]> git.ipfire.org Git - thirdparty/squid.git/blob - src/errorpage.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Prevent %O use by deny_info leading to header smuggling
[thirdparty/squid.git] / src / errorpage.cc
1 /*
2 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 /* DEBUG: section 04 Error Generation */
10
11 #include "squid.h"
12 #include "cache_cf.h"
13 #include "clients/forward.h"
14 #include "comm/Connection.h"
15 #include "comm/Write.h"
16 #include "err_detail_type.h"
17 #include "errorpage.h"
18 #include "fde.h"
19 #include "fs_io.h"
20 #include "html_quote.h"
21 #include "HttpHeaderTools.h"
22 #include "HttpReply.h"
23 #include "HttpRequest.h"
24 #include "MemBuf.h"
25 #include "MemObject.h"
26 #include "rfc1738.h"
27 #include "SquidConfig.h"
28 #include "Store.h"
29 #include "tools.h"
30 #include "URL.h"
31 #include "wordlist.h"
32 #if USE_AUTH
33 #include "auth/UserRequest.h"
34 #endif
35 #include "SquidTime.h"
36 #if USE_OPENSSL
37 #include "ssl/ErrorDetailManager.h"
38 #endif
39
40 /**
41 \defgroup ErrorPageInternal Error Page Internals
42 \ingroup ErrorPageAPI
43 *
44 \section Abstract Abstract:
45 * These routines are used to generate error messages to be
46 * sent to clients. The error type is used to select between
47 * the various message formats. (formats are stored in the
48 * Config.errorDirectory)
49 */
50
51 #if !defined(DEFAULT_SQUID_ERROR_DIR)
52 /** Where to look for errors if config path fails.
53 \note Please use ./configure --datadir=/path instead of patching
54 */
55 #define DEFAULT_SQUID_ERROR_DIR DEFAULT_SQUID_DATA_DIR"/errors"
56 #endif
57
58 /// \ingroup ErrorPageInternal
59 CBDATA_CLASS_INIT(ErrorState);
60
61 /* local types */
62
63 /// \ingroup ErrorPageInternal
64 typedef struct {
65 int id;
66 char *page_name;
67 Http::StatusCode page_redirect;
68 } ErrorDynamicPageInfo;
69
70 /* local constant and vars */
71
72 /**
73 \ingroup ErrorPageInternal
74 *
75 \note hard coded error messages are not appended with %S
76 * automagically to give you more control on the format
77 */
78 static const struct {
79 int type; /* and page_id */
80 const char *text;
81 }
82
83 error_hard_text[] = {
84
85 {
86 ERR_SQUID_SIGNATURE,
87 "\n<br>\n"
88 "<hr>\n"
89 "<div id=\"footer\">\n"
90 "Generated %T by %h (%s)\n"
91 "</div>\n"
92 "</body></html>\n"
93 },
94 {
95 TCP_RESET,
96 "reset"
97 }
98 };
99
100 /// \ingroup ErrorPageInternal
101 static std::vector<ErrorDynamicPageInfo *> ErrorDynamicPages;
102
103 /* local prototypes */
104
105 /// \ingroup ErrorPageInternal
106 static const int error_hard_text_count = sizeof(error_hard_text) / sizeof(*error_hard_text);
107
108 /// \ingroup ErrorPageInternal
109 static char **error_text = NULL;
110
111 /// \ingroup ErrorPageInternal
112 static int error_page_count = 0;
113
114 /// \ingroup ErrorPageInternal
115 static MemBuf error_stylesheet;
116
117 static const char *errorFindHardText(err_type type);
118 static ErrorDynamicPageInfo *errorDynamicPageInfoCreate(int id, const char *page_name);
119 static void errorDynamicPageInfoDestroy(ErrorDynamicPageInfo * info);
120 static IOCB errorSendComplete;
121
122 /// \ingroup ErrorPageInternal
123 /// manages an error page template
124 class ErrorPageFile: public TemplateFile
125 {
126 public:
127 ErrorPageFile(const char *name, const err_type code) : TemplateFile(name,code) {textBuf.init();}
128
129 /// The template text data read from disk
130 const char *text() { return textBuf.content(); }
131
132 private:
133 /// stores the data read from disk to a local buffer
134 virtual bool parse(const char *buf, int len, bool) {
135 if (len)
136 textBuf.append(buf, len);
137 return true;
138 }
139
140 MemBuf textBuf; ///< A buffer to store the error page
141 };
142
143 /// \ingroup ErrorPageInternal
144 err_type &operator++ (err_type &anErr)
145 {
146 int tmp = (int)anErr;
147 anErr = (err_type)(++tmp);
148 return anErr;
149 }
150
151 /// \ingroup ErrorPageInternal
152 int operator - (err_type const &anErr, err_type const &anErr2)
153 {
154 return (int)anErr - (int)anErr2;
155 }
156
157 void
158 errorInitialize(void)
159 {
160 err_type i;
161 const char *text;
162 error_page_count = ERR_MAX + ErrorDynamicPages.size();
163 error_text = static_cast<char **>(xcalloc(error_page_count, sizeof(char *)));
164
165 for (i = ERR_NONE, ++i; i < error_page_count; ++i) {
166 safe_free(error_text[i]);
167
168 if ((text = errorFindHardText(i))) {
169 /**\par
170 * Index any hard-coded error text into defaults.
