]>
git.ipfire.org Git - thirdparty/squid.git/blob - src/acl/DestinationIp.cc
2 * DEBUG: section 28 Access Control
3 * AUTHOR: Duane Wessels
5 * SQUID Web Proxy Cache http://www.squid-cache.org/
6 * ----------------------------------------------------------
8 * Squid is the result of efforts by numerous individuals from
9 * the Internet community; see the CONTRIBUTORS file for full
10 * details. Many organizations have provided support for Squid's
11 * development; see the SPONSORS file for full details. Squid is
12 * Copyrighted (C) 2001 by the Regents of the University of
13 * California; see the COPYRIGHT file for full details. Squid
14 * incorporates software developed and/or copyrighted by other
15 * sources; see the CREDITS file for full details.
17 * This program is free software; you can redistribute it and/or modify
18 * it under the terms of the GNU General Public License as published by
19 * the Free Software Foundation; either version 2 of the License, or
20 * (at your option) any later version.
22 * This program is distributed in the hope that it will be useful,
23 * but WITHOUT ANY WARRANTY; without even the implied warranty of
24 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25 * GNU General Public License for more details.
27 * You should have received a copy of the GNU General Public License
28 * along with this program; if not, write to the Free Software
29 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
31 * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
35 #include "acl/DestinationIp.h"
36 #include "acl/FilledChecklist.h"
37 #include "client_side.h"
38 #include "comm/Connection.h"
39 #include "HttpRequest.h"
40 #include "SquidConfig.h"
43 ACLDestinationIP::typeString() const
49 ACLDestinationIP::match(ACLChecklist
*cl
)
51 ACLFilledChecklist
*checklist
= Filled(cl
);
53 // Bug 3243: CVE 2009-0801
54 // Bypass of browser same-origin access control in intercepted communication
55 // To resolve this we will force DIRECT and only to the original client destination.
56 // In which case, we also need this ACL to accurately match the destination
57 if (Config
.onoff
.client_dst_passthru
&& (checklist
->request
->flags
.intercepted
|| checklist
->request
->flags
.spoofClientIp
)) {
58 assert(checklist
->conn() && checklist
->conn()->clientConnection
!= NULL
);
59 return ACLIP::match(checklist
->conn()->clientConnection
->local
);
62 const ipcache_addrs
*ia
= ipcache_gethostbyname(checklist
->request
->GetHost(), IP_LOOKUP_IF_MISS
);
65 /* Entry in cache found */
67 for (int k
= 0; k
< (int) ia
->count
; ++k
) {
68 if (ACLIP::match(ia
->in_addrs
[k
]))
73 } else if (!checklist
->request
->flags
.destinationIpLookedUp
) {
74 /* No entry in cache, lookup not attempted */
75 debugs(28, 3, "aclMatchAcl: Can't yet compare '" << name
<< "' ACL for '" << checklist
->request
->GetHost() << "'");
76 checklist
->changeState (DestinationIPLookup::Instance());
83 DestinationIPLookup
DestinationIPLookup::instance_
;
86 DestinationIPLookup::Instance()
92 DestinationIPLookup::checkForAsync(ACLChecklist
*cl
)const
94 ACLFilledChecklist
*checklist
= Filled(cl
);
95 checklist
->asyncInProgress(true);
96 ipcache_nbgethostbyname(checklist
->request
->GetHost(), LookupDone
, checklist
);
100 DestinationIPLookup::LookupDone(const ipcache_addrs
*, const DnsLookupDetails
&details
, void *data
)
102 ACLFilledChecklist
*checklist
= Filled((ACLChecklist
*)data
);
103 assert (checklist
->asyncState() == DestinationIPLookup::Instance());
104 checklist
->request
->flags
.destinationIpLookedUp
=true;
105 checklist
->request
->recordLookup(details
);
106 checklist
->asyncInProgress(false);
107 checklist
->changeState (ACLChecklist::NullState::Instance());
108 checklist
->matchNonBlocking();
112 ACLDestinationIP::clone() const
114 return new ACLDestinationIP(*this);