[thirdparty/squid.git] / src / acl / DestinationIp.cc

/*
 * DEBUG: section 28    Access Control
 * AUTHOR: Duane Wessels
 *
 * SQUID Web Proxy Cache          http://www.squid-cache.org/
 * ----------------------------------------------------------
 *
 *  Squid is the result of efforts by numerous individuals from
 *  the Internet community; see the CONTRIBUTORS file for full
 *  details.   Many organizations have provided support for Squid's
 *  development; see the SPONSORS file for full details.  Squid is
 *  Copyrighted (C) 2001 by the Regents of the University of
 *  California; see the COPYRIGHT file for full details.  Squid
 *  incorporates software developed and/or copyrighted by other
 *  sources; see the CREDITS file for full details.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
 *
 * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
 */

#include "squid.h"
#include "acl/DestinationIp.h"
#include "acl/FilledChecklist.h"
#include "client_side.h"
#include "comm/Connection.h"
#include "HttpRequest.h"
#include "SquidConfig.h"

ACLFlag ACLDestinationIP::SupportedFlags[] = {ACL_F_NO_LOOKUP, ACL_F_END};

char const *
ACLDestinationIP::typeString() const
{
    return "dst";
}

int
ACLDestinationIP::match(ACLChecklist *cl)
{
    ACLFilledChecklist *checklist = Filled(cl);

    // Bug 3243: CVE 2009-0801
    // Bypass of browser same-origin access control in intercepted communication
    // To resolve this we will force DIRECT and only to the original client destination.
    // In which case, we also need this ACL to accurately match the destination
    if (Config.onoff.client_dst_passthru && (checklist->request->flags.intercepted || checklist->request->flags.interceptTproxy)) {
        assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
        return ACLIP::match(checklist->conn()->clientConnection->local);
    }

    if (flags.isSet(ACL_F_NO_LOOKUP)) {
        if (!checklist->request->GetHostIsNumeric()) {
            debugs(28, 3, "aclMatchAcl:  No-lookup DNS ACL '" << AclMatchedName << "' for '" << checklist->request->GetHost() << "'");
            return 0;
        }

        if (ACLIP::match(checklist->request->host_addr))
            return 1;
        return 0;
    }

    const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->GetHost(), IP_LOOKUP_IF_MISS);

    if (ia) {
        /* Entry in cache found */

        for (int k = 0; k < (int) ia->count; ++k) {
            if (ACLIP::match(ia->in_addrs[k]))
                return 1;
        }

        return 0;
    } else if (!checklist->request->flags.destinationIpLookedUp) {
        /* No entry in cache, lookup not attempted */
        debugs(28, 3, "aclMatchAcl: Can't yet compare '" << name << "' ACL for '" << checklist->request->GetHost() << "'");
        checklist->changeState (DestinationIPLookup::Instance());
        return 0;
    } else {
        return 0;
    }
}

DestinationIPLookup DestinationIPLookup::instance_;

DestinationIPLookup *
DestinationIPLookup::Instance()
{
    return &instance_;
}

void
DestinationIPLookup::checkForAsync(ACLChecklist *cl)const
{
    ACLFilledChecklist *checklist = Filled(cl);
    checklist->asyncInProgress(true);
    ipcache_nbgethostbyname(checklist->request->GetHost(), LookupDone, checklist);
}

void
DestinationIPLookup::LookupDone(const ipcache_addrs *, const DnsLookupDetails &details, void *data)
{
    ACLFilledChecklist *checklist = Filled((ACLChecklist*)data);
    assert (checklist->asyncState() == DestinationIPLookup::Instance());
    checklist->request->flags.destinationIpLookedUp = true;
    checklist->request->recordLookup(details);
    checklist->asyncInProgress(false);
    checklist->changeState (ACLChecklist::NullState::Instance());
    checklist->matchNonBlocking();
}