171 */
172 error_text[i] = xstrdup(text);
173
174 } else if (i < ERR_MAX) {
175 /**\par
176 * Index precompiled fixed template files from one of two sources:
177 * (a) default language translation directory (error_default_language)
178 * (b) admin specified custom directory (error_directory)
179 */
180 ErrorPageFile errTmpl(err_type_str[i], i);
181 error_text[i] = errTmpl.loadDefault() ? xstrdup(errTmpl.text()) : NULL;
182 } else {
183 /** \par
184 * Index any unknown file names used by deny_info.
185 */
186 ErrorDynamicPageInfo *info = ErrorDynamicPages.at(i - ERR_MAX);
187 assert(info && info->id == i && info->page_name);
188
189 const char *pg = info->page_name;
190 if (info->page_redirect != Http::scNone)
191 pg = info->page_name +4;
192
193 if (strchr(pg, ':') == NULL) {
194 /** But only if they are not redirection URL. */
195 ErrorPageFile errTmpl(pg, ERR_MAX);
196 error_text[i] = errTmpl.loadDefault() ? xstrdup(errTmpl.text()) : NULL;
197 }
198 }
199 }
200
201 error_stylesheet.reset();
202
203 // look for and load stylesheet into global MemBuf for it.
204 if (Config.errorStylesheet) {
205 ErrorPageFile tmpl("StylesSheet", ERR_MAX);
206 tmpl.loadFromFile(Config.errorStylesheet);
207 error_stylesheet.appendf("%s",tmpl.text());
208 }
209
210 #if USE_OPENSSL
211 Ssl::errorDetailInitialize();
212 #endif
213 }
214
215 void
216 errorClean(void)
217 {
218 if (error_text) {
219 int i;
220
221 for (i = ERR_NONE + 1; i < error_page_count; ++i)
222 safe_free(error_text[i]);
223
224 safe_free(error_text);
225 }
226
227 while (!ErrorDynamicPages.empty()) {
228 errorDynamicPageInfoDestroy(ErrorDynamicPages.back());
229 ErrorDynamicPages.pop_back();
230 }
231
232 error_page_count = 0;
233
234 #if USE_OPENSSL
235 Ssl::errorDetailClean();
236 #endif
237 }
238
239 /// \ingroup ErrorPageInternal
240 static const char *
241 errorFindHardText(err_type type)
242 {
243 int i;
244
245 for (i = 0; i < error_hard_text_count; ++i)
246 if (error_hard_text[i].type == type)
247 return error_hard_text[i].text;
248
249 return NULL;
250 }
251
252 TemplateFile::TemplateFile(const char *name, const err_type code): silent(false), wasLoaded(false), templateName(name), templateCode(code)
253 {
254 assert(name);
255 }
256
257 bool
258 TemplateFile::loadDefault()
259 {
260 if (loaded()) // already loaded?
261 return true;
262
263 /** test error_directory configured location */
264 if (Config.errorDirectory) {
265 char path[MAXPATHLEN];
266 snprintf(path, sizeof(path), "%s/%s", Config.errorDirectory, templateName.termedBuf());
267 loadFromFile(path);
268 }
269
270 #if USE_ERR_LOCALES
271 /** test error_default_language location */
272 if (!loaded() && Config.errorDefaultLanguage) {
273 if (!tryLoadTemplate(Config.errorDefaultLanguage)) {
274 debugs(1, (templateCode < TCP_RESET ? DBG_CRITICAL : 3), "Unable to load default error language files. Reset to backups.");
275 }
276 }
277 #endif
278
279 /* test default location if failed (templates == English translation base templates) */
280 if (!loaded()) {
281 tryLoadTemplate("templates");
282 }
283
284 /* giving up if failed */
285 if (!loaded()) {
286 debugs(1, (templateCode < TCP_RESET ? DBG_CRITICAL : 3), "WARNING: failed to find or read error text file " << templateName);
287 parse("Internal Error: Missing Template ", 33, '\0');
288 parse(templateName.termedBuf(), templateName.size(), '\0');
289 }
290
291 return true;
292 }
293
294 bool
295 TemplateFile::tryLoadTemplate(const char *lang)
296 {
297 assert(lang);
298
299 char path[MAXPATHLEN];
300 /* TODO: prep the directory path string to prevent snprintf ... */
301 snprintf(path, sizeof(path), "%s/%s/%s",
302 DEFAULT_SQUID_ERROR_DIR, lang, templateName.termedBuf());
303 path[MAXPATHLEN-1] = '\0';
304
305 if (loadFromFile(path))
306 return true;
307
308 #if HAVE_GLOB
309 if ( strlen(lang) == 2) {
310 /* TODO glob the error directory for sub-dirs matching: <tag> '-*' */
311 /* use first result. */
312 debugs(4,2, HERE << "wildcard fallback errors not coded yet.");
313 }
314 #endif
315
316 return false;
317 }
318
319 bool
320 TemplateFile::loadFromFile(const char *path)
321 {
322 int fd;
323 char buf[4096];
324 ssize_t len;
325
326 if (loaded()) // already loaded?
