[thirdparty/squid.git] / src / acl / DestinationIp.cc

/*
 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/* DEBUG: section 28    Access Control */

#include "squid.h"
#include "acl/DestinationIp.h"
#include "acl/FilledChecklist.h"
#include "client_side.h"
#include "comm/Connection.h"
#include "HttpRequest.h"
#include "SquidConfig.h"

ACLFlag ACLDestinationIP::SupportedFlags[] = {ACL_F_NO_LOOKUP, ACL_F_END};

char const *
ACLDestinationIP::typeString() const
{
    return "dst";
}

int
ACLDestinationIP::match(ACLChecklist *cl)
{
    ACLFilledChecklist *checklist = Filled(cl);

    // if there is no HTTP request details fallback to the dst_addr
    if (!checklist->request)
        return ACLIP::match(checklist->dst_addr);

    // Bug 3243: CVE 2009-0801
    // Bypass of browser same-origin access control in intercepted communication
    // To resolve this we will force DIRECT and only to the original client destination.
    // In which case, we also need this ACL to accurately match the destination
    if (Config.onoff.client_dst_passthru && (checklist->request->flags.intercepted || checklist->request->flags.interceptTproxy)) {
        assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
        return ACLIP::match(checklist->conn()->clientConnection->local);
    }

    if (flags.isSet(ACL_F_NO_LOOKUP)) {
        if (!checklist->request->url.hostIsNumeric()) {
            debugs(28, 3, "No-lookup DNS ACL '" << AclMatchedName << "' for " << checklist->request->url.host());
            return 0;
        }

        if (ACLIP::match(checklist->request->url.hostIP()))
            return 1;
        return 0;
    }

    const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->url.host(), IP_LOOKUP_IF_MISS);

    if (ia) {
        /* Entry in cache found */

        for (int k = 0; k < (int) ia->count; ++k) {
            if (ACLIP::match(ia->in_addrs[k]))
                return 1;
        }

        return 0;
    } else if (!checklist->request->flags.destinationIpLookedUp) {
        /* No entry in cache, lookup not attempted */
        debugs(28, 3, "can't yet compare '" << name << "' ACL for " << checklist->request->url.host());
        if (checklist->goAsync(DestinationIPLookup::Instance()))
            return -1;
        // else fall through to mismatch, hiding the lookup failure (XXX)
    }

    return 0;
}

DestinationIPLookup DestinationIPLookup::instance_;

DestinationIPLookup *
DestinationIPLookup::Instance()
{
    return &instance_;
}

void
DestinationIPLookup::checkForAsync(ACLChecklist *cl)const
{
    ACLFilledChecklist *checklist = Filled(cl);
    ipcache_nbgethostbyname(checklist->request->url.host(), LookupDone, checklist);
}

void
DestinationIPLookup::LookupDone(const ipcache_addrs *, const Dns::LookupDetails &details, void *data)
{
    ACLFilledChecklist *checklist = Filled((ACLChecklist*)data);
    checklist->request->flags.destinationIpLookedUp = true;
    checklist->request->recordLookup(details);
    checklist->resumeNonBlockingCheck(DestinationIPLookup::Instance());
}

