2 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 28 Access Control */
12 #include "acl/DestinationIp.h"
13 #include "acl/FilledChecklist.h"
14 #include "client_side.h"
15 #include "comm/Connection.h"
16 #include "HttpRequest.h"
17 #include "SquidConfig.h"
// Flags this ACL type declares as supported. ACL_F_NO_LOOKUP is the one
// match() tests to decide whether the request host may be resolved through
// DNS; ACL_F_END presumably terminates the list (confirm in the ACLFlag
// declaration, which is not part of this listing).
19 ACLFlag ACLDestinationIP::SupportedFlags[] = {ACL_F_NO_LOOKUP, ACL_F_END};
// Presumably returns the configuration keyword for this ACL type.
// NOTE(review): only the signature line survives in this listing; the return
// type and body (source lines 20-21 and 23-27 are absent) must be read from
// the upstream file.
22 ACLDestinationIP::typeString() const
// Destination-IP ACL check: tests an address taken from the current request
// (or from the client connection, for intercepted traffic) against this ACL's
// address set via ACLIP::match().
//
// NOTE(review): this copy of the function is incomplete. The gutter numbers
// have gaps (for example 43 -> 47, 58 -> 63 and 66 -> 68), so the return type,
// the closing braces and the statements that follow most of the tests
// (presumably the return values) are not shown. Do not read control flow or
// result codes off this listing; verify them against the upstream file.
28 ACLDestinationIP::match(ACLChecklist *cl)
// Filled() converts the generic checklist pointer to the filled variant that
// exposes request and conn(). Every path below dereferences
// checklist->request without a null test - assumes callers guarantee a
// request is attached; TODO confirm.
30 ACLFilledChecklist *checklist = Filled(cl);
32 // Bug 3243: CVE-2009-0801
33 // Bypass of browser same-origin access control in intercepted communication
34 // To resolve this we will force DIRECT and only to the original client destination.
35 // In which case, we also need this ACL to accurately match the destination
//
// Security-relevant path: when client_dst_passthru is on and the request was
// intercepted (NAT or TPROXY flag set), the ACL is evaluated against the local
// address of the client connection - what the comment above calls the
// original client destination - and the result is returned before any of the
// host-name based code below runs. The request's host value therefore plays
// no part in the decision on this path.
36 if (Config.onoff.client_dst_passthru && (checklist->request->flags.intercepted || checklist->request->flags.interceptTproxy)) {
// The connection pointers are guarded only by assert().
// NOTE(review): if assert() can be compiled out in some build of this project,
// line 38 dereferences them unchecked - confirm how assert is defined here.
37 assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
38 return ACLIP::match(checklist->conn()->clientConnection->local);
// No-lookup mode: when the ACL carries ACL_F_NO_LOOKUP, a host that is not a
// numeric address is logged (section 28, level 3); a numeric host is matched
// through request->host_addr. The statements that end each of these branches
// (source lines 44-46 and 48-51) are not shown.
41 if (flags.isSet(ACL_F_NO_LOOKUP)) {
42 if (!checklist->request->GetHostIsNumeric()) {
43 debugs(28, 3, "aclMatchAcl: No-lookup DNS ACL '" << AclMatchedName << "' for '" << checklist->request->GetHost() << "'");
47 if (ACLIP::match(checklist->request->host_addr))
// Name-based path: ask the IP cache for the addresses of the request host.
// NOTE(review): the addresses compared below are whatever the cache holds for
// that name at the time of the check. Nothing in this function ties the
// address that matched to the address later used for the outbound connection,
// so policy built on this ACL should not assume they are the same - confirm
// how the forwarding code selects its destination.
52 const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->GetHost(), IP_LOOKUP_IF_MISS);
55 /* Entry in cache found */
// Every cached address is tested in turn. The statement under the inner `if`
// (source line 59) is not shown; presumably the first hit ends the search,
// which would make the ACL match when any one of the host's addresses is in
// the set.