327 return true;
328
329 fd = file_open(path, O_RDONLY | O_TEXT);
330
331 if (fd < 0) {
332 /* with dynamic locale negotiation we may see some failures before a success. */
333 if (!silent && templateCode < TCP_RESET) {
334 int xerrno = errno;
335 debugs(4, DBG_CRITICAL, MYNAME << "'" << path << "': " << xstrerr(xerrno));
336 }
337 wasLoaded = false;
338 return wasLoaded;
339 }
340
341 while ((len = FD_READ_METHOD(fd, buf, sizeof(buf))) > 0) {
342 if (!parse(buf, len, false)) {
343 debugs(4, DBG_CRITICAL, MYNAME << "parse error while reading template file: " << path);
344 wasLoaded = false;
345 return wasLoaded;
346 }
347 }
348 parse(buf, 0, true);
349
350 if (len < 0) {
351 int xerrno = errno;
352 debugs(4, DBG_CRITICAL, MYNAME << "ERROR: failed to fully read: '" << path << "': " << xstrerr(xerrno));
353 }
354
355 file_close(fd);
356
357 wasLoaded = true;
358 return wasLoaded;
359 }
360
361 bool strHdrAcptLangGetItem(const String &hdr, char *lang, int langLen, size_t &pos)
362 {
363 while (pos < hdr.size()) {
364 char *dt = lang;
365
366 /* skip any initial whitespace. */
367 while (pos < hdr.size() && xisspace(hdr[pos]))
368 ++pos;
369
370 /*
371 * Header value format:
372 * - sequence of whitespace delimited tags
373 * - each tag may suffix with ';'.* which we can ignore.
374 * - IFF a tag contains only two characters we can wildcard ANY translations matching: <it> '-'? .*
375 * with preference given to an exact match.
376 */
377 bool invalid_byte = false;
378 while (pos < hdr.size() && hdr[pos] != ';' && hdr[pos] != ',' && !xisspace(hdr[pos]) && dt < (lang + (langLen -1)) ) {
379 if (!invalid_byte) {
380 #if USE_HTTP_VIOLATIONS
381 // if accepting violations we may as well accept some broken browsers
382 // which may send us the right code, wrong ISO formatting.
383 if (hdr[pos] == '_')
384 *dt = '-';
385 else
386 #endif
387 *dt = xtolower(hdr[pos]);
388 // valid codes only contain A-Z, hyphen (-) and *
389 if (*dt != '-' && *dt != '*' && (*dt < 'a' || *dt > 'z') )
390 invalid_byte = true;
391 else
392 ++dt; // move to next destination byte.
393 }
394 ++pos;
395 }
396 *dt = '\0'; // nul-terminated the filename content string before system use.
397 ++dt;
398
399 // if we terminated the tag on garbage or ';' we need to skip to the next ',' or end of header.
400 while (pos < hdr.size() && hdr[pos] != ',')
401 ++pos;
402
403 if (pos < hdr.size() && hdr[pos] == ',')
404 ++pos;
405
406 debugs(4, 9, HERE << "STATE: dt='" << dt << "', lang='" << lang << "', pos=" << pos << ", buf='" << ((pos < hdr.size()) ? hdr.substr(pos,hdr.size()) : "") << "'");
407
408 /* if we found anything we might use, try it. */
409 if (*lang != '\0' && !invalid_byte)
410 return true;
411 }
412 return false;
413 }
414
415 bool
416 TemplateFile::loadFor(const HttpRequest *request)
417 {
418 String hdr;
419
420 #if USE_ERR_LOCALES
421 if (loaded()) // already loaded?
422 return true;
423
424 if (!request || !request->header.getList(Http::HdrType::ACCEPT_LANGUAGE, &hdr) )
425 return false;
426
427 char lang[256];
428 size_t pos = 0; // current parsing position in header string
429
430 debugs(4, 6, HERE << "Testing Header: '" << hdr << "'");
431
432 while ( strHdrAcptLangGetItem(hdr, lang, 256, pos) ) {
433
434 /* wildcard uses the configured default language */
435 if (lang[0] == '*' && lang[1] == '\0') {
436 debugs(4, 6, HERE << "Found language '" << lang << "'. Using configured default.");
437 return false;
438 }
439
440 debugs(4, 6, HERE << "Found language '" << lang << "', testing for available template");
441
442 if (tryLoadTemplate(lang)) {
443 /* store the language we found for the Content-Language reply header */
444 errLanguage = lang;
445 break;
446 } else if (Config.errorLogMissingLanguages) {
447 debugs(4, DBG_IMPORTANT, "WARNING: Error Pages Missing Language: " << lang);
448 }
449 }
450 #endif
451
452 return loaded();
453 }
454
455 /// \ingroup ErrorPageInternal
456 static ErrorDynamicPageInfo *
457 errorDynamicPageInfoCreate(int id, const char *page_name)
458 {
459 ErrorDynamicPageInfo *info = new ErrorDynamicPageInfo;
460 info->id = id;
461 info->page_name = xstrdup(page_name);
462 info->page_redirect = static_cast<Http::StatusCode>(atoi(page_name));
463
464 /* WARNING on redirection status:
465 * 2xx are permitted, but not documented officially.
466 * - might be useful for serving static files (PAC etc) in special cases
467 * 3xx require a URL suitable for Location: header.
468 * - the current design does not allow for a Location: URI as well as a local file template
469 * although this possibility is explicitly permitted in the specs.
470 * 4xx-5xx require a local file template.
471 * - sending Location: on these codes with no body is invalid by the specs.
472 * - current result is Squid crashing or XSS problems as dynamic deny_info load random disk files.
473 * - a future redesign of the file loading may result in loading remote objects sent inline as local body.
474 */
475 if (info->page_redirect == Http::scNone)
476 ; // special case okay.
