[thirdparty/squid.git] / src / acl / DestinationIp.cc

/*
 * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/* DEBUG: section 28    Access Control */

#include "squid.h"
#include "acl/DestinationIp.h"
#include "acl/FilledChecklist.h"
#include "client_side.h"
#include "comm/Connection.h"
#include "http/Stream.h"
#include "HttpRequest.h"
#include "SquidConfig.h"

char const *
ACLDestinationIP::typeString() const
{
    return "dst";
}

const Acl::Options &
ACLDestinationIP::options()
{
    static const Acl::BooleanOption LookupBan;
    static const Acl::Options MyOptions = { { "-n", &LookupBan } };
    LookupBan.linkWith(&lookupBanned);
    return MyOptions;
}

int
ACLDestinationIP::match(ACLChecklist *cl)
{
    ACLFilledChecklist *checklist = Filled(cl);

    // if there is no HTTP request details fallback to the dst_addr
    if (!checklist->request)
        return ACLIP::match(checklist->dst_addr);

    // Bug 3243: CVE 2009-0801
    // Bypass of browser same-origin access control in intercepted communication
    // To resolve this we will force DIRECT and only to the original client destination.
    // In which case, we also need this ACL to accurately match the destination
    if (Config.onoff.client_dst_passthru && (checklist->request->flags.intercepted || checklist->request->flags.interceptTproxy)) {
        const auto conn = checklist->conn();
        return (conn && conn->clientConnection) ?
               ACLIP::match(conn->clientConnection->local) : -1;
    }

    if (lookupBanned) {
        if (!checklist->request->url.hostIsNumeric()) {
            debugs(28, 3, "No-lookup DNS ACL '" << AclMatchedName << "' for " << checklist->request->url.host());
            return 0;
        }

        if (ACLIP::match(checklist->request->url.hostIP()))
            return 1;
        return 0;
    }

    const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->url.host(), IP_LOOKUP_IF_MISS);

    if (ia) {
        /* Entry in cache found */

        for (const auto &ip: ia->goodAndBad()) {
            if (ACLIP::match(ip))
                return 1;
        }

        return 0;
    } else if (!checklist->request->flags.destinationIpLookedUp) {
        /* No entry in cache, lookup not attempted */
        debugs(28, 3, "can't yet compare '" << name << "' ACL for " << checklist->request->url.host());
        if (checklist->goAsync(DestinationIPLookup::Instance()))
            return -1;
        // else fall through to mismatch, hiding the lookup failure (XXX)
    }

    return 0;
}

DestinationIPLookup DestinationIPLookup::instance_;

DestinationIPLookup *
DestinationIPLookup::Instance()
{
    return &instance_;
}

void
DestinationIPLookup::checkForAsync(ACLChecklist *cl)const
{
    ACLFilledChecklist *checklist = Filled(cl);
    ipcache_nbgethostbyname(checklist->request->url.host(), LookupDone, checklist);
}

void
DestinationIPLookup::LookupDone(const ipcache_addrs *, const Dns::LookupDetails &details, void *data)
{
    ACLFilledChecklist *checklist = Filled((ACLChecklist*)data);
    checklist->request->flags.destinationIpLookedUp = true;
    checklist->request->recordLookup(details);
    checklist->resumeNonBlockingCheck(DestinationIPLookup::Instance());
}

