]>
git.ipfire.org Git - thirdparty/squid.git/blob - src/acl/DestinationIp.cc
4 * DEBUG: section 28 Access Control
5 * AUTHOR: Duane Wessels
7 * SQUID Web Proxy Cache http://www.squid-cache.org/
8 * ----------------------------------------------------------
10 * Squid is the result of efforts by numerous individuals from
11 * the Internet community; see the CONTRIBUTORS file for full
12 * details. Many organizations have provided support for Squid's
13 * development; see the SPONSORS file for full details. Squid is
14 * Copyrighted (C) 2001 by the Regents of the University of
15 * California; see the COPYRIGHT file for full details. Squid
16 * incorporates software developed and/or copyrighted by other
17 * sources; see the CREDITS file for full details.
19 * This program is free software; you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation; either version 2 of the License, or
22 * (at your option) any later version.
24 * This program is distributed in the hope that it will be useful,
25 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 * GNU General Public License for more details.
29 * You should have received a copy of the GNU General Public License
30 * along with this program; if not, write to the Free Software
31 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
33 * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
37 #include "acl/DestinationIp.h"
38 #include "acl/FilledChecklist.h"
39 #include "client_side.h"
40 #include "comm/Connection.h"
41 #include "HttpRequest.h"
45 ACLDestinationIP::typeString() const
51 ACLDestinationIP::match(ACLChecklist
*cl
)
53 ACLFilledChecklist
*checklist
= Filled(cl
);
55 // Bug 3243: CVE 2009-0801
56 // Bypass of browser same-origin access control in intercepted communication
57 // To resolve this we will force DIRECT and only to the original client destination.
58 // In which case, we also need this ACL to accurately match the destination
59 if (Config
.onoff
.client_dst_passthru
&& checklist
->request
&&
60 (checklist
->request
->flags
.intercepted
|| checklist
->request
->flags
.spoof_client_ip
)) {
61 assert(checklist
->conn() && checklist
->conn()->clientConnection
!= NULL
);
62 return ACLIP::match(checklist
->conn()->clientConnection
->local
);
65 const ipcache_addrs
*ia
= ipcache_gethostbyname(checklist
->request
->GetHost(), IP_LOOKUP_IF_MISS
);
68 /* Entry in cache found */
70 for (int k
= 0; k
< (int) ia
->count
; ++k
) {
71 if (ACLIP::match(ia
->in_addrs
[k
]))
76 } else if (!checklist
->request
->flags
.destinationIPLookedUp()) {
77 /* No entry in cache, lookup not attempted */
78 debugs(28, 3, "aclMatchAcl: Can't yet compare '" << name
<< "' ACL for '" << checklist
->request
->GetHost() << "'");
79 checklist
->changeState (DestinationIPLookup::Instance());
86 DestinationIPLookup
DestinationIPLookup::instance_
;
89 DestinationIPLookup::Instance()
95 DestinationIPLookup::checkForAsync(ACLChecklist
*cl
)const
97 ACLFilledChecklist
*checklist
= Filled(cl
);
98 checklist
->asyncInProgress(true);
99 ipcache_nbgethostbyname(checklist
->request
->GetHost(), LookupDone
, checklist
);
103 DestinationIPLookup::LookupDone(const ipcache_addrs
*, const DnsLookupDetails
&details
, void *data
)
105 ACLFilledChecklist
*checklist
= Filled((ACLChecklist
*)data
);
106 assert (checklist
->asyncState() == DestinationIPLookup::Instance());
107 checklist
->request
->flags
.destinationIPLookupCompleted();
108 checklist
->request
->recordLookup(details
);
109 checklist
->asyncInProgress(false);
110 checklist
->changeState (ACLChecklist::NullState::Instance());
111 checklist
->matchNonBlocking();
115 ACLDestinationIP::clone() const
117 return new ACLDestinationIP(*this);