2 * Copyright (C) 1996-2019 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 28 Access Control */
12 #include "acl/DestinationIp.h"
13 #include "acl/FilledChecklist.h"
14 #include "client_side.h"
15 #include "comm/Connection.h"
16 #include "http/Stream.h"
17 #include "HttpRequest.h"
18 #include "SquidConfig.h"
21 ACLDestinationIP::typeString() const
27 ACLDestinationIP::options()
29 static const Acl::BooleanOption LookupBan
;
30 static const Acl::Options MyOptions
= { { "-n", &LookupBan
} };
31 LookupBan
.linkWith(&lookupBanned
);
36 ACLDestinationIP::match(ACLChecklist
*cl
)
38 ACLFilledChecklist
*checklist
= Filled(cl
);
40 // if there is no HTTP request details fallback to the dst_addr
41 if (!checklist
->request
)
42 return ACLIP::match(checklist
->dst_addr
);
44 // Bug 3243: CVE 2009-0801
45 // Bypass of browser same-origin access control in intercepted communication
46 // To resolve this we will force DIRECT and only to the original client destination.
47 // In which case, we also need this ACL to accurately match the destination
48 if (Config
.onoff
.client_dst_passthru
&& (checklist
->request
->flags
.intercepted
|| checklist
->request
->flags
.interceptTproxy
)) {
49 const auto conn
= checklist
->conn();
50 return (conn
&& conn
->clientConnection
) ?
51 ACLIP::match(conn
->clientConnection
->local
) : -1;
55 if (!checklist
->request
->url
.hostIsNumeric()) {
56 debugs(28, 3, "No-lookup DNS ACL '" << AclMatchedName
<< "' for " << checklist
->request
->url
.host());
60 if (ACLIP::match(checklist
->request
->url
.hostIP()))
65 const ipcache_addrs
*ia
= ipcache_gethostbyname(checklist
->request
->url
.host(), IP_LOOKUP_IF_MISS
);
68 /* Entry in cache found */
70 for (const auto ip
: ia
->goodAndBad()) {
76 } else if (!checklist
->request
->flags
.destinationIpLookedUp
) {
77 /* No entry in cache, lookup not attempted */
78 debugs(28, 3, "can't yet compare '" << name
<< "' ACL for " << checklist
->request
->url
.host());
79 if (checklist
->goAsync(DestinationIPLookup::Instance()))
81 // else fall through to mismatch, hiding the lookup failure (XXX)
/// The single process-wide async-state object handed to goAsync() and
/// resumeNonBlockingCheck(). Per-check state is not kept here: it lives in
/// the ACLFilledChecklist that checkForAsync() passes through to LookupDone().
DestinationIPLookup DestinationIPLookup::instance_;
90 DestinationIPLookup::Instance()
/// Starts the non-blocking DNS lookup for the request's destination host.
/// Reached after ACLDestinationIP::match() hands this state to
/// checklist->goAsync(); the answer arrives in LookupDone(), which receives
/// `checklist` back as the opaque callback data.
void
DestinationIPLookup::checkForAsync(ACLChecklist *cl)const
{
    ACLFilledChecklist *checklist = Filled(cl);
    // NOTE(review): checklist->request is dereferenced without a null check.
    // ACLDestinationIP::match() returns early when there is no request, so
    // this relies on that caller invariant rather than re-checking it here.
    ipcache_nbgethostbyname(checklist->request->url.host(), LookupDone, checklist);
}
/// ipcache completion callback for the lookup started in checkForAsync().
/// Marks the request as looked up -- so a re-run of ACLDestinationIP::match()
/// does not go async a second time and instead falls through to a mismatch
/// if the cache still has no entry -- records the DNS details on the request,
/// and resumes the suspended checklist.
/// @param details lookup outcome recorded on the request for logging.
/// @param data    the ACLFilledChecklist registered as callback data by checkForAsync().
void
DestinationIPLookup::LookupDone(const ipcache_addrs *, const Dns::LookupDetails &details, void *data)
{
    // C-style cast of the opaque callback pointer (flag in review; a
    // static_cast would make the intent greppable). `data` is the checklist
    // that checkForAsync() passed in, so the target type matches.
    ACLFilledChecklist *checklist = Filled((ACLChecklist*)data);
    // The resolved addresses (first parameter) are not consumed here; the
    // resumed match() re-queries the ipcache itself.
    checklist->request->flags.destinationIpLookedUp = true;
    checklist->request->recordLookup(details);
    checklist->resumeNonBlockingCheck(DestinationIPLookup::Instance());
}
/// Polymorphic copy of this ACL, produced via the copy constructor.
/// Ownership of the returned object passes to the caller.
ACL *
ACLDestinationIP::clone() const
{
    return new ACLDestinationIP(*this);
}