ACL *
ACLDestinationIP::clone() const
{
    return new ACLDestinationIP(*this);
}
Commit	Line	Data
8000a965	1	/*
ef57eb7b	2	* Copyright (C) 1996-2016 The Squid Software Foundation and contributors
8000a965	3	*
bbc27441 AJ	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
8000a965	7	*/
8000a965	8
bbc27441 AJ	9	/* DEBUG: section 28 Access Control */
bbc27441 AJ	10
582c2af2	11	#include "squid.h"
c0941a6a AR	12	#include "acl/DestinationIp.h"
c0941a6a AR	13	#include "acl/FilledChecklist.h"
582c2af2	14	#include "client_side.h"
bfe4e2fe	15	#include "comm/Connection.h"
a2ac85d9	16	#include "HttpRequest.h"
4d5904f7	17	#include "SquidConfig.h"
8000a965	18
33810b1d CT	19	ACLFlag ACLDestinationIP::SupportedFlags[] = {ACL_F_NO_LOOKUP, ACL_F_END};
33810b1d CT	20
8000a965	21	char const *
	22	ACLDestinationIP::typeString() const
	23	{
	24	return "dst";
	25	}
	26
	27	int
c0941a6a	28	ACLDestinationIP::match(ACLChecklist *cl)
8000a965	29	{
af6a12ee	30	ACLFilledChecklist *checklist = Filled(cl);
bfe4e2fe	31
a3c5c081 AJ	32	// if there is no HTTP request details fallback to the dst_addr
	33	if (!checklist->request)
	34	return ACLIP::match(checklist->dst_addr);
	35
bfe4e2fe AJ	36	// Bug 3243: CVE 2009-0801
	37	// Bypass of browser same-origin access control in intercepted communication
	38	// To resolve this we will force DIRECT and only to the original client destination.
	39	// In which case, we also need this ACL to accurately match the destination
0d901ef4	40	if (Config.onoff.client_dst_passthru && (checklist->request->flags.intercepted \|\| checklist->request->flags.interceptTproxy)) {
bfe4e2fe AJ	41	assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
	42	return ACLIP::match(checklist->conn()->clientConnection->local);
	43	}
	44
33810b1d	45	if (flags.isSet(ACL_F_NO_LOOKUP)) {
5c51bffb AJ	46	if (!checklist->request->url.hostIsNumeric()) {
5c51bffb AJ	47	debugs(28, 3, "No-lookup DNS ACL '" << AclMatchedName << "' for " << checklist->request->url.host());
33810b1d CT	48	return 0;
	49	}
	50
5c51bffb	51	if (ACLIP::match(checklist->request->url.hostIP()))
33810b1d CT	52	return 1;
	53	return 0;
	54	}
	55
5c51bffb	56	const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->url.host(), IP_LOOKUP_IF_MISS);
62e76326	57
8000a965	58	if (ia) {
62e76326	59	/* Entry in cache found */
62e76326	60
742a021b	61	for (int k = 0; k < (int) ia->count; ++k) {
62e76326	62	if (ACLIP::match(ia->in_addrs[k]))
	63	return 1;
	64	}
	65
	66	return 0;
450fe1cb	67	} else if (!checklist->request->flags.destinationIpLookedUp) {
62e76326	68	/* No entry in cache, lookup not attempted */
5c51bffb	69	debugs(28, 3, "can't yet compare '" << name << "' ACL for " << checklist->request->url.host());
6f58d7d7 AR	70	if (checklist->goAsync(DestinationIPLookup::Instance()))
	71	return -1;
	72	// else fall through to mismatch, hiding the lookup failure (XXX)
8000a965	73	}
6f58d7d7 AR	74
6f58d7d7 AR	75	return 0;
8000a965	76	}
	77
	78	DestinationIPLookup DestinationIPLookup::instance_;
	79
	80	DestinationIPLookup *
	81	DestinationIPLookup::Instance()
	82	{
	83	return &instance_;
	84	}
	85
	86	void
c0941a6a	87	DestinationIPLookup::checkForAsync(ACLChecklist *cl)const
8000a965	88	{
af6a12ee	89	ACLFilledChecklist *checklist = Filled(cl);
5c51bffb	90	ipcache_nbgethostbyname(checklist->request->url.host(), LookupDone, checklist);
8000a965	91	}
	92
	93	void
4a3b98d7	94	DestinationIPLookup::LookupDone(const ipcache_addrs , const Dns::LookupDetails &details, void data)
8000a965	95	{
3ff65596	96	ACLFilledChecklist checklist = Filled((ACLChecklist)data);
e857372a	97	checklist->request->flags.destinationIpLookedUp = true;
3ff65596	98	checklist->request->recordLookup(details);
6f58d7d7	99	checklist->resumeNonBlockingCheck(DestinationIPLookup::Instance());
8000a965	100	}
8000a965	101
8000a965	102	ACL *
	103	ACLDestinationIP::clone() const
	104	{
	105	return new ACLDestinationIP(*this);
	106	}
f53969cc	107