477 else if (info->page_redirect < 200 || info->page_redirect > 599) {
478 // out of range
479 debugs(0, DBG_CRITICAL, "FATAL: status " << info->page_redirect << " is not valid on '" << page_name << "'");
480 self_destruct();
481 } else if ( /* >= 200 && */ info->page_redirect < 300 && strchr(&(page_name[4]), ':')) {
482 // 2xx require a local template file
483 debugs(0, DBG_CRITICAL, "FATAL: status " << info->page_redirect << " requires a template on '" << page_name << "'");
484 self_destruct();
485 } else if (info->page_redirect >= 300 && info->page_redirect <= 399 && !strchr(&(page_name[4]), ':')) {
486 // 3xx require an absolute URL
487 debugs(0, DBG_CRITICAL, "FATAL: status " << info->page_redirect << " requires a URL on '" << page_name << "'");
488 self_destruct();
489 } else if (info->page_redirect >= 400 /* && <= 599 */ && strchr(&(page_name[4]), ':')) {
490 // 4xx/5xx require a local template file
491 debugs(0, DBG_CRITICAL, "FATAL: status " << info->page_redirect << " requires a template on '" << page_name << "'");
492 self_destruct();
493 }
494 // else okay.
495
496 return info;
497 }
498
499 /// \ingroup ErrorPageInternal
500 static void
501 errorDynamicPageInfoDestroy(ErrorDynamicPageInfo * info)
502 {
503 assert(info);
504 safe_free(info->page_name);
505 delete info;
506 }
507
508 /// \ingroup ErrorPageInternal
509 static int
510 errorPageId(const char *page_name)
511 {
512 for (int i = 0; i < ERR_MAX; ++i) {
513 if (strcmp(err_type_str[i], page_name) == 0)
514 return i;
515 }
516
517 for (size_t j = 0; j < ErrorDynamicPages.size(); ++j) {
518 if (strcmp(ErrorDynamicPages[j]->page_name, page_name) == 0)
519 return j + ERR_MAX;
520 }
521
522 return ERR_NONE;
523 }
524
525 err_type
526 errorReservePageId(const char *page_name)
527 {
528 ErrorDynamicPageInfo *info;
529 int id = errorPageId(page_name);
530
531 if (id == ERR_NONE) {
532 info = errorDynamicPageInfoCreate(ERR_MAX + ErrorDynamicPages.size(), page_name);
533 ErrorDynamicPages.push_back(info);
534 id = info->id;
535 }
536
537 return (err_type)id;
538 }
539
540 /// \ingroup ErrorPageInternal
541 const char *
542 errorPageName(int pageId)
543 {
544 if (pageId >= ERR_NONE && pageId < ERR_MAX) /* common case */
545 return err_type_str[pageId];
546
547 if (pageId >= ERR_MAX && pageId - ERR_MAX < (ssize_t)ErrorDynamicPages.size())
548 return ErrorDynamicPages[pageId - ERR_MAX]->page_name;
549
550 return "ERR_UNKNOWN"; /* should not happen */
551 }
552
553 ErrorState *
554 ErrorState::NewForwarding(err_type type, HttpRequest *request)
555 {
556 assert(request);
557 const Http::StatusCode status = request->flags.needValidation ?
558 Http::scGatewayTimeout : Http::scServiceUnavailable;
559 return new ErrorState(type, status, request);
560 }
561
562 ErrorState::ErrorState(err_type t, Http::StatusCode status, HttpRequest * req) :
563 type(t),
564 page_id(t),
565 err_language(NULL),
566 httpStatus(status),
567 #if USE_AUTH
568 auth_user_request (NULL),
569 #endif
570 request(NULL),
571 url(NULL),
572 xerrno(0),
573 port(0),
574 dnsError(),
575 ttl(0),
576 src_addr(),
577 redirect_url(NULL),
578 callback(NULL),
579 callback_data(NULL),
580 request_hdrs(NULL),
581 err_msg(NULL),
582 #if USE_OPENSSL
583 detail(NULL),
584 #endif
585 detailCode(ERR_DETAIL_NONE)
586 {
587 memset(&ftp, 0, sizeof(ftp));
588
589 if (page_id >= ERR_MAX && ErrorDynamicPages[page_id - ERR_MAX]->page_redirect != Http::scNone)
590 httpStatus = ErrorDynamicPages[page_id - ERR_MAX]->page_redirect;
591
592 if (req != NULL) {
593 request = req;
594 HTTPMSGLOCK(request);
595 src_addr = req->client_addr;
596 }
597 }
598
599 void
600 errorAppendEntry(StoreEntry * entry, ErrorState * err)
601 {
602 assert(entry->mem_obj != NULL);
603 assert (entry->isEmpty());
604 debugs(4, 4, "Creating an error page for entry " << entry <<
605 " with errorstate " << err <<
606 " page id " << err->page_id);
607
608 if (entry->store_status != STORE_PENDING) {
609 debugs(4, 2, "Skipping error page due to store_status: " << entry->store_status);
610 /*
611 * If the entry is not STORE_PENDING, then no clients
612 * care about it, and we don't need to generate an
613 * error message
614 */
615 assert(EBIT_TEST(entry->flags, ENTRY_ABORTED));
616 assert(entry->mem_obj->nclients == 0);
617 delete err;
618 return;
619 }
620
621 if (err->page_id == TCP_RESET) {
622 if (err->request) {
623 debugs(4, 2, "RSTing this reply");
624 err->request->flags.resetTcp = true;
625 }
626 }
627
628 entry->storeErrorResponse(err->BuildHttpReply());
629 delete err;
630 }
631
632 void
633 errorSend(const Comm::ConnectionPointer &conn, ErrorState * err)
634 {
635 HttpReply *rep;
636 debugs(4, 3, HERE << conn << ", err=" << err);
637 assert(Comm::IsConnOpen(conn));
638
639 rep = err->BuildHttpReply();
640
641 MemBuf *mb = rep->pack();
642 AsyncCall::Pointer call = commCbCall(78, 5, "errorSendComplete",
643 CommIoCbPtrFun(&errorSendComplete, err));
644 Comm::Write(conn, mb, call);
645 delete mb;
646
647 delete rep;
648 }
649
650 /**
651 \ingroup ErrorPageAPI
652 *
653 * Called by commHandleWrite() after data has been written
654 * to the client socket.
