OPENSSL
 SSL_CTX_set_options(ctx.get(), parsedOptions);
 #elif USE_GNUTLS
- // NP: GnuTLS uses 'priorities' which are set per-session instead.
+ // NP: GnuTLS uses 'priorities' which are set only per-session instead.
 #endif
 }
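Review bot: `fatalf("(%s) in TLS options '%s'", ErrorString(x), err)` in the GnuTLS branch hands `err` to a `%s` although it is initialised to nullptr a few lines above and, as documented for gnutls_priority_init()'s error-position argument, it is only filled in when the priority string itself is rejected; for any other failure this is a NULL `%s`, which is undefined behaviour in printf-style formatting, in the very path meant to give the admin a readable message. Use a fallback such as `fatalf("(%s) in TLS options '%s'", ErrorString(x), err ? err : priorities);`. The removed line had the same gap, so this is a pre-existing issue the rewrite could close.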
@@ -723,8 +744,12 @@
 void
 Security::PeerOptions::updateSessionOptions(Security::SessionPointer &s)
 {
+ parseOptions();
 #if USE_OPENSSL
- // 'options=' value being set to session is a GnuTLS specific thing.
+ debugs(83, 5, "set OpenSSL options for session=" << s << ", parsedOptions=" << parsedOptions);
+ // XXX: Options already set before (via the context) are not cleared!
+ SSL_set_options(s.get(), parsedOptions);
+
 #elif USE_GNUTLS
 int x;
 SBuf errMsg;
@@ -734,13 +759,13 @@
 static const SBuf defaults("default");
 errMsg = defaults;
 } else {
- debugs(83, 5, "set GnuTLS options '" << sslOptions << "' for session=" << s);
+ debugs(83, 5, "set GnuTLS session=" << s << ", options='" << sslOptions << ":" << tlsMinOptions << "'");
 x = gnutls_priority_set(s.get(), parsedOptions.get());
 errMsg = sslOptions;
 }
 if (x != GNUTLS_E_SUCCESS) {
- debugs(83, DBG_IMPORTANT, "ERROR: Failed to set TLS options (" << errMsg << "). error: " << Security::ErrorString(x));
+ debugs(83, DBG_IMPORTANT, "ERROR: session=" << s << " Failed to set TLS options (" << errMsg << ":" << tlsMinVersion << "). error: " << Security::ErrorString(x));
 }
 #endif
 }
@@ -750,5 +775,6 @@
 {
 while(const char *token = ConfigParser::NextToken())
 opt->parse(token);
+ opt->parseOptions();
 }
diff -u -r -N squid-4.7/src/security/PeerOptions.h squid-4.8/src/security/PeerOptions.h
--- squid-4.7/src/security/PeerOptions.h 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/security/PeerOptions.h 2019-07-10 07:05:20.000000000 +1200
@@ -32,6 +32,9 @@
 /// parse a TLS squid.conf option
 virtual void parse(const char *);
+ /// parse and verify the [tls-]options= string in sslOptions
+ void parseOptions();
+
 /// reset the configuration details to default
 virtual void clear() {*this = PeerOptions();}
@@ -45,7 +48,7 @@
 void updateTlsVersionLimits();
 /// Setup the library specific 'options=' parameters for the given context.
- void updateContextOptions(Security::ContextPointer &) const;
+ void updateContextOptions(Security::ContextPointer &);
 /// setup the NPN extension details for the given context
 void updateContextNpn(Security::ContextPointer &);
@@ -66,7 +69,6 @@
 virtual void dumpCfg(Packable *, const char *pfx) const;
 private:
- void parseOptions(); ///< parsed value of sslOptions
 long parseFlags();
 void loadCrlFile();
 void loadKeysFile();
@@ -82,7 +84,19 @@
 SBuf tlsMinVersion; ///< version label for minimum TLS version to permit
- Security::ParsedOptions parsedOptions; ///< parsed value of sslOptions
+private:
+ /// Library-specific options string generated from tlsMinVersion.
+ /// Call updateTlsVersionLimits() to regenerate this string.
+ SBuf tlsMinOptions;
+
+ /// Parsed value of sslOptions + tlsMinOptions settings.
+ /// Set optsReparse=true to have this re-parsed before next use.
+ Security::ParsedOptions parsedOptions;
+
+ /// whether parsedOptions content needs to be regenerated
+ bool optsReparse = true;
+
+public:
 long parsedFlags = 0; ///< parsed value of sslFlags
 std::list certs; ///< details from the cert= and file= config parameters
@@ -93,13 +107,15 @@ template Security::ContextPointer convertContextFromRawPtr(T ctx) const { #if USE_OPENSSL + debugs(83, 5, "SSL_CTX construct, this=" << (void*)ctx); return ContextPointer(ctx, [](SSL_CTX *p) { - debugs(83, 5, "SSL_free ctx=" << (void*)p); + debugs(83, 5, "SSL_CTX destruct, this=" << (void*)p); SSL_CTX_free(p); }); #elif USE_GNUTLS + debugs(83, 5, "gnutls_certificate_credentials construct, this=" << (void*)ctx); return Security::ContextPointer(ctx, [](gnutls_certificate_credentials_t p) { - debugs(83, 5, "gnutls_certificate_free_credentials ctx=" << (void*)p); + debugs(83, 0, "gnutls_certificate_credentials destruct this=" << (void*)p); gnutls_certificate_free_credentials(p); }); #else diff -u -r -N squid-4.7/src/security/Session.cc squid-4.8/src/security/Session.cc --- squid-4.7/src/security/Session.cc 2019-05-07 01:53:49.000000000 +1200 +++ squid-4.8/src/security/Session.cc 2019-07-10 07:05:20.000000000 +1200 @@ -106,7 +106,7 @@ #endif static bool -CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &conn, Security::Io::Type type, const char *squidCtx) +CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &conn, Security::PeerOptions &opts, Security::Io::Type type, const char *squidCtx) { if (!Comm::IsConnOpen(conn)) { debugs(83, DBG_IMPORTANT, "Gone connection"); @@ -122,6 +122,7 @@ if (!session) { errCode = ERR_get_error(); errAction = "failed to allocate handle"; + debugs(83, DBG_IMPORTANT, "TLS error: " << errAction << ": " << Security::ErrorString(errCode)); } #elif USE_GNUTLS gnutls_session_t tmp; @@ -134,6 +135,7 @@ if (errCode != GNUTLS_E_SUCCESS) { session.reset(); errAction = "failed to initialize session"; + debugs(83, DBG_IMPORTANT, "TLS error: " << errAction << ": " << Security::ErrorString(errCode)); } #endif 
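Review bot: `debugs(83, 0, "gnutls_certificate_credentials destruct this=" << (void*)p);` logs at level 0, the highest-priority level, which is shown under the default `ALL,1` debug_options; on a GnuTLS build every credentials teardown would therefore land in cache.log, while the matching construct message three lines above and both OpenSSL messages in this hunk use level 5. This looks like a typo for `debugs(83, 5, "gnutls_certificate_credentials destruct this=" << (void*)p);`. The template declaration at the top of the hunk lost its angle brackets in this rendering, so the exact signature is not readable here.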
@@ -148,10 +150,7 @@
 errCode = gnutls_credentials_set(session.get(), GNUTLS_CRD_CERTIFICATE, ctx.get());
 if (errCode == GNUTLS_E_SUCCESS) {
- if (auto *peer = conn->getPeer())
- peer->secure.updateSessionOptions(session);
- else
- Security::ProxyOutgoingConfig.updateSessionOptions(session);
+ opts.updateSessionOptions(session);
 // NP: GnuTLS does not yet support the BIO operations
 // this does the equivalent of SSL_set_fd() for now.
@@ -184,13 +183,17 @@
 bool
 Security::CreateClientSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx)
 {
- return CreateSession(ctx, c, Security::Io::BIO_TO_SERVER, squidCtx);
+ if (!c || !c->getPeer())
+ return CreateSession(ctx, c, Security::ProxyOutgoingConfig, Security::Io::BIO_TO_SERVER, squidCtx);
+
+ auto *peer = c->getPeer();
+ return CreateSession(ctx, c, peer->secure, Security::Io::BIO_TO_SERVER, squidCtx);
 }
 bool
-Security::CreateServerSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx)
+Security::CreateServerSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, Security::PeerOptions &o, const char *squidCtx)
 {
- return CreateSession(ctx, c, Security::Io::BIO_TO_CLIENT, squidCtx);
+ return CreateSession(ctx, c, o, Security::Io::BIO_TO_CLIENT, squidCtx);
 }
 void
diff -u -r -N squid-4.7/src/security/Session.h squid-4.8/src/security/Session.h
--- squid-4.7/src/security/Session.h 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/security/Session.h 2019-07-10 07:05:20.000000000 +1200
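Review bot: In CreateClientSession() `c->getPeer()` is evaluated twice, once in the guard and again to obtain `peer`, and that shape makes the reader check that the result cannot change between the calls; a single lookup reads more directly and keeps the nil-connection case intact, since CreateSession() itself rejects a connection that fails Comm::IsConnOpen() before using it: `if (auto *peer = !c ? nullptr : c->getPeer())` / `return CreateSession(ctx, c, peer->secure, Security::Io::BIO_TO_SERVER, squidCtx);` / `return CreateSession(ctx, c, Security::ProxyOutgoingConfig, Security::Io::BIO_TO_SERVER, squidCtx);`. The body of CreateSession() that consumes `opts` starts before this hunk.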
@@ -34,9 +34,11 @@
 /// On errors, emits DBG_IMPORTANT with details and returns false.
 bool CreateClientSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx);
+class PeerOptions;
+
 /// Creates TLS Server connection structure (aka 'session' state) and initializes TLS/SSL I/O (Comm and BIO).
 /// On errors, emits DBG_IMPORTANT with details and returns false.
-bool CreateServerSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx);
+bool CreateServerSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, Security::PeerOptions &, const char *squidCtx);
 #if USE_OPENSSL
 typedef std::shared_ptr SessionPointer;
diff -u -r -N squid-4.7/src/servers/Http1Server.cc squid-4.8/src/servers/Http1Server.cc
--- squid-4.7/src/servers/Http1Server.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/servers/Http1Server.cc 2019-07-10 07:05:20.000000000 +1200
@@ -305,6 +305,7 @@
 }
 assert(rep);
+ HTTPMSGUNLOCK(http->al->reply);
 http->al->reply = rep;
 HTTPMSGLOCK(http->al->reply);
 context->sendStartOfMessage(rep, receivedData);
diff -u -r -N squid-4.7/src/ssl/PeekingPeerConnector.cc squid-4.8/src/ssl/PeekingPeerConnector.cc
--- squid-4.7/src/ssl/PeekingPeerConnector.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/ssl/PeekingPeerConnector.cc 2019-07-10 07:05:20.000000000 +1200
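Review bot: The added `HTTPMSGUNLOCK(http->al->reply);` in Http1Server.cc closes the lock leak that overwriting an already-locked `al->reply` caused, but the reader has to infer that from the LOCK two lines below; suggest `// release any reply already attached to the access-log entry before replacing it` above the new line. Whether `http->al->reply` can actually be non-nil at this point (an earlier reply for the same transaction) is not visible in the hunk, and the enclosing function starts before it.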
@@ -185,7 +185,7 @@
 srvBio->mode(csd->sslBumpMode);
 } else {
 // Set client SSL options
- SSL_set_options(serverSession.get(), ::Security::ProxyOutgoingConfig.parsedOptions);
+ ::Security::ProxyOutgoingConfig.updateSessionOptions(serverSession);
 const bool redirected = request->flags.redirected && ::Config.onoff.redir_rewrites_host;
 const char *sniServer = (!hostName || redirected) ?
diff -u -r -N squid-4.7/src/store/id_rewriters/file/storeid_file_rewrite.8 squid-4.8/src/store/id_rewriters/file/storeid_file_rewrite.8
--- squid-4.7/src/store/id_rewriters/file/storeid_file_rewrite.8 2019-05-07 02:07:34.000000000 +1200
+++ squid-4.8/src/store/id_rewriters/file/storeid_file_rewrite.8 2019-07-10 07:25:12.000000000 +1200
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "STOREID_FILE_REWRITE 8"
-.TH STOREID_FILE_REWRITE 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation"
+.TH STOREID_FILE_REWRITE 8 "2019-07-09" "perl v5.28.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.7/src/StoreStats.cc squid-4.8/src/StoreStats.cc
--- squid-4.7/src/StoreStats.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/StoreStats.cc 2019-07-10 07:05:20.000000000 +1200
@@ -12,13 +12,6 @@
 #include "StoreStats.h"
 #include "tools.h"
-/* StoreInfoStats */
-
-StoreInfoStats::StoreInfoStats()
-{
- memset(this, 0, sizeof(*this));
-}
 StoreInfoStats &
 StoreInfoStats::operator +=(const StoreInfoStats &stats)
 {
diff -u -r -N squid-4.7/src/StoreStats.h squid-4.8/src/StoreStats.h
--- squid-4.7/src/StoreStats.h 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/StoreStats.h 2019-07-10 07:05:20.000000000 +1200
@@ -17,9 +17,9 @@ class Part { public: - double size; ///< bytes currently in use - double count; ///< number of cached objects - double capacity; ///< the size limit + double size = 0.0; ///< bytes currently in use + double count = 0.0; ///< number of cached objects + double capacity = 0.0; ///< the size limit /// mean size of a cached object double meanObjectSize() const { return count > 0 ? size/count : 0.0; } @@ -32,25 +32,24 @@ class Swap: public Part { public: - double open_disk_fd; ///< number of opened disk files + double open_disk_fd = 0.0; ///< number of opened disk files }; /// memory cache (cache_mem) storage stats class Mem: public Part { public: - bool shared; ///< whether memory cache is shared among workers + bool shared = false; ///< whether memory cache is shared among workers }; - StoreInfoStats(); StoreInfoStats &operator +=(const StoreInfoStats &stats); Swap swap; ///< cache_mem stats Mem mem; ///< all cache_dirs stats /* stats that could be shared by memory and disk storage */ - double store_entry_count; ///< number of StoreEntry objects in existence - double mem_object_count; ///< number of MemObject objects in existence + double store_entry_count = 0.0; ///< number of StoreEntry objects in existence + double mem_object_count = 0.0; ///< number of MemObject objects in existence }; // TODO: this should be adjusted for use in StoreIoActionData, DiskdActionData diff -u -r -N squid-4.7/src/StoreSwapLogData.cc squid-4.8/src/StoreSwapLogData.cc --- squid-4.7/src/StoreSwapLogData.cc 2019-05-07 01:53:49.000000000 +1200 +++ squid-4.8/src/StoreSwapLogData.cc 2019-07-10 07:05:20.000000000 +1200 
@@ -49,11 +49,6 @@
 return os << raw[0] << '-' << raw[1] << '-' << raw[2];
 }
-StoreSwapLogData::StoreSwapLogData()
-{
- memset(this, 0, sizeof(*this));
-}
 bool
 StoreSwapLogData::sane() const
 {
diff -u -r -N squid-4.7/src/StoreSwapLogData.h squid-4.8/src/StoreSwapLogData.h
--- squid-4.7/src/StoreSwapLogData.h 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/StoreSwapLogData.h 2019-07-10 07:05:20.000000000 +1200
@@ -90,8 +90,6 @@
 /// type to use for storing time-related members; must be signed
 typedef int64_t SwappedTime;
- StoreSwapLogData();
-
 /// consistency self-check: whether the data appears to make sense
 bool sane() const;
@@ -102,7 +100,7 @@
 * Either SWAP_LOG_ADD when an object is added to the disk storage,
 * or SWAP_LOG_DEL when an object is deleted.
 */
- uint8_t op;
+ uint8_t op = 0;
 /**
 * Fingerprint to weed out bogus/corrupted swap.state entries.
@@ -116,7 +114,7 @@
 * are set at run time because the order of storage directories
 * may change over time.
 */
- sfileno swap_filen;
+ sfileno swap_filen = 0;
 /**
 * A Unix time value that represents the time when
@@ -125,12 +123,12 @@
 * to that time. Otherwise, it is set to the Squid process time
 * when the response is read (as soon as the end of headers are found).
 */
- SwappedTime timestamp;
+ SwappedTime timestamp = 0;
 /**
 * The last time that a client requested this object.
 */
- SwappedTime lastref;
+ SwappedTime lastref = 0;
 /**
 * The value of the response's Expires: header, if any.
@@ -141,20 +139,20 @@
 * where Squid sets expires to -2. This happens for the
 * internal "netdb" object and for FTP URL responses.
 */
- SwappedTime expires;
+ SwappedTime expires = 0;
 /**
 * The value of the response's Last-modified: header, if any.
 * This is set to -1 if there is no Last-modified: header,
 * or if it is unparseable.
 */
- SwappedTime lastmod;
+ SwappedTime lastmod = 0;
 /**
 * This is the number of bytes that the object occupies on
 * disk. It includes the Squid "swap file header".
 */
- uint64_t swap_file_sz;
+ uint64_t swap_file_sz = 0;
 /**
 * The number of times that this object has been accessed (referenced).
@@ -168,12 +166,12 @@
 * check when rebuilding the cache at startup. Objects that
 * have the KEY_PRIVATE flag set are not added back to the cache.
 */
- uint16_t flags;
+ uint16_t flags = 0;
 /**
 * The 128-bit MD5 hash for this object.
 */
- unsigned char key[SQUID_MD5_DIGEST_LENGTH];
+ unsigned char key[SQUID_MD5_DIGEST_LENGTH] = {};
 };
 /// \ingroup FileFormatSwapStateAPI
diff -u -r -N squid-4.7/src/tests/stub_libsecurity.cc squid-4.8/src/tests/stub_libsecurity.cc
--- squid-4.7/src/tests/stub_libsecurity.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/tests/stub_libsecurity.cc 2019-07-10 07:05:20.000000000 +1200
@@ -110,7 +110,7 @@
 #include "security/Session.h"
 namespace Security {
 bool CreateClientSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *) STUB_RETVAL(false)
-bool CreateServerSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *) STUB_RETVAL(false)
+bool CreateServerSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, Security::PeerOptions &, const char *) STUB_RETVAL(false)
 void SessionSendGoodbye(const Security::SessionPointer &) STUB
 bool SessionIsResumed(const Security::SessionPointer &) STUB_RETVAL(false)
 void MaybeGetSessionResumeData(const Security::SessionPointer &, Security::SessionStatePointer &) STUB
diff -u -r -N squid-4.7/src/tests/stub_store_stats.cc squid-4.8/src/tests/stub_store_stats.cc
--- squid-4.7/src/tests/stub_store_stats.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/src/tests/stub_store_stats.cc 2019-07-10 07:05:20.000000000 +1200
@@ -14,8 +14,6 @@
 #include "StoreStats.h"
 #include
-StoreInfoStats::StoreInfoStats() STUB
-
 StoreInfoStats &
 StoreInfoStats::operator +=(const StoreInfoStats &stats) STUB_RETVAL(*this)
diff -u -r -N squid-4.7/tools/cachemgr.cc squid-4.8/tools/cachemgr.cc
--- squid-4.7/tools/cachemgr.cc 2019-05-07 01:53:49.000000000 +1200
+++ squid-4.8/tools/cachemgr.cc 2019-07-10 07:05:20.000000000 +1200
@@ -355,7 +355,7 @@ printf("Manager name:\n", user_name); + printf("size=\"30\" VALUE=\"%s\">\n", rfc1738_escape(user_name)); printf("Password:hostname, req->port, - safe_str(req->user_name), + rfc1738_escape(safe_str(req->user_name)), action, safe_str(req->pub_auth)); return url;
@@ -1074,8 +1074,8 @@
 const int bufLen = snprintf(buf, sizeof(buf), "%s|%d|%s|%s",
 req->hostname,
 (int) now,
- req->user_name ? req->user_name : "",
- req->passwd);
+ rfc1738_escape(safe_str(req->user_name)),
+ rfc1738_escape(req->passwd));
 debug("cmgr: pre-encoded for pub: %s\n", buf);
 const int encodedLen = base64_encode_len(bufLen);
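Review bot: The two `rfc1738_escape()` calls placed in the same `snprintf()` argument list in the @@ -1074 hunk are only correct if each call returns its own buffer; Squid's escaper in lib/rfc1738.c has returned one static buffer reused by every call, and if that is still the case here both arguments point at the same string, so whichever of user name or password was escaped last (argument evaluation order is unspecified) is written into both fields of the token. Copy the first result before the second call, e.g. `char *u = xstrdup(rfc1738_escape(safe_str(req->user_name)));` passed as the third argument, with `xfree(u);` after the `snprintf()`. Escaping also expands each unsafe byte to three characters, so the fixed-size `buf` truncates more easily than before; `snprintf()` returns the untruncated length and `bufLen` feeds `base64_encode_len()`, so a guard such as `if (bufLen < 0 || static_cast<size_t>(bufLen) >= sizeof(buf))` should skip the encoding on truncation. The enclosing function starts and ends outside the hunk.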
@@ -1091,11 +1091,8 @@
 static void
 decode_pub_auth(cachemgr_request * req)
 {
- char *buf;
 const char *host_name;
 const char *time_str;
- const char *user_name;
- const char *passwd;
 debug("cmgr: decoding pub: '%s'\n", safe_str(req->pub_auth));
 safe_free(req->passwd);
@@ -1103,16 +1100,17 @@
 if (!req->pub_auth || strlen(req->pub_auth) < 4 + strlen(safe_str(req->hostname)))
 return;
- size_t decodedLen = BASE64_DECODE_LENGTH(strlen(req->pub_auth));
- buf = (char*)xmalloc(decodedLen);
+ char *buf = static_cast(xmalloc(BASE64_DECODE_LENGTH(strlen(req->pub_auth))+1));
 struct base64_decode_ctx ctx;
 base64_decode_init(&ctx);
+ size_t decodedLen = 0;
 if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(buf), strlen(req->pub_auth), req->pub_auth) || !base64_decode_final(&ctx)) {
 debug("cmgr: base64 decode failure. Incomplete auth token string.\n");
 xfree(buf);
 return;
 }
+ buf[decodedLen] = '\0';
 debug("cmgr: length ok\n");
@@ -1131,17 +1129,21 @@
 debug("cmgr: decoded time: '%s' (now: %d)\n", time_str, (int) now);
+ char *user_name;
 if ((user_name = strtok(NULL, "|")) == NULL) {
 xfree(buf);
 return;
 }
+ rfc1738_unescape(user_name);
 debug("cmgr: decoded uname: '%s'\n", user_name);
+ char *passwd;
 if ((passwd = strtok(NULL, "|")) == NULL) {
 xfree(buf);
 return;
 }
+ rfc1738_unescape(passwd);
 debug("cmgr: decoded passwd: '%s'\n", passwd);
diff -u -r -N squid-4.7/tools/helper-mux/helper-mux.8 squid-4.8/tools/helper-mux/helper-mux.8
--- squid-4.7/tools/helper-mux/helper-mux.8 2019-05-07 02:07:36.000000000 +1200
+++ squid-4.8/tools/helper-mux/helper-mux.8 2019-07-10 07:25:15.000000000 +1200
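Review bot: `buf[decodedLen] = '\0';` in the @@ -1103 hunk is the actual fix for the unterminated buffer that the later `strtok()` calls walk, but nothing ties it to the `+1` in the allocation a few lines above, so a future cleanup of either line silently reintroduces the over-read; a comment such as `// the base64 decoder does not NUL-terminate; the +1 in the allocation reserves this byte for strtok()` next to the assignment would make the pairing explicit. Note that the `static_cast(...)` and `reinterpret_cast(...)` casts appear here with their template arguments stripped by the rendering of this diff. decode_pub_auth() continues past the end of the hunk.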
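Review bot: The two new `rfc1738_unescape()` calls in the @@ -1131 hunk are only meaningful because the encoder (the @@ -1074 hunk) now escapes the same two fields, and that pairing, which is what keeps a `|` inside a user name or password from splitting the token, is not stated anywhere; a comment such as `// fields were rfc1738_escape()d when the token was built so that '|' in a value cannot split it; undo that here` before the first call would document the contract. The escaping presumably covers `|`, which is worth confirming against lib/rfc1738.c since the parsing relies on it. decode_pub_auth() continues past the end of the hunk.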
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "HELPER-MUX 8"
-.TH HELPER-MUX 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation"
+.TH HELPER-MUX 8 "2019-07-09" "perl v5.28.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l