/*
 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */
9 /* DEBUG: section 28 Access Control */
12 #include "acl/DestinationIp.h"
13 #include "acl/FilledChecklist.h"
14 #include "client_side.h"
15 #include "comm/Connection.h"
16 #include "HttpRequest.h"
17 #include "SquidConfig.h"
19 ACLFlag
ACLDestinationIP::SupportedFlags
[] = {ACL_F_NO_LOOKUP
, ACL_F_END
};
22 ACLDestinationIP::typeString() const
28 ACLDestinationIP::match(ACLChecklist
*cl
)
30 ACLFilledChecklist
*checklist
= Filled(cl
);
32 // if there is no HTTP request details fallback to the dst_addr
33 if (!checklist
->request
)
34 return ACLIP::match(checklist
->dst_addr
);
36 // Bug 3243: CVE 2009-0801
37 // Bypass of browser same-origin access control in intercepted communication
38 // To resolve this we will force DIRECT and only to the original client destination.
39 // In which case, we also need this ACL to accurately match the destination
40 if (Config
.onoff
.client_dst_passthru
&& (checklist
->request
->flags
.intercepted
|| checklist
->request
->flags
.interceptTproxy
)) {
41 assert(checklist
->conn() && checklist
->conn()->clientConnection
!= NULL
);
42 return ACLIP::match(checklist
->conn()->clientConnection
->local
);
45 if (flags
.isSet(ACL_F_NO_LOOKUP
)) {
46 if (!checklist
->request
->GetHostIsNumeric()) {
47 debugs(28, 3, "aclMatchAcl: No-lookup DNS ACL '" << AclMatchedName
<< "' for '" << checklist
->request
->GetHost() << "'");
51 if (ACLIP::match(checklist
->request
->host_addr
))
56 const ipcache_addrs
*ia
= ipcache_gethostbyname(checklist
->request
->GetHost(), IP_LOOKUP_IF_MISS
);
59 /* Entry in cache found */
61 for (int k
= 0; k
< (int) ia
->count
; ++k
) {
62 if (ACLIP::match(ia
->in_addrs
[k
]))
67 } else if (!checklist
->request
->flags
.destinationIpLookedUp
) {
68 /* No entry in cache, lookup not attempted */
69 debugs(28, 3, "aclMatchAcl: Can't yet compare '" << name
<< "' ACL for '" << checklist
->request
->GetHost() << "'");
70 if (checklist
->goAsync(DestinationIPLookup::Instance()))
72 // else fall through to mismatch, hiding the lookup failure (XXX)
78 DestinationIPLookup
DestinationIPLookup::instance_
;
81 DestinationIPLookup::Instance()
87 DestinationIPLookup::checkForAsync(ACLChecklist
*cl
)const
89 ACLFilledChecklist
*checklist
= Filled(cl
);
90 ipcache_nbgethostbyname(checklist
->request
->GetHost(), LookupDone
, checklist
);
94 DestinationIPLookup::LookupDone(const ipcache_addrs
*, const DnsLookupDetails
&details
, void *data
)
96 ACLFilledChecklist
*checklist
= Filled((ACLChecklist
*)data
);
97 checklist
->request
->flags
.destinationIpLookedUp
= true;
98 checklist
->request
->recordLookup(details
);
99 checklist
->resumeNonBlockingCheck(DestinationIPLookup::Instance());
103 ACLDestinationIP::clone() const
105 return new ACLDestinationIP(*this);