655 *
656 \note If there is a callback, the callback is responsible for
657 * closing the FD, otherwise we do it ourselves.
658 */
659 static void
660 errorSendComplete(const Comm::ConnectionPointer &conn, char *, size_t size, Comm::Flag errflag, int, void *data)
661 {
662 ErrorState *err = static_cast<ErrorState *>(data);
663 debugs(4, 3, HERE << conn << ", size=" << size);
664
665 if (errflag != Comm::ERR_CLOSING) {
666 if (err->callback) {
667 debugs(4, 3, "errorSendComplete: callback");
668 err->callback(conn->fd, err->callback_data, size);
669 } else {
670 debugs(4, 3, "errorSendComplete: comm_close");
671 conn->close();
672 }
673 }
674
675 delete err;
676 }
677
678 ErrorState::~ErrorState()
679 {
680 HTTPMSGUNLOCK(request);
681 safe_free(redirect_url);
682 safe_free(url);
683 safe_free(request_hdrs);
684 wordlistDestroy(&ftp.server_msg);
685 safe_free(ftp.request);
686 safe_free(ftp.reply);
687 #if USE_AUTH
688 auth_user_request = NULL;
689 #endif
690 safe_free(err_msg);
691 #if USE_ERR_LOCALES
692 if (err_language != Config.errorDefaultLanguage)
693 #endif
694 safe_free(err_language);
695 #if USE_OPENSSL
696 delete detail;
697 #endif
698 }
699
700 int
701 ErrorState::Dump(MemBuf * mb)
702 {
703 MemBuf str;
704 char ntoabuf[MAX_IPSTRLEN];
705
706 str.reset();
707 /* email subject line */
708 str.appendf("CacheErrorInfo - %s", errorPageName(type));
709 mb->appendf("?subject=%s", rfc1738_escape_part(str.buf));
710 str.reset();
711 /* email body */
712 str.appendf("CacheHost: %s\r\n", getMyHostname());
713 /* - Err Msgs */
714 str.appendf("ErrPage: %s\r\n", errorPageName(type));
715
716 if (xerrno) {
717 str.appendf("Err: (%d) %s\r\n", xerrno, strerror(xerrno));
718 } else {
719 str.append("Err: [none]\r\n", 13);
720 }
721 #if USE_AUTH
722 if (auth_user_request.getRaw() && auth_user_request->denyMessage())
723 str.appendf("Auth ErrMsg: %s\r\n", auth_user_request->denyMessage());
724 #endif
725 if (dnsError.size() > 0)
726 str.appendf("DNS ErrMsg: %s\r\n", dnsError.termedBuf());
727
728 /* - TimeStamp */
729 str.appendf("TimeStamp: %s\r\n\r\n", mkrfc1123(squid_curtime));
730
731 /* - IP stuff */
732 str.appendf("ClientIP: %s\r\n", src_addr.toStr(ntoabuf,MAX_IPSTRLEN));
733
734 if (request && request->hier.host[0] != '\0') {
735 str.appendf("ServerIP: %s\r\n", request->hier.host);
736 }
737
738 str.append("\r\n", 2);
739 /* - HTTP stuff */
740 str.append("HTTP Request:\r\n", 15);
741 if (request) {
742 str.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n",
743 SQUIDSBUFPRINT(request->method.image()),
744 SQUIDSBUFPRINT(request->url.path()),
745 AnyP::ProtocolType_str[request->http_ver.protocol],
746 request->http_ver.major, request->http_ver.minor);
747 request->header.packInto(&str);
748 }
749
750 str.append("\r\n", 2);
751 /* - FTP stuff */
752
753 if (ftp.request) {
754 str.appendf("FTP Request: %s\r\n", ftp.request);
755 str.appendf("FTP Reply: %s\r\n", (ftp.reply? ftp.reply:"[none]"));
756 str.append("FTP Msg: ", 9);
757 wordlistCat(ftp.server_msg, &str);
758 str.append("\r\n", 2);
759 }
760
761 str.append("\r\n", 2);
762 mb->appendf("&body=%s", rfc1738_escape_part(str.buf));
763 str.clean();
764 return 0;
765 }
766
767 /// \ingroup ErrorPageInternal
768 #define CVT_BUF_SZ 512
769
770 const char *
771 ErrorState::Convert(char token, bool building_deny_info_url, bool allowRecursion)
772 {
773 static MemBuf mb;
774 const char *p = NULL; /* takes priority over mb if set */
775 int do_quote = 1;
776 int no_urlescape = 0; /* if true then item is NOT to be further URL-encoded */
777 char ntoabuf[MAX_IPSTRLEN];
778
779 mb.reset();
780
781 switch (token) {
782
783 case 'a':
784 #if USE_AUTH
785 if (request && request->auth_user_request != NULL)
786 p = request->auth_user_request->username();
787 if (!p)
788 #endif
789 p = "-";
790 break;
791
792 case 'b':
793 mb.appendf("%u", getMyPort());
794 break;
795
796 case 'B':
797 if (building_deny_info_url) break;
798 if (request) {
799 const SBuf &tmp = Ftp::UrlWith2f(request);
800 mb.append(tmp.rawContent(), tmp.length());
801 } else
802 p = "[no URL]";
803 break;
804
805 case 'c':
806 if (building_deny_info_url) break;
807 p = errorPageName(type);
