Bug #2028: FATAL error if using http_reply_access in combination with authentication

The attached patch bypasses http_reply_access on access denied messages
generated by this Squid, and also optimizes processing slightly in the
common case of not using any http_reply_access rules at all.

diff --git a/src/cf.data.pre b/src/cf.data.pre
index c36acfcb539225dc67a66e7bf1d557419d4f585d..c419da66595e0af1d8abd8f4ed182a4f5e2e0ff2 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1,6 +1,6 @@
 
 #
-# $Id: cf.data.pre,v 1.462 2007/08/28 01:57:20 hno Exp $
+# $Id: cf.data.pre,v 1.463 2007/08/30 13:03:42 hno Exp $
 #
 # SQUID Web Proxy Cache                http://www.squid-cache.org/
 # ----------------------------------------------------------
@@ -2866,7 +2866,6 @@ NAME: http_reply_access
 TYPE: acl_access
 LOC: Config.accessList.reply
 DEFAULT: none
-DEFAULT_IF_NONE: allow all
 DOC_START
        Allow replies to client requests. This is complementary to http_access.
 

diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc
index 162c82b686dbd478b53ef421d4320ec65479897f..75edfdbe0c23c293e77cb2831c4f1d32649183bd 100644 (file)
--- a/src/client_side_reply.cc
+++ b/src/client_side_reply.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: client_side_reply.cc,v 1.136 2007/08/27 21:56:58 hno Exp $
+ * $Id: client_side_reply.cc,v 1.137 2007/08/30 13:03:43 hno Exp $
  *
  * DEBUG: section 88    Client-side Reply Routines
  * AUTHOR: Robert Collins (Originally Duane Wessels in client_side.c)
@@ -1753,6 +1753,12 @@ clientReplyContext::processReplyAccess ()
     assert(reply);
     buildMaxBodySize(reply);
 
+    /* Dont't block our own responses or HTTP status messages */
+    if (http->logType == LOG_TCP_DENIED || alwaysAllowResponse(reply->sline.status)) {
+       processReplyAccessResult(1);
+       return;
+    }
+
     if (http->isReplyBodyTooLarge(reply->content_length)) {
         ErrorState *err =
             clientBuildError(ERR_TOO_BIG, HTTP_FORBIDDEN, NULL,
@@ -1765,6 +1771,12 @@ clientReplyContext::processReplyAccess ()
     }
 
     headers_sz = reply->hdr_sz;
+
+    if (!Config.accessList.reply) {
+       processReplyAccessResult(1);
+       return;
+    }
+
     ACLChecklist *replyChecklist;
     replyChecklist = clientAclChecklistCreate(Config.accessList.reply, http);
     replyChecklist->reply = HTTPMSGLOCK(reply);
@@ -1787,11 +1799,7 @@ clientReplyContext::processReplyAccessResult(bool accessAllowed)
            << ", because it matched '" 
            << (AclMatchedName ? AclMatchedName : "NO ACL's") << "'" );
 
-    if (!accessAllowed && reply->sline.status != HTTP_FORBIDDEN
-            && !alwaysAllowResponse(reply->sline.status)) {
-        /* the if above is slightly broken, but there is no way
-         * to tell if this is a squid generated error page, or one from
-         *  upstream at this point. */
+    if (!accessAllowed) {
         ErrorState *err;
         err_type page_id;
         page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, 1);