src/acl/DestinationIp.cc

   1 /*
   2  * DEBUG: section 28    Access Control
   3  * AUTHOR: Duane Wessels
   4  *
   5  * SQUID Web Proxy Cache          http://www.squid-cache.org/
   6  * ----------------------------------------------------------
   7  *
   8  *  Squid is the result of efforts by numerous individuals from
   9  *  the Internet community; see the CONTRIBUTORS file for full
  10  *  details.   Many organizations have provided support for Squid's
  11  *  development; see the SPONSORS file for full details.  Squid is
  12  *  Copyrighted (C) 2001 by the Regents of the University of
  13  *  California; see the COPYRIGHT file for full details.  Squid
  14  *  incorporates software developed and/or copyrighted by other
  15  *  sources; see the CREDITS file for full details.
  16  *
  17  *  This program is free software; you can redistribute it and/or modify
  18  *  it under the terms of the GNU General Public License as published by
  19  *  the Free Software Foundation; either version 2 of the License, or
  20  *  (at your option) any later version.
  21  *
  22  *  This program is distributed in the hope that it will be useful,
  23  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  24  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  25  *  GNU General Public License for more details.
  26  *
  27  *  You should have received a copy of the GNU General Public License
  28  *  along with this program; if not, write to the Free Software
  29  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  30  *
  31  * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
  32  */
  33
  34 #include "squid.h"
  35 #include "acl/DestinationIp.h"
  36 #include "acl/FilledChecklist.h"
  37 #include "client_side.h"
  38 #include "comm/Connection.h"
  39 #include "HttpRequest.h"
  40 #include "SquidConfig.h"
  41
  42 ACLFlag ACLDestinationIP::SupportedFlags[] = {ACL_F_NO_LOOKUP, ACL_F_END};
  43
  44 char const *
  45 ACLDestinationIP::typeString() const
  46 {
  47     return "dst";
  48 }
  49
  50 int
  51 ACLDestinationIP::match(ACLChecklist *cl)
  52 {
  53     ACLFilledChecklist *checklist = Filled(cl);
  54
  55     // Bug 3243: CVE 2009-0801
  56     // Bypass of browser same-origin access control in intercepted communication
  57     // To resolve this we will force DIRECT and only to the original client destination.
  58     // In which case, we also need this ACL to accurately match the destination
  59     if (Config.onoff.client_dst_passthru && (checklist->request->flags.intercepted || checklist->request->flags.interceptTproxy)) {
  60         assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
  61         return ACLIP::match(checklist->conn()->clientConnection->local);
  62     }
  63
  64     if (flags.isSet(ACL_F_NO_LOOKUP)) {
  65         if (!checklist->request->GetHostIsNumeric()) {
  66             debugs(28, 3, "aclMatchAcl:  No-lookup DNS ACL '" << AclMatchedName << "' for '" << checklist->request->GetHost() << "'");
  67             return 0;
  68         }
  69
  70         if (ACLIP::match(checklist->request->host_addr))
  71             return 1;
  72         return 0;
  73     }
  74
  75     const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->GetHost(), IP_LOOKUP_IF_MISS);
  76
  77     if (ia) {
  78         /* Entry in cache found */
  79
  80         for (int k = 0; k < (int) ia->count; ++k) {
  81             if (ACLIP::match(ia->in_addrs[k]))
  82                 return 1;
  83         }
  84
  85         return 0;
  86     } else if (!checklist->request->flags.destinationIpLookedUp) {
  87         /* No entry in cache, lookup not attempted */
  88         debugs(28, 3, "aclMatchAcl: Can't yet compare '" << name << "' ACL for '" << checklist->request->GetHost() << "'");
  89         if (checklist->goAsync(DestinationIPLookup::Instance()))
  90             return -1;
  91         // else fall through to mismatch, hiding the lookup failure (XXX)
  92     }
  93
  94     return 0;
  95 }
  96
  97 DestinationIPLookup DestinationIPLookup::instance_;
  98
  99 DestinationIPLookup *
 100 DestinationIPLookup::Instance()
 101 {
 102     return &instance_;
 103 }
 104
 105 void
 106 DestinationIPLookup::checkForAsync(ACLChecklist *cl)const
 107 {
 108     ACLFilledChecklist *checklist = Filled(cl);
 109     ipcache_nbgethostbyname(checklist->request->GetHost(), LookupDone, checklist);
 110 }
 111
 112 void
 113 DestinationIPLookup::LookupDone(const ipcache_addrs *, const DnsLookupDetails &details, void *data)
 114 {
 115     ACLFilledChecklist *checklist = Filled((ACLChecklist*)data);
 116     checklist->request->flags.destinationIpLookedUp = true;
 117     checklist->request->recordLookup(details);
 118     checklist->resumeNonBlockingCheck(DestinationIPLookup::Instance());
 119 }
 120
 121 ACL *
 122 ACLDestinationIP::clone() const
 123 {
 124     return new ACLDestinationIP(*this);
 125 }