808 break;
809
810 case 'D':
811 if (!allowRecursion)
812 p = "%D"; // if recursion is not allowed, do not convert
813 #if USE_OPENSSL
814 // currently only SSL error details implemented
815 else if (detail) {
816 detail->useRequest(request);
817 const String &errDetail = detail->toString();
818 if (errDetail.size() > 0) {
819 MemBuf *detail_mb = ConvertText(errDetail.termedBuf(), false);
820 mb.append(detail_mb->content(), detail_mb->contentSize());
821 delete detail_mb;
822 do_quote = 0;
823 }
824 }
825 #endif
826 if (!mb.contentSize())
827 mb.append("[No Error Detail]", 17);
828 break;
829
830 case 'e':
831 mb.appendf("%d", xerrno);
832 break;
833
834 case 'E':
835 if (xerrno)
836 mb.appendf("(%d) %s", xerrno, strerror(xerrno));
837 else
838 mb.append("[No Error]", 10);
839 break;
840
841 case 'f':
842 if (building_deny_info_url) break;
843 /* FTP REQUEST LINE */
844 if (ftp.request)
845 p = ftp.request;
846 else
847 p = "nothing";
848 break;
849
850 case 'F':
851 if (building_deny_info_url) break;
852 /* FTP REPLY LINE */
853 if (ftp.reply)
854 p = ftp.reply;
855 else
856 p = "nothing";
857 break;
858
859 case 'g':
860 if (building_deny_info_url) break;
861 /* FTP SERVER RESPONSE */
862 if (ftp.listing) {
863 mb.append(ftp.listing->content(), ftp.listing->contentSize());
864 do_quote = 0;
865 } else if (ftp.server_msg) {
866 wordlistCat(ftp.server_msg, &mb);
867 }
868 break;
869
870 case 'h':
871 mb.appendf("%s", getMyHostname());
872 break;
873
874 case 'H':
875 if (request) {
876 if (request->hier.host[0] != '\0') // if non-empty string.
877 p = request->hier.host;
878 else
879 p = request->url.host();
880 } else if (!building_deny_info_url)
881 p = "[unknown host]";
882 break;
883
884 case 'i':
885 mb.appendf("%s", src_addr.toStr(ntoabuf,MAX_IPSTRLEN));
886 break;
887
888 case 'I':
889 if (request && request->hier.tcpServer != NULL)
890 p = request->hier.tcpServer->remote.toStr(ntoabuf,MAX_IPSTRLEN);
891 else if (!building_deny_info_url)
892 p = "[unknown]";
893 break;
894
895 case 'l':
896 if (building_deny_info_url) break;
897 mb.append(error_stylesheet.content(), error_stylesheet.contentSize());
898 do_quote = 0;
899 break;
900
901 case 'L':
902 if (building_deny_info_url) break;
903 if (Config.errHtmlText) {
904 mb.appendf("%s", Config.errHtmlText);
905 do_quote = 0;
906 } else
907 p = "[not available]";
908 break;
909
910 case 'm':
911 if (building_deny_info_url) break;
912 #if USE_AUTH
913 if (auth_user_request.getRaw())
914 p = auth_user_request->denyMessage("[not available]");
915 else
916 p = "[not available]";
917 #else
918 p = "-";
919 #endif
920 break;
921
922 case 'M':
923 if (request) {
924 const SBuf &m = request->method.image();
925 mb.append(m.rawContent(), m.length());
926 } else if (!building_deny_info_url)
927 p = "[unknown method]";
928 break;
929
930 case 'O':
931 if (!building_deny_info_url)
932 do_quote = 0;
933 case 'o':
934 p = request ? request->extacl_message.termedBuf() : external_acl_message;
935 if (!p && !building_deny_info_url)
936 p = "[not available]";
937 break;
938
939 case 'p':
940 if (request) {
941 mb.appendf("%u", request->url.port());
942 } else if (!building_deny_info_url) {
943 p = "[unknown port]";
944 }
945 break;
946
947 case 'P':
948 if (request) {
949 p = request->url.getScheme().c_str();
950 } else if (!building_deny_info_url) {
951 p = "[unknown protocol]";
952 }
953 break;
954
955 case 'R':
956 if (building_deny_info_url) {
957 if (request != NULL) {
958 SBuf tmp = request->url.path();
959 p = tmp.c_str();
960 no_urlescape = 1;
961 } else
962 p = "[no request]";
963 break;
964 }
965 if (request != NULL) {
966 mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n",
967 SQUIDSBUFPRINT(request->method.image()),
968 SQUIDSBUFPRINT(request->url.path()),
969 AnyP::ProtocolType_str[request->http_ver.protocol],
970 request->http_ver.major, request->http_ver.minor);
971 request->header.packInto(&mb, true); //hide authorization data
972 } else if (request_hdrs) {
973 p = request_hdrs;
974 } else {
975 p = "[no request]";
976 }
977 break;
978
979 case 's':
980 /* for backward compat we make %s show the full URL. Drop this in some future release. */