ACL *
ACLDestinationIP::clone() const
{
    return new ACLDestinationIP(*this);
}
Commit	Line	Data
8000a965	1	/*
8000a965	2	* DEBUG: section 28 Access Control
	3	* AUTHOR: Duane Wessels
	4	*
	5	* SQUID Web Proxy Cache http://www.squid-cache.org/
	6	* ----------------------------------------------------------
	7	*
	8	* Squid is the result of efforts by numerous individuals from
	9	* the Internet community; see the CONTRIBUTORS file for full
	10	* details. Many organizations have provided support for Squid's
	11	* development; see the SPONSORS file for full details. Squid is
	12	* Copyrighted (C) 2001 by the Regents of the University of
	13	* California; see the COPYRIGHT file for full details. Squid
	14	* incorporates software developed and/or copyrighted by other
	15	* sources; see the CREDITS file for full details.
	16	*
	17	* This program is free software; you can redistribute it and/or modify
	18	* it under the terms of the GNU General Public License as published by
	19	* the Free Software Foundation; either version 2 of the License, or
	20	* (at your option) any later version.
26ac0430	21	*
8000a965	22	* This program is distributed in the hope that it will be useful,
	23	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	24	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	25	* GNU General Public License for more details.
26ac0430	26	*
8000a965	27	* You should have received a copy of the GNU General Public License
	28	* along with this program; if not, write to the Free Software
	29	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
	30	*
	31	* Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
	32	*/
	33
582c2af2	34	#include "squid.h"
c0941a6a AR	35	#include "acl/DestinationIp.h"
c0941a6a AR	36	#include "acl/FilledChecklist.h"
582c2af2	37	#include "client_side.h"
bfe4e2fe	38	#include "comm/Connection.h"
a2ac85d9	39	#include "HttpRequest.h"
4d5904f7	40	#include "SquidConfig.h"
8000a965	41
33810b1d CT	42	ACLFlag ACLDestinationIP::SupportedFlags[] = {ACL_F_NO_LOOKUP, ACL_F_END};
33810b1d CT	43
8000a965	44	char const *
	45	ACLDestinationIP::typeString() const
	46	{
	47	return "dst";
	48	}
	49
	50	int
c0941a6a	51	ACLDestinationIP::match(ACLChecklist *cl)
8000a965	52	{
af6a12ee	53	ACLFilledChecklist *checklist = Filled(cl);
bfe4e2fe AJ	54
	55	// Bug 3243: CVE 2009-0801
	56	// Bypass of browser same-origin access control in intercepted communication
	57	// To resolve this we will force DIRECT and only to the original client destination.
	58	// In which case, we also need this ACL to accurately match the destination
0d901ef4	59	if (Config.onoff.client_dst_passthru && (checklist->request->flags.intercepted \|\| checklist->request->flags.interceptTproxy)) {
bfe4e2fe AJ	60	assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
	61	return ACLIP::match(checklist->conn()->clientConnection->local);
	62	}
	63
33810b1d CT	64	if (flags.isSet(ACL_F_NO_LOOKUP)) {
	65	if (!checklist->request->GetHostIsNumeric()) {
	66	debugs(28, 3, "aclMatchAcl: No-lookup DNS ACL '" << AclMatchedName << "' for '" << checklist->request->GetHost() << "'");
	67	return 0;
	68	}
	69
aec45181	70	if (ACLIP::match(checklist->request->host_addr))
33810b1d CT	71	return 1;
	72	return 0;
	73	}
	74
cc192b50	75	const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->GetHost(), IP_LOOKUP_IF_MISS);
62e76326	76
8000a965	77	if (ia) {
62e76326	78	/* Entry in cache found */
62e76326	79
742a021b	80	for (int k = 0; k < (int) ia->count; ++k) {
62e76326	81	if (ACLIP::match(ia->in_addrs[k]))
	82	return 1;
	83	}
	84
	85	return 0;
450fe1cb	86	} else if (!checklist->request->flags.destinationIpLookedUp) {
62e76326	87	/* No entry in cache, lookup not attempted */
cc192b50	88	debugs(28, 3, "aclMatchAcl: Can't yet compare '" << name << "' ACL for '" << checklist->request->GetHost() << "'");
62e76326	89	checklist->changeState (DestinationIPLookup::Instance());
62e76326	90	return 0;
8000a965	91	} else {
656393e2	92	return 0;
8000a965	93	}
	94	}
	95
	96	DestinationIPLookup DestinationIPLookup::instance_;
	97
	98	DestinationIPLookup *
	99	DestinationIPLookup::Instance()
	100	{
	101	return &instance_;
	102	}
	103
	104	void
c0941a6a	105	DestinationIPLookup::checkForAsync(ACLChecklist *cl)const
8000a965	106	{
af6a12ee	107	ACLFilledChecklist *checklist = Filled(cl);
8000a965	108	checklist->asyncInProgress(true);
cc192b50	109	ipcache_nbgethostbyname(checklist->request->GetHost(), LookupDone, checklist);
8000a965	110	}
	111
	112	void
3ff65596	113	DestinationIPLookup::LookupDone(const ipcache_addrs , const DnsLookupDetails &details, void data)
8000a965	114	{
3ff65596	115	ACLFilledChecklist checklist = Filled((ACLChecklist)data);
8000a965	116	assert (checklist->asyncState() == DestinationIPLookup::Instance());
e857372a	117	checklist->request->flags.destinationIpLookedUp = true;
3ff65596	118	checklist->request->recordLookup(details);
8000a965	119	checklist->asyncInProgress(false);
8000a965	120	checklist->changeState (ACLChecklist::NullState::Instance());
2efeb0b7	121	checklist->matchNonBlocking();
8000a965	122	}
8000a965	123
8000a965	124	ACL *
	125	ACLDestinationIP::clone() const
	126	{
	127	return new ACLDestinationIP(*this);
	128	}