Bug 2723 fix: enable PURGE requests if PURGE method ACL is present.

PURGE requests were always denied, probably since 2009-06-28 (r9772) changes.

PURGE was denied because Config2.onoff.enable_purge changes done in
ACLMethodData::parse() are lost when Squid memsets Config2 to zero before
interpreting the changes. Config2 is meant for storing values _derived_ from
the primary configuration phase so it is reset after that phase is over.

This patch solves the above problem by storing ACLMethodData::parse() changes
in an ACLMethodData static member. The member is reset before
[re]configuration.

There is probably another problem with r9772 (or earlier) changes. Special
PURGE method processing is enabled whenever a PURGE ACL is detected in the
Squid configuration file, even if the ACL is unused or used in an http_access
option that does not match. This is specifically what r4363 tried to avoid in
year 2000:
     users complain that defining an ACL that is never used in
     an access list shouldn't trip this flag.

The patch does not solve this other problem. The right solution may be adding
a dedicated "purge" option that will have an ACL that controls what PURGE
requests, if any, are allowed to purge. That option would be in addition to
any http_access controls.

diff --git a/src/acl/MethodData.cc b/src/acl/MethodData.cc
index ad6cf3c9034b6cb5b1dc8ef01a543c9f55e4ab54..589056adbe1a970b8bda746cb9bd97de34afdc51 100644 (file)
--- a/src/acl/MethodData.cc
+++ b/src/acl/MethodData.cc
@@ -40,6 +40,8 @@
 #include "HttpRequestMethod.h"
 #include "wordlist.h"
 
+int ACLMethodData::ThePurgeCount = 0;
+
 ACLMethodData::ACLMethodData() : values (NULL)
 {}
 
@@ -89,10 +91,8 @@ ACLMethodData::parse()
 
     for (Tail = &values; *Tail; Tail = &((*Tail)->next));
     while ((t = strtokFile())) {
-        if(strcmp(t, "PURGE") == 0) {
-            // we need to use PURGE, can't just blanket-deny it.
-            Config2.onoff.enable_purge = 1;
-        }
+        if(strcmp(t, "PURGE") == 0)
+            ++ThePurgeCount; // configuration code wants to know
         CbDataList<HttpRequestMethod> *q = new CbDataList<HttpRequestMethod> (HttpRequestMethod(t, NULL));
         *(Tail) = q;
         Tail = &q->next;

diff --git a/src/acl/MethodData.h b/src/acl/MethodData.h
index 062efc81547134f0c02e14f113f0d82bc2ae8afb..f94f936e4ccd4dde0a910ddc28dcc769a97638fa 100644 (file)
--- a/src/acl/MethodData.h
+++ b/src/acl/MethodData.h
@@ -57,6 +57,8 @@ public:
     virtual ACLData<HttpRequestMethod> *clone() const;
 
     CbDataList<HttpRequestMethod> *values;
+
+    static int ThePurgeCount; ///< PURGE methods seen by parse()
 };
 
 MEMPROXY_CLASS_INLINE(ACLMethodData);

diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 51b01dce3eae627f282ceb25204a7b851f931e6f..a8b3cb72b6fcbe1cb70d722ab42f65eed7275ed0 100644 (file)
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -42,6 +42,7 @@
 #include "SwapDir.h"
 #include "ConfigParser.h"
 #include "acl/Acl.h"
+#include "acl/MethodData.h"
 #include "acl/Gadgets.h"
 #include "StoreFileSystem.h"
 #include "Parsing.h"
@@ -389,6 +390,7 @@ parseConfigFile(const char *file_name)
 
     configFreeMemory();
 
+    ACLMethodData::ThePurgeCount = 0;
     default_all();
 
     err_count = parseOneConfigFile(file_name, 0);
@@ -621,10 +623,9 @@ configDoConfigure(void)
 
 #endif
 
-    // we have reconfigured and in the process disabled any need for PURGE.
-    // turn it off now.
-    if(Config2.onoff.enable_purge == 2)
-        Config2.onoff.enable_purge = 0;
+    // we enable runtime PURGE checks if there is at least one PURGE method ACL
+    // TODO: replace with a dedicated "purge" ACL option?
+    Config2.onoff.enable_purge = ACLMethodData::ThePurgeCount > 0;
 
     Config2.onoff.mangle_request_headers = httpReqHdrManglersConfigured();