981 if (building_deny_info_url) {
982 if (request) {
983 const SBuf &tmp = request->effectiveRequestUri();
984 mb.append(tmp.rawContent(), tmp.length());
985 } else
986 p = url;
987 debugs(0, DBG_CRITICAL, "WARNING: deny_info now accepts coded tags. Use %u to get the full URL instead of %s");
988 } else
989 p = visible_appname_string;
990 break;
991
992 case 'S':
993 if (building_deny_info_url) {
994 p = visible_appname_string;
995 break;
996 }
997 /* signature may contain %-escapes, recursion */
998 if (page_id != ERR_SQUID_SIGNATURE) {
999 const int saved_id = page_id;
1000 page_id = ERR_SQUID_SIGNATURE;
1001 MemBuf *sign_mb = BuildContent();
1002 mb.append(sign_mb->content(), sign_mb->contentSize());
1003 sign_mb->clean();
1004 delete sign_mb;
1005 page_id = saved_id;
1006 do_quote = 0;
1007 } else {
1008 /* wow, somebody put %S into ERR_SIGNATURE, stop recursion */
1009 p = "[%S]";
1010 }
1011 break;
1012
1013 case 't':
1014 mb.appendf("%s", Time::FormatHttpd(squid_curtime));
1015 break;
1016
1017 case 'T':
1018 mb.appendf("%s", mkrfc1123(squid_curtime));
1019 break;
1020
1021 case 'U':
1022 /* Using the fake-https version of absolute-URI so error pages see https:// */
1023 /* even when the url-path cannot be shown as more than '*' */
1024 if (request)
1025 p = urlCanonicalFakeHttps(request);
1026 else if (url)
1027 p = url;
1028 else if (!building_deny_info_url)
1029 p = "[no URL]";
1030 break;
1031
1032 case 'u':
1033 if (request) {
1034 const SBuf &tmp = request->effectiveRequestUri();
1035 mb.append(tmp.rawContent(), tmp.length());
1036 } else if (url)
1037 p = url;
1038 else if (!building_deny_info_url)
1039 p = "[no URL]";
1040 break;
1041
1042 case 'w':
1043 if (Config.adminEmail)
1044 mb.appendf("%s", Config.adminEmail);
1045 else if (!building_deny_info_url)
1046 p = "[unknown]";
1047 break;
1048
1049 case 'W':
1050 if (building_deny_info_url) break;
1051 if (Config.adminEmail && Config.onoff.emailErrData)
1052 Dump(&mb);
1053 no_urlescape = 1;
1054 break;
1055
1056 case 'x':
1057 #if USE_OPENSSL
1058 if (detail)
1059 mb.appendf("%s", detail->errorName());
1060 else
1061 #endif
1062 if (!building_deny_info_url)
1063 p = "[Unknown Error Code]";
1064 break;
1065
1066 case 'z':
1067 if (building_deny_info_url) break;
1068 if (dnsError.size() > 0)
1069 p = dnsError.termedBuf();
1070 else if (ftp.cwd_msg)
1071 p = ftp.cwd_msg;
1072 else
1073 p = "[unknown]";
1074 break;
1075
1076 case 'Z':
1077 if (building_deny_info_url) break;
1078 if (err_msg)
1079 p = err_msg;
1080 else
1081 p = "[unknown]";
1082 break;
1083
1084 case '%':
1085 p = "%";
1086 break;
1087
1088 default:
1089 mb.appendf("%%%c", token);
1090 do_quote = 0;
1091 break;
1092 }
1093
1094 if (!p)
1095 p = mb.buf; /* do not use mb after this assignment! */
1096
1097 assert(p);
1098
1099 debugs(4, 3, "errorConvert: %%" << token << " --> '" << p << "'" );
1100
1101 if (do_quote)
1102 p = html_quote(p);
1103
1104 if (building_deny_info_url && !no_urlescape)
1105 p = rfc1738_escape_part(p);
1106
1107 return p;
1108 }
1109
1110 void
1111 ErrorState::DenyInfoLocation(const char *name, HttpRequest *, MemBuf &result)
1112 {
1113 char const *m = name;
1114 char const *p = m;
1115 char const *t;
1116
1117 if (m[0] == '3')
1118 m += 4; // skip "3xx:"
1119
1120 while ((p = strchr(m, '%'))) {
1121 result.append(m, p - m); /* copy */
1122 t = Convert(*++p, true, true); /* convert */
1123 result.appendf("%s", t); /* copy */
1124 m = p + 1; /* advance */
1125 }
1126
1127 if (*m)
1128 result.appendf("%s", m); /* copy tail */
1129
1130 assert((size_t)result.contentSize() == strlen(result.content()));
1131 }
1132
1133 HttpReply *
1134 ErrorState::BuildHttpReply()
1135 {
1136 HttpReply *rep = new HttpReply;
1137 const char *name = errorPageName(page_id);
1138 /* no LMT for error pages; error pages expire immediately */
1139
1140 if (name[0] == '3' || (name[0] != '2' && name[0] != '4' && name[0] != '5' && strchr(name, ':'))) {
1141 /* Redirection */
1142 Http::StatusCode status = Http::scFound;
1143 // Use configured 3xx reply status if set.
1144 if (name[0] == '3')
1145 status = httpStatus;
1146 else {
1147 // Use 307 for HTTP/1.1 non-GET/HEAD requests.