ACL *
ACLDestinationIP::clone() const
{
    return new ACLDestinationIP(*this);
}
Commit	Line	Data
8000a965	1	/*
f70aedc4	2	* Copyright (C) 1996-2021 The Squid Software Foundation and contributors
8000a965	3	*
bbc27441 AJ	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
8000a965	7	*/
8000a965	8
bbc27441 AJ	9	/* DEBUG: section 28 Access Control */
bbc27441 AJ	10
582c2af2	11	#include "squid.h"
c0941a6a AR	12	#include "acl/DestinationIp.h"
c0941a6a AR	13	#include "acl/FilledChecklist.h"
582c2af2	14	#include "client_side.h"
bfe4e2fe	15	#include "comm/Connection.h"
d3dddfb5	16	#include "http/Stream.h"
a2ac85d9	17	#include "HttpRequest.h"
4d5904f7	18	#include "SquidConfig.h"
8000a965	19
8000a965	20	char const *
	21	ACLDestinationIP::typeString() const
	22	{
	23	return "dst";
	24	}
	25
4eac3407 CT	26	const Acl::Options &
	27	ACLDestinationIP::options()
	28	{
	29	static const Acl::BooleanOption LookupBan;
	30	static const Acl::Options MyOptions = { { "-n", &LookupBan } };
	31	LookupBan.linkWith(&lookupBanned);
	32	return MyOptions;
	33	}
	34
8000a965	35	int
c0941a6a	36	ACLDestinationIP::match(ACLChecklist *cl)
8000a965	37	{
af6a12ee	38	ACLFilledChecklist *checklist = Filled(cl);
bfe4e2fe	39
a3c5c081 AJ	40	// if there is no HTTP request details fallback to the dst_addr
	41	if (!checklist->request)
	42	return ACLIP::match(checklist->dst_addr);
	43
bfe4e2fe AJ	44	// Bug 3243: CVE 2009-0801
	45	// Bypass of browser same-origin access control in intercepted communication
	46	// To resolve this we will force DIRECT and only to the original client destination.
	47	// In which case, we also need this ACL to accurately match the destination
0d901ef4	48	if (Config.onoff.client_dst_passthru && (checklist->request->flags.intercepted \|\| checklist->request->flags.interceptTproxy)) {
6cf166fc EB	49	const auto conn = checklist->conn();
6cf166fc EB	50	return (conn && conn->clientConnection) ?
ff89bfa0	51	ACLIP::match(conn->clientConnection->local) : -1;
bfe4e2fe AJ	52	}
bfe4e2fe AJ	53
4eac3407	54	if (lookupBanned) {
5c51bffb AJ	55	if (!checklist->request->url.hostIsNumeric()) {
5c51bffb AJ	56	debugs(28, 3, "No-lookup DNS ACL '" << AclMatchedName << "' for " << checklist->request->url.host());
33810b1d CT	57	return 0;
	58	}
	59
5c51bffb	60	if (ACLIP::match(checklist->request->url.hostIP()))
33810b1d CT	61	return 1;
	62	return 0;
	63	}
	64
5c51bffb	65	const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->url.host(), IP_LOOKUP_IF_MISS);
62e76326	66
8000a965	67	if (ia) {
62e76326	68	/* Entry in cache found */
62e76326	69
b4bae09e	70	for (const auto &ip: ia->goodAndBad()) {
fd9c47d1	71	if (ACLIP::match(ip))
62e76326	72	return 1;
	73	}
	74
	75	return 0;
450fe1cb	76	} else if (!checklist->request->flags.destinationIpLookedUp) {
62e76326	77	/* No entry in cache, lookup not attempted */
5c51bffb	78	debugs(28, 3, "can't yet compare '" << name << "' ACL for " << checklist->request->url.host());
6f58d7d7 AR	79	if (checklist->goAsync(DestinationIPLookup::Instance()))
	80	return -1;
	81	// else fall through to mismatch, hiding the lookup failure (XXX)
8000a965	82	}
6f58d7d7 AR	83
6f58d7d7 AR	84	return 0;
8000a965	85	}
	86
	87	DestinationIPLookup DestinationIPLookup::instance_;
	88
	89	DestinationIPLookup *
	90	DestinationIPLookup::Instance()
	91	{
	92	return &instance_;
	93	}
	94
	95	void
c0941a6a	96	DestinationIPLookup::checkForAsync(ACLChecklist *cl)const
8000a965	97	{
af6a12ee	98	ACLFilledChecklist *checklist = Filled(cl);
5c51bffb	99	ipcache_nbgethostbyname(checklist->request->url.host(), LookupDone, checklist);
8000a965	100	}
	101
	102	void
4a3b98d7	103	DestinationIPLookup::LookupDone(const ipcache_addrs , const Dns::LookupDetails &details, void data)
8000a965	104	{
3ff65596	105	ACLFilledChecklist checklist = Filled((ACLChecklist)data);
e857372a	106	checklist->request->flags.destinationIpLookedUp = true;
3ff65596	107	checklist->request->recordLookup(details);
6f58d7d7	108	checklist->resumeNonBlockingCheck(DestinationIPLookup::Instance());
8000a965	109	}
8000a965	110
8000a965	111	ACL *
	112	ACLDestinationIP::clone() const
	113	{
	114	return new ACLDestinationIP(*this);
	115	}
f53969cc	116