src/acl/DestinationIp.cc

   1 /*
   2  * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
   3  *
   4  * Squid software is distributed under GPLv2+ license and includes
   5  * contributions from numerous individuals and organizations.
   6  * Please see the COPYING and CONTRIBUTORS files for details.
   7  */
   8
   9 /* DEBUG: section 28    Access Control */
  10
  11 #include "squid.h"
  12 #include "acl/DestinationIp.h"
  13 #include "acl/FilledChecklist.h"
  14 #include "client_side.h"
  15 #include "comm/Connection.h"
  16 #include "HttpRequest.h"
  17 #include "SquidConfig.h"
  18
  19 ACLFlag ACLDestinationIP::SupportedFlags[] = {ACL_F_NO_LOOKUP, ACL_F_END};
  20
  21 char const *
  22 ACLDestinationIP::typeString() const
  23 {
  24     return "dst";
  25 }
  26
  27 int
  28 ACLDestinationIP::match(ACLChecklist *cl)
  29 {
  30     ACLFilledChecklist *checklist = Filled(cl);
  31
  32     // if there is no HTTP request details fallback to the dst_addr
  33     if (!checklist->request)
  34         return ACLIP::match(checklist->dst_addr);
  35
  36     // Bug 3243: CVE 2009-0801
  37     // Bypass of browser same-origin access control in intercepted communication
  38     // To resolve this we will force DIRECT and only to the original client destination.
  39     // In which case, we also need this ACL to accurately match the destination
  40     if (Config.onoff.client_dst_passthru && (checklist->request->flags.intercepted || checklist->request->flags.interceptTproxy)) {
  41         assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
  42         return ACLIP::match(checklist->conn()->clientConnection->local);
  43     }
  44
  45     if (flags.isSet(ACL_F_NO_LOOKUP)) {
  46         if (!checklist->request->url.hostIsNumeric()) {
  47             debugs(28, 3, "No-lookup DNS ACL '" << AclMatchedName << "' for " << checklist->request->url.host());
  48             return 0;
  49         }
  50
  51         if (ACLIP::match(checklist->request->url.hostIP()))
  52             return 1;
  53         return 0;
  54     }
  55
  56     const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->url.host(), IP_LOOKUP_IF_MISS);
  57
  58     if (ia) {
  59         /* Entry in cache found */
  60
  61         for (int k = 0; k < (int) ia->count; ++k) {
  62             if (ACLIP::match(ia->in_addrs[k]))
  63                 return 1;
  64         }
  65
  66         return 0;
  67     } else if (!checklist->request->flags.destinationIpLookedUp) {
  68         /* No entry in cache, lookup not attempted */
  69         debugs(28, 3, "can't yet compare '" << name << "' ACL for " << checklist->request->url.host());
  70         if (checklist->goAsync(DestinationIPLookup::Instance()))
  71             return -1;
  72         // else fall through to mismatch, hiding the lookup failure (XXX)
  73     }
  74
  75     return 0;
  76 }
  77
  78 DestinationIPLookup DestinationIPLookup::instance_;
  79
  80 DestinationIPLookup *
  81 DestinationIPLookup::Instance()
  82 {
  83     return &instance_;
  84 }
  85
  86 void
  87 DestinationIPLookup::checkForAsync(ACLChecklist *cl)const
  88 {
  89     ACLFilledChecklist *checklist = Filled(cl);
  90     ipcache_nbgethostbyname(checklist->request->url.host(), LookupDone, checklist);
  91 }
  92
  93 void
  94 DestinationIPLookup::LookupDone(const ipcache_addrs *, const Dns::LookupDetails &details, void *data)
  95 {
  96     ACLFilledChecklist *checklist = Filled((ACLChecklist*)data);
  97     checklist->request->flags.destinationIpLookedUp = true;
  98     checklist->request->recordLookup(details);
  99     checklist->resumeNonBlockingCheck(DestinationIPLookup::Instance());
 100 }
 101
 102 ACL *
 103 ACLDestinationIP::clone() const
 104 {
 105     return new ACLDestinationIP(*this);
 106 }
 107