8000a965 | 1 | /* |
8000a965 | 2 | * DEBUG: section 28 Access Control |
3 | * AUTHOR: Duane Wessels | |
4 | * | |
5 | * SQUID Web Proxy Cache http://www.squid-cache.org/ | |
6 | * ---------------------------------------------------------- | |
7 | * | |
8 | * Squid is the result of efforts by numerous individuals from | |
9 | * the Internet community; see the CONTRIBUTORS file for full | |
10 | * details. Many organizations have provided support for Squid's | |
11 | * development; see the SPONSORS file for full details. Squid is | |
12 | * Copyrighted (C) 2001 by the Regents of the University of | |
13 | * California; see the COPYRIGHT file for full details. Squid | |
14 | * incorporates software developed and/or copyrighted by other | |
15 | * sources; see the CREDITS file for full details. | |
16 | * | |
17 | * This program is free software; you can redistribute it and/or modify | |
18 | * it under the terms of the GNU General Public License as published by | |
19 | * the Free Software Foundation; either version 2 of the License, or | |
20 | * (at your option) any later version. | |
26ac0430 | 21 | * |
8000a965 | 22 | * This program is distributed in the hope that it will be useful, |
23 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
24 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
25 | * GNU General Public License for more details. | |
26ac0430 | 26 | * |
8000a965 | 27 | * You should have received a copy of the GNU General Public License |
28 | * along with this program; if not, write to the Free Software | |
29 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
30 | * | |
31 | * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org> | |
32 | */ | |
33 | ||
582c2af2 | 34 | #include "squid.h" |
35 | #include "acl/DestinationIp.h" |
36 | #include "acl/FilledChecklist.h" | |
582c2af2 | 37 | #include "client_side.h" |
bfe4e2fe | 38 | #include "comm/Connection.h" |
a2ac85d9 | 39 | #include "HttpRequest.h" |
4d5904f7 | 40 | #include "SquidConfig.h" |
8000a965 | 41 | |
// Flags this ACL type supports. ACL_F_NO_LOOKUP is honoured in match()
// (it forbids the DNS lookup); ACL_F_END presumably terminates the array.
ACLFlag ACLDestinationIP::SupportedFlags[] = {ACL_F_NO_LOOKUP, ACL_F_END};
43 | ||
/**
 * Type name identifying this ACL class.
 * \return a static NUL-terminated string ("dst"); callers must not free it.
 */
char const *
ACLDestinationIP::typeString() const
{
    static char const kTypeName[] = "dst";
    return kTypeName;
}
49 | ||
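/**
 * Match the request's destination against the IP ranges of this ACL.
 *
 * Three sources of "destination" are used, in priority order:
 *  1. With client_dst_passthru on and an intercepted (NAT/TPROXY) request, the
 *     local address of the client's TCP connection is matched. This is the
 *     address the client actually connected to, not a name taken from the
 *     request, which is what closes the same-origin bypass of CVE-2009-0801.
 *  2. With the no-lookup flag, only a numeric request host is compared; a
 *     hostname is treated as a non-match without any DNS traffic.
 *  3. Otherwise the IP cache is consulted; if the name is not cached yet the
 *     checklist is switched into the asynchronous DestinationIPLookup state
 *     and 0 is returned for now.
 *
 * \param cl  checklist being evaluated; must be an ACLFilledChecklist with
 *            a request attached (dereferenced without a null check here).
 * \return 1 on match, 0 on no match or when the answer is not yet known.
 */
int
ACLDestinationIP::match(ACLChecklist *cl)
{
    ACLFilledChecklist *checklist = Filled(cl);

    // Bug 3243: CVE 2009-0801
    // Bypass of browser same-origin access control in intercepted communication
    // To resolve this we will force DIRECT and only to the original client destination.
    // In which case, we also need this ACL to accurately match the destination
    if (Config.onoff.client_dst_passthru && (checklist->request->flags.intercepted || checklist->request->flags.interceptTproxy)) {
        // An intercepted request without a client connection is a programming
        // error: the original destination is only known from that connection.
        assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
        return ACLIP::match(checklist->conn()->clientConnection->local);
    }

    if (flags.isSet(ACL_F_NO_LOOKUP)) {
        // The operator asked for no DNS: a hostname cannot be matched, so it
        // is a non-match rather than a trigger for a lookup.
        if (!checklist->request->GetHostIsNumeric()) {
            debugs(28, 3, "aclMatchAcl: No-lookup DNS ACL '" << AclMatchedName << "' for '" << checklist->request->GetHost() << "'");
            return 0;
        }

        if (ACLIP::match(checklist->request->host_addr))
            return 1;
        return 0;
    }

    const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->GetHost(), IP_LOOKUP_IF_MISS);

    if (ia) {
        /* Entry in cache found */

        // Any one of the resolved addresses matching is enough.
        for (int k = 0; k < static_cast<int>(ia->count); ++k) {
            if (ACLIP::match(ia->in_addrs[k]))
                return 1;
        }

        return 0;
    } else if (!checklist->request->flags.destinationIpLookedUp) {
        /* No entry in cache, lookup not attempted */
        // Defer: DestinationIPLookup::checkForAsync() starts the lookup and
        // LookupDone() re-runs the checklist once the answer arrives.
        debugs(28, 3, "aclMatchAcl: Can't yet compare '" << name << "' ACL for '" << checklist->request->GetHost() << "'");
        checklist->changeState (DestinationIPLookup::Instance());
        return 0;
    } else {
        // Lookup already attempted and still nothing in the cache
        // (presumably resolution failed): treat as no match.
        return 0;
    }
}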
95 | ||
// The single shared state object handed out by Instance().
DestinationIPLookup DestinationIPLookup::instance_;
97 | ||
/**
 * \return the process-wide DestinationIPLookup state object. The pointer is
 *         also used as an identity token (see LookupDone's assert).
 */
DestinationIPLookup *
DestinationIPLookup::Instance()
{
    return &instance_;
}
103 | ||
/**
 * Start the non-blocking DNS lookup of the request host.
 * Marks the checklist as having async work in progress before the lookup is
 * issued, so the state is consistent even if the callback fires immediately.
 * LookupDone() receives the checklist as its opaque callback data.
 *
 * \param cl  checklist whose evaluation is suspended; must be an
 *            ACLFilledChecklist with a request attached.
 */
void
DestinationIPLookup::checkForAsync(ACLChecklist *cl)const
{
    ACLFilledChecklist *checklist = Filled(cl);
    checklist->asyncInProgress(true);
    ipcache_nbgethostbyname(checklist->request->GetHost(), LookupDone, checklist);
}
111 | ||
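/**
 * IP-cache callback: the lookup requested by checkForAsync() has completed.
 *
 * The resolved addresses are not used here; the checklist is re-evaluated and
 * ACLDestinationIP::match() reads the result from the IP cache. Whether the
 * lookup succeeded or failed, destinationIpLookedUp is set so that the next
 * match() attempt does not defer again.
 *
 * \param details  DNS timing/details recorded on the request.
 * \param data     the ACLChecklist passed to ipcache_nbgethostbyname().
 *                 NOTE(review): relies on the checklist still being alive when
 *                 the callback fires — confirm the lifetime guarantee at the
 *                 call site.
 */
void
DestinationIPLookup::LookupDone(const ipcache_addrs *, const DnsLookupDetails &details, void *data)
{
    // Named cast from the opaque callback pointer instead of a C-style cast.
    ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
    // A callback for a checklist not in our state indicates a logic error.
    assert (checklist->asyncState() == DestinationIPLookup::Instance());
    checklist->request->flags.destinationIpLookedUp = true;
    checklist->request->recordLookup(details);
    checklist->asyncInProgress(false);
    // Leave the async state before resuming, so the resumed match() starts
    // from the neutral state.
    checklist->changeState (ACLChecklist::NullState::Instance());
    checklist->matchNonBlocking();
}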
123 | ||
/**
 * Polymorphic copy.
 * \return a heap-allocated copy of this ACL; ownership passes to the caller.
 */
ACL *
ACLDestinationIP::clone() const
{
    return new ACLDestinationIP(*this);
}