// NOTE(review): ia->count is narrowed with a C-style cast to int; its declared
// type is not visible in this listing.
57 for (int k = 0; k < (int) ia->count; ++k) {
58 if (ACLIP::match(ia->in_addrs[k]))
// Cache miss and no lookup attempted yet for this request: the
// destinationIpLookedUp flag (set in DestinationIPLookup::LookupDone) keeps
// this branch from being taken again after the asynchronous lookup has
// completed.
63 } else if (!checklist->request->flags.destinationIpLookedUp) {
64 /* No entry in cache, lookup not attempted */
65 debugs(28, 3, "aclMatchAcl: Can't yet compare '" << name << "' ACL for '" << checklist->request->GetHost() << "'");
// goAsync() is asked to start the lookup; the statement executed when it
// succeeds (source line 67) is not shown.
66 if (checklist->goAsync(DestinationIPLookup::Instance()))
// Per the XXX note below, a lookup that could not be started or that failed
// ends as a plain mismatch: the ACL does not distinguish "address not in the
// set" from "host could not be resolved". A deny rule keyed on this ACL
// therefore does not fire for an unresolvable host; that case needs a rule
// that does not depend on DNS.
68 // else fall through to mismatch, hiding the lookup failure (XXX)
// Definition of the static member DestinationIPLookup::instance_, a single
// default-constructed DestinationIPLookup object.
74 DestinationIPLookup DestinationIPLookup::instance_;
// Accessor used by match() and LookupDone() to name the lookup state object;
// presumably hands out instance_.
// NOTE(review): the return type and body (source lines 75-76 and 78-82 are
// absent) are not part of this listing.
77 DestinationIPLookup::Instance()
// Starts the DNS lookup for the request host (the "nb" in
// ipcache_nbgethostbyname presumably means non-blocking). LookupDone is
// registered as the completion callback and the filled checklist pointer is
// passed through as its opaque data argument.
// NOTE(review): a raw checklist pointer is handed to a deferred callback.
// Nothing visible here keeps the checklist alive or detects its destruction
// before the callback runs - presumably the ipcache/callback layer validates
// the pointer; confirm. The return type and braces are absent from this
// listing.
83 DestinationIPLookup::checkForAsync(ACLChecklist *cl)const
85 ACLFilledChecklist *checklist = Filled(cl);
86 ipcache_nbgethostbyname(checklist->request->GetHost(), LookupDone, checklist);
// DNS completion callback registered by checkForAsync(). The resolved address
// list (first parameter, unnamed) is ignored here: the callback only marks the
// request as looked-up, records the lookup details on the request and resumes
// the suspended ACL check.
//
// NOTE(review): `data` is cast from void* with an unchecked C-style cast, so
// type safety depends on checkForAsync() being the only place that registers
// this callback. checkForAsync() passes an ACLFilledChecklist*, while the cast
// here names ACLChecklist*; that round trip through void* is only
// well-defined if both pointers share the same address - confirm against the
// class declarations, which are not visible here. The return type and braces
// are absent from this listing.
90 DestinationIPLookup::LookupDone(const ipcache_addrs *, const DnsLookupDetails &details, void *data)
92 ACLFilledChecklist *checklist = Filled((ACLChecklist *)data);
// Set unconditionally, whether or not the lookup produced addresses; match()
// tests this flag before starting another lookup for the same request.
93 checklist->request->flags.destinationIpLookedUp = true;
94 checklist->request->recordLookup(details);
95 checklist->resumeNonBlockingCheck(DestinationIPLookup::Instance());
// Returns a heap-allocated copy of this ACL made with the copy constructor.
// The result is a raw owning pointer; nothing in this listing shows who
// deletes it. The return type and braces (source lines 96-98, 100 and 102 are
// absent) are not shown.
99 ACLDestinationIP::clone() const
101 return new ACLDestinationIP(*this);