1148 if (request != NULL && request->method != Http::METHOD_GET && request->method != Http::METHOD_HEAD && request->http_ver >= Http::ProtocolVersion(1,1))
1149 status = Http::scTemporaryRedirect;
1150 }
1151
1152 rep->setHeaders(status, NULL, "text/html;charset=utf-8", 0, 0, -1);
1153
1154 if (request) {
1155 MemBuf redirect_location;
1156 redirect_location.init();
1157 DenyInfoLocation(name, request, redirect_location);
1158 httpHeaderPutStrf(&rep->header, Http::HdrType::LOCATION, "%s", redirect_location.content() );
1159 }
1160
1161 httpHeaderPutStrf(&rep->header, Http::HdrType::X_SQUID_ERROR, "%d %s", httpStatus, "Access Denied");
1162 } else {
1163 MemBuf *content = BuildContent();
1164 rep->setHeaders(httpStatus, NULL, "text/html;charset=utf-8", content->contentSize(), 0, -1);
1165 /*
1166 * include some information for downstream caches. Implicit
1167 * replaceable content. This isn't quite sufficient. xerrno is not
1168 * necessarily meaningful to another system, so we really should
1169 * expand it. Additionally, we should identify ourselves. Someone
1170 * might want to know. Someone _will_ want to know OTOH, the first
1171 * X-CACHE-MISS entry should tell us who.
1172 */
1173 httpHeaderPutStrf(&rep->header, Http::HdrType::X_SQUID_ERROR, "%s %d", name, xerrno);
1174
1175 #if USE_ERR_LOCALES
1176 /*
1177 * If error page auto-negotiate is enabled in any way, send the Vary.
1178 * RFC 2616 section 13.6 and 14.44 says MAY and SHOULD do this.
1179 * We have even better reasons though:
1180 * see http://wiki.squid-cache.org/KnowledgeBase/VaryNotCaching
1181 */
1182 if (!Config.errorDirectory) {
1183 /* We 'negotiated' this ONLY from the Accept-Language. */
1184 rep->header.delById(Http::HdrType::VARY);
1185 rep->header.putStr(Http::HdrType::VARY, "Accept-Language");
1186 }
1187
1188 /* add the Content-Language header according to RFC section 14.12 */
1189 if (err_language) {
1190 rep->header.putStr(Http::HdrType::CONTENT_LANGUAGE, err_language);
1191 } else
1192 #endif /* USE_ERROR_LOCALES */
1193 {
1194 /* default templates are in English */
1195 /* language is known unless error_directory override used */
1196 if (!Config.errorDirectory)
1197 rep->header.putStr(Http::HdrType::CONTENT_LANGUAGE, "en");
1198 }
1199
1200 rep->body.setMb(content);
1201 /* do not memBufClean() or delete the content, it was absorbed by httpBody */
1202 }
1203
1204 // Make sure error codes get back to the client side for logging and
1205 // error tracking.
1206 if (request) {
1207 int edc = ERR_DETAIL_NONE; // error detail code
1208 #if USE_OPENSSL
1209 if (detail)
1210 edc = detail->errorNo();
1211 else
1212 #endif
1213 if (detailCode)
1214 edc = detailCode;
1215 else
1216 edc = xerrno;
1217 request->detailError(type, edc);
1218 }
1219
1220 return rep;
1221 }
1222
1223 MemBuf *
1224 ErrorState::BuildContent()
1225 {
1226 const char *m = NULL;
1227
1228 assert(page_id > ERR_NONE && page_id < error_page_count);
1229
1230 #if USE_ERR_LOCALES
1231 ErrorPageFile *localeTmpl = NULL;
1232
1233 /** error_directory option in squid.conf overrides translations.
1234 * Custom errors are always found either in error_directory or the templates directory.
1235 * Otherwise locate the Accept-Language header
1236 */
1237 if (!Config.errorDirectory && page_id < ERR_MAX) {
1238 if (err_language && err_language != Config.errorDefaultLanguage)
1239 safe_free(err_language);
1240
1241 localeTmpl = new ErrorPageFile(err_type_str[page_id], static_cast<err_type>(page_id));
1242 if (localeTmpl->loadFor(request)) {
1243 m = localeTmpl->text();
1244 assert(localeTmpl->language());
1245 err_language = xstrdup(localeTmpl->language());
1246 }
1247 }
1248 #endif /* USE_ERR_LOCALES */
1249
1250 /** \par
1251 * If client-specific error templates are not enabled or available.
1252 * fall back to the old style squid.conf settings.
1253 */
1254 if (!m) {
1255 m = error_text[page_id];
1256 #if USE_ERR_LOCALES
1257 if (!Config.errorDirectory)
1258 err_language = Config.errorDefaultLanguage;
1259 #endif
1260 debugs(4, 2, HERE << "No existing error page language negotiated for " << errorPageName(page_id) << ". Using default error file.");
1261 }
1262
1263 MemBuf *result = ConvertText(m, true);
1264 #if USE_ERR_LOCALES
1265 if (localeTmpl)
1266 delete localeTmpl;
1267 #endif
1268 return result;
1269 }
1270
1271 MemBuf *ErrorState::ConvertText(const char *text, bool allowRecursion)
1272 {
1273 MemBuf *content = new MemBuf;
1274 const char *p;
1275 const char *m = text;
1276 assert(m);
1277 content->init();
1278
1279 while ((p = strchr(m, '%'))) {
1280 content->append(m, p - m); /* copy */
1281 const char *t = Convert(*++p, false, allowRecursion); /* convert */
1282 content->appendf("%s", t); /* copy */
1283 m = p + 1; /* advance */
1284 }
1285
1286 if (*m)
1287 content->appendf("%s", m); /* copy tail */
1288
1289 content->terminate();
1290
1291 assert((size_t)content->contentSize() == strlen(content->content()));
1292
1293 return content;
1294 }
1295
Mirror of https://github.com/squid-cache/squid.git