8000a965 | 1 | /* |
4ac4a490 | 2 | * Copyright (C) 1996-2017 The Squid Software Foundation and contributors |
8000a965 | 3 | * |
bbc27441 AJ |
4 | * Squid software is distributed under GPLv2+ license and includes |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
8000a965 | 7 | */ |
8 | ||
bbc27441 AJ |
9 | /* DEBUG: section 28 Access Control */ |
10 | ||
582c2af2 | 11 | #include "squid.h" |
c0941a6a AR |
12 | #include "acl/DestinationIp.h" |
13 | #include "acl/FilledChecklist.h" | |
582c2af2 | 14 | #include "client_side.h" |
bfe4e2fe | 15 | #include "comm/Connection.h" |
d3dddfb5 | 16 | #include "http/Stream.h" |
a2ac85d9 | 17 | #include "HttpRequest.h" |
4d5904f7 | 18 | #include "SquidConfig.h" |
8000a965 | 19 | |
/// Name of this ACL type as it appears in squid.conf ("dst").
char const *
ACLDestinationIP::typeString() const
{
    static char const *const kTypeName = "dst";
    return kTypeName;
}
25 | ||
/// Option table for this ACL type. The only option is "-n", which sets
/// lookupBanned so that match() never triggers a DNS lookup.
/// NOTE(review): the option object is a function-local static that is
/// re-pointed at *this* instance's lookupBanned on every call, so it only
/// reflects the most recent caller; confirm options() is used strictly during
/// that instance's configuration parsing.
const Acl::Options &
ACLDestinationIP::options()
{
    static const Acl::BooleanOption noDnsOption;
    static const Acl::Options table = { { "-n", &noDnsOption } };
    noDnsOption.linkWith(&lookupBanned);
    return table;
}
34 | ||
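/// Matches the request destination against this ACL's IP list.
/// @param cl the checklist being evaluated; must be an ACLFilledChecklist
///           (see Filled())
/// @return 1 on match, 0 on mismatch, -1 when no answer is available yet
///         (an asynchronous DNS lookup was started) or the original client
///         connection needed for intercepted traffic is gone
int
ACLDestinationIP::match(ACLChecklist *cl)
{
    ACLFilledChecklist *checklist = Filled(cl);

    // if there is no HTTP request details fallback to the dst_addr
    if (!checklist->request)
        return ACLIP::match(checklist->dst_addr);

    // Bug 3243: CVE 2009-0801
    // Bypass of browser same-origin access control in intercepted communication
    // To resolve this we will force DIRECT and only to the original client destination.
    // In which case, we also need this ACL to accurately match the destination
    // Security: for intercepted requests the URL host is not used as the
    // destination at all; only the address the client actually connected to
    // (clientConnection->local) is matched.
    if (Config.onoff.client_dst_passthru && (checklist->request->flags.intercepted || checklist->request->flags.interceptTproxy)) {
        const auto conn = checklist->conn();
        // -1 when the original client connection is no longer available
        return (conn && conn->clientConnection) ?
               ACLIP::match(conn->clientConnection->local) : -1;
    }

    if (lookupBanned) {
        // "-n" option: never resolve names; only a numeric host can match
        if (!checklist->request->url.hostIsNumeric()) {
            debugs(28, 3, "No-lookup DNS ACL '" << AclMatchedName << "' for " << checklist->request->url.host());
            return 0;
        }

        if (ACLIP::match(checklist->request->url.hostIP()))
            return 1;
        return 0;
    }

    const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->url.host(), IP_LOOKUP_IF_MISS);

    if (ia) {
        /* Entry in cache found */

        // named cast instead of the C-style "(int)": same conversion, greppable intent
        for (int k = 0; k < static_cast<int>(ia->count); ++k) {
            if (ACLIP::match(ia->in_addrs[k]))
                return 1;
        }

        return 0;
    } else if (!checklist->request->flags.destinationIpLookedUp) {
        /* No entry in cache, lookup not attempted */
        debugs(28, 3, "can't yet compare '" << name << "' ACL for " << checklist->request->url.host());
        if (checklist->goAsync(DestinationIPLookup::Instance()))
            return -1;
        // else fall through to mismatch, hiding the lookup failure (XXX)
    }

    // NOTE(review): an unresolvable or failed lookup ends here as 0 (mismatch),
    // so a rule that relies on this ACL to deny will not fire for such names.
    return 0;
}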
86 | ||
/// The single shared DestinationIPLookup strategy handed out by Instance().
DestinationIPLookup DestinationIPLookup::instance_;
88 | ||
/// Returns the process-wide DestinationIPLookup used to suspend and resume
/// asynchronous ACL checks.
DestinationIPLookup *
DestinationIPLookup::Instance()
{
    DestinationIPLookup *const shared = &instance_;
    return shared;
}
94 | ||
/// Starts a non-blocking DNS lookup of the request URL host; LookupDone()
/// is invoked with the checklist when the answer arrives.
/// @param cl checklist; must be an ACLFilledChecklist carrying a request
void
DestinationIPLookup::checkForAsync(ACLChecklist *cl)const
{
    auto *const filled = Filled(cl);
    ipcache_nbgethostbyname(filled->request->url.host(), LookupDone, filled);
}
101 | ||
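/// ipcache callback: records the lookup outcome on the request and resumes
/// the suspended ACL check. The resolved addresses are not used here;
/// presumably match() re-queries the ipcache once the check resumes.
/// @param details DNS lookup details recorded on the request
/// @param data the ACLChecklist handed to ipcache_nbgethostbyname()
void
DestinationIPLookup::LookupDone(const ipcache_addrs *, const Dns::LookupDetails &details, void *data)
{
    // named cast instead of C-style: data is the ACLChecklist* passed by checkForAsync()
    ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
    // set even when the lookup failed, so match() does not go async a second time
    checklist->request->flags.destinationIpLookedUp = true;
    checklist->request->recordLookup(details);
    checklist->resumeNonBlockingCheck(DestinationIPLookup::Instance());
}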
110 | ||
/// Polymorphic copy of this ACL; presumably the caller owns (and deletes)
/// the returned heap object.
ACL *
ACLDestinationIP::clone() const
{
    auto *const copy = new ACLDestinationIP(*this);
    return copy;
}