Feature Request #601: add request_header_access and reply_header_access
authorhno <>
Wed, 8 Dec 2004 07:24:41 +0000 (07:24 +0000)
committerhno <>
Wed, 8 Dec 2004 07:24:41 +0000 (07:24 +0000)
This splits header_access into request_header_access and reply_header_access

CONTRIBUTORS
doc/release-notes/release-3.0.sgml
src/HttpHeaderTools.cc
src/cf.data.pre
src/client_side_reply.cc
src/enums.h
src/http.cc
src/protos.h
src/structs.h

index 04b81f048f7cc177b5fdb5bc2aa83202c3e97f41..c367455f028b8d10c73605c2ab9525515085f273 100644 (file)
@@ -90,5 +90,6 @@ and ideas to make this software available.
        Jerry Murdock <jmurdock@itraktech.com>
        Leeann Bent <lbent@cs.ucsd.edu>
        Bruce Murphy <pack-squid@rattus.net>
+       Francis Daly <francis@daoine.org>
 
        Duane Wessels <wessels@squid-cache.org>
index abf52e52bab3d68faeff3934ad5822ab95390ac0..3c218a3521a4c910a5f998b04c5008174a3d34a1 100644 (file)
@@ -2,7 +2,7 @@
 <article>
 <title>Squid 3.0 release notes</title>
 <author>Squid Developers</author>
-<date>$Id: release-3.0.sgml,v 1.16 2004/08/14 22:57:48 hno Exp $</date>
+<date>$Id: release-3.0.sgml,v 1.17 2004/12/08 00:24:41 hno Exp $</date>
 
 <abstract>
 This document contains the release notes for version 3.0 of Squid.
@@ -129,6 +129,7 @@ This fixes two issues:
        <tag>access_log</tag>The access_log directive now optionally includes specifications on what log format to use and acls matching which requests to log. Can be specified multiple times to log different requests to different files.
        <tag>logformat</tag>new directive to define custom log formats
        <tag>httpd_accel_*</tag>These directives have been replaced by http(s)_port options and cache_peer based request forwarding. Note that you can no longer run proxy and acceleration mode on the same port. If you previously did this you now need to define two ports, one for acceleration, one for proxying.
+       <tag>header_access</tag>This directive have been split into request_header_access and reply_header_access directives to allow for better control of what is allowed in reqests vs replies.
 </descrip>
 
 <sect>Known limitations
index 920bc47f3846045253238108d844615aa71d6779..a4daefa14ede27a37416b69832f869802c818bfb 100644 (file)
@@ -1,6 +1,6 @@
 
 /*
- * $Id: HttpHeaderTools.cc,v 1.45 2003/09/21 00:30:46 robertc Exp $
+ * $Id: HttpHeaderTools.cc,v 1.46 2004/12/08 00:24:42 hno Exp $
  *
  * DEBUG: section 66    HTTP Header Tools
  * AUTHOR: Alex Rousskov
@@ -504,7 +504,7 @@ httpHeaderStrCmp(const char *h1, const char *h2, int len)
  * Returns 1 if the header is allowed.
  */
 static int
-httpHdrMangle(HttpHeaderEntry * e, HttpRequest * request)
+httpHdrMangle(HttpHeaderEntry * e, HttpRequest * request, int req_or_rep)
 {
     int retval;
 
@@ -512,7 +512,16 @@ httpHdrMangle(HttpHeaderEntry * e, HttpRequest * request)
     header_mangler *hm;
     ACLChecklist *checklist;
     assert(e);
-    hm = &Config.header_access[e->id];
+
+    if (ROR_REQUEST == req_or_rep) {
+        hm = &Config.request_header_access[e->id];
+    } else if (ROR_REPLY == req_or_rep) {
+        hm = &Config.reply_header_access[e->id];
+    } else {
+        /* error. But let's call it "request". */
+        hm = &Config.request_header_access[e->id];
+    }
+
     checklist = aclChecklistCreate(hm->access_list, request, NULL);
 
     if (1 == checklist->fastCheck()) {
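Review bot: The final `else` in the table selection silently treats an unrecognised `req_or_rep` as a request, so a wrong value passed on the reply path would apply the request rules, and reply headers the administrator denied could pass through unfiltered. Since the function already uses `assert(e);`, I would make the invalid case loud instead of picking a table, e.g. `assert(ROR_REQUEST == req_or_rep || ROR_REPLY == req_or_rep);` ahead of the `if`, and drop the third branch. The body of httpHdrMangle continues past the end of this hunk.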
@@ -536,12 +545,12 @@ httpHdrMangle(HttpHeaderEntry * e, HttpRequest * request)
 
 /* Mangles headers for a list of headers. */
 void
-httpHdrMangleList(HttpHeader * l, HttpRequest * request)
+httpHdrMangleList(HttpHeader * l, HttpRequest * request, int req_or_rep)
 {
     HttpHeaderEntry *e;
     HttpHeaderPos p = HttpHeaderInitPos;
 
     while ((e = httpHeaderGetEntry(l, &p)))
-        if (0 == httpHdrMangle(e, request))
+        if (0 == httpHdrMangle(e, request, req_or_rep))
             httpHeaderDelAt(l, p);
 }
index 766811d516dedc7ffdda6c20f93a0eec372baa79..467f12cd85ad81eb64e8a94490a88b6d5e21751c 100644 (file)
@@ -1,6 +1,6 @@
 
 #
-# $Id: cf.data.pre,v 1.362 2004/11/06 22:20:47 hno Exp $
+# $Id: cf.data.pre,v 1.363 2004/12/08 00:24:42 hno Exp $
 #
 #
 # SQUID Web Proxy Cache          http://www.squid-cache.org/
@@ -3501,13 +3501,13 @@ DOC_START
        and firewall_ip.
 DOC_END
 
-NAME: header_access
+NAME: request_header_access
 IFDEF: HTTP_VIOLATIONS
 TYPE: http_header_access[]
-LOC: Config.header_access
+LOC: Config.request_header_access
 DEFAULT: none
 DOC_START
-       Usage: header_access header_name allow|deny [!]aclname ...
+       Usage: request_header_access header_name allow|deny [!]aclname ...
 
        WARNING: Doing this VIOLATES the HTTP standard.  Enabling
        this feature could make you liable for problems which it
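Review bot: The `NAME: header_access` entry is renamed in place, so no entry for the old directive name remains in this hunk. Existing configurations that rely on `header_access ... deny` lines to strip headers would no longer be applied as written after an upgrade. How the parser reports an unknown directive is not visible here, so it should be confirmed whether that is a hard error or a skipped line. I would add a sentence to this DOC block such as `This directive replaces header_access; rules that must also apply to replies have to be repeated with reply_header_access.` The DOC block starts and ends outside this hunk.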
@@ -3519,6 +3519,9 @@ DOC_START
        for each header, allowing you very fine-tuned header
        mangling.
 
+       This option only applies to request headers, i.e., from the
+       client to the server.
+
        You can only specify known headers for the header name.
        Other headers are reclassified as 'Other'. You can also
        refer to all the headers with 'All'.
@@ -3526,41 +3529,118 @@ DOC_START
        For example, to achieve the same behaviour as the old
        'http_anonymizer standard' option, you should use:
 
-               header_access From deny all
-               header_access Referer deny all
-               header_access Server deny all
-               header_access User-Agent deny all
-               header_access WWW-Authenticate deny all
-               header_access Link deny all
+               request_header_access From deny all
+               request_header_access Referer deny all
+               request_header_access Server deny all
+               request_header_access User-Agent deny all
+               request_header_access WWW-Authenticate deny all
+               request_header_access Link deny all
 
        Or, to reproduce the old 'http_anonymizer paranoid' feature
        you should use:
 
-               header_access Allow allow all
-               header_access Authorization allow all
-               header_access WWW-Authenticate allow all
-               header_access Cache-Control allow all
-               header_access Content-Encoding allow all
-               header_access Content-Length allow all
-               header_access Content-Type allow all
-               header_access Date allow all
-               header_access Expires allow all
-               header_access Host allow all
-               header_access If-Modified-Since allow all
-               header_access Last-Modified allow all
-               header_access Location allow all
-               header_access Pragma allow all
-               header_access Accept allow all
-               header_access Accept-Charset allow all
-               header_access Accept-Encoding allow all
-               header_access Accept-Language allow all
-               header_access Content-Language allow all
-               header_access Mime-Version allow all
-               header_access Retry-After allow all
-               header_access Title allow all
-               header_access Connection allow all
-               header_access Proxy-Connection allow all
-               header_access All deny all
+               request_header_access Allow allow all
+               request_header_access Authorization allow all
+               request_header_access WWW-Authenticate allow all
+               request_header_access Cache-Control allow all
+               request_header_access Content-Encoding allow all
+               request_header_access Content-Length allow all
+               request_header_access Content-Type allow all
+               request_header_access Date allow all
+               request_header_access Expires allow all
+               request_header_access Host allow all
+               request_header_access If-Modified-Since allow all
+               request_header_access Last-Modified allow all
+               request_header_access Location allow all
+               request_header_access Pragma allow all
+               request_header_access Accept allow all
+               request_header_access Accept-Charset allow all
+               request_header_access Accept-Encoding allow all
+               request_header_access Accept-Language allow all
+               request_header_access Content-Language allow all
+               request_header_access Mime-Version allow all
+               request_header_access Retry-After allow all
+               request_header_access Title allow all
+               request_header_access Connection allow all
+               request_header_access Proxy-Connection allow all
+               request_header_access All deny all
+
+       although many of those are HTTP reply headers, and so should be
+       controlled with the reply_header_access directive.
+
+       By default, all headers are allowed (no anonymizing is
+       performed).
+DOC_END
+
+NAME: reply_header_access
+IFDEF: HTTP_VIOLATIONS
+TYPE: http_header_access[]
+LOC: Config.reply_header_access
+DEFAULT: none
+DOC_START
+       Usage: reply_header_access header_name allow|deny [!]aclname ...
+
+       WARNING: Doing this VIOLATES the HTTP standard.  Enabling
+       this feature could make you liable for problems which it
+       causes.
+
+       This option only applies to reply headers, i.e., from the
+       server to the client.
+
+       This is the same as request_header_access, but in the other
+       direction.
+
+       This option replaces the old 'anonymize_headers' and the
+       older 'http_anonymizer' option with something that is much
+       more configurable. This new method creates a list of ACLs
+       for each header, allowing you very fine-tuned header
+       mangling.
+
+       You can only specify known headers for the header name.
+       Other headers are reclassified as 'Other'. You can also
+       refer to all the headers with 'All'.
+
+       For example, to achieve the same behaviour as the old
+       'http_anonymizer standard' option, you should use:
+
+               reply_header_access From deny all
+               reply_header_access Referer deny all
+               reply_header_access Server deny all
+               reply_header_access User-Agent deny all
+               reply_header_access WWW-Authenticate deny all
+               reply_header_access Link deny all
+
+       Or, to reproduce the old 'http_anonymizer paranoid' feature
+       you should use:
+
+               reply_header_access Allow allow all
+               reply_header_access Authorization allow all
+               reply_header_access WWW-Authenticate allow all
+               reply_header_access Cache-Control allow all
+               reply_header_access Content-Encoding allow all
+               reply_header_access Content-Length allow all
+               reply_header_access Content-Type allow all
+               reply_header_access Date allow all
+               reply_header_access Expires allow all
+               reply_header_access Host allow all
+               reply_header_access If-Modified-Since allow all
+               reply_header_access Last-Modified allow all
+               reply_header_access Location allow all
+               reply_header_access Pragma allow all
+               reply_header_access Accept allow all
+               reply_header_access Accept-Charset allow all
+               reply_header_access Accept-Encoding allow all
+               reply_header_access Accept-Language allow all
+               reply_header_access Content-Language allow all
+               reply_header_access Mime-Version allow all
+               reply_header_access Retry-After allow all
+               reply_header_access Title allow all
+               reply_header_access Connection allow all
+               reply_header_access Proxy-Connection allow all
+               reply_header_access All deny all
+
+       although the HTTP request headers won't be usefully controlled
+       by this directive -- see request_header_access for details.
 
        By default, all headers are allowed (no anonymizing is
        performed).
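Review bot: The 'http_anonymizer standard' example under request_header_access is still introduced with "to achieve the same behaviour" and still lists `Server` and `WWW-Authenticate`, but after the split those lines alone no longer touch replies. The caveat about reply headers appears only after the paranoid list, so an administrator copying the shorter example would leave those reply headers unfiltered. The reply_header_access examples likewise carry request-only names such as `From`, `Referer` and `User-Agent`. I would trim each example to the headers of its own direction, or state before the first example that both directive sets are needed to match the old behaviour.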
@@ -3569,7 +3649,7 @@ DOC_END
 NAME: header_replace
 IFDEF: HTTP_VIOLATIONS
 TYPE: http_header_replace[]
-LOC: Config.header_access
+LOC: Config.request_header_access
 DEFAULT: none
 DOC_START
        Usage:   header_replace header_name message
@@ -3580,6 +3660,8 @@ DOC_START
        some fixed string. This replaces the old fake_user_agent
        option.
 
+       This only applies to request headers, not reply headers.
+
        By default, headers are removed if denied.
 DOC_END
 
index 2ce6e16ef711f0723293d1e2d7fe5a3b135958e7..bbb30517d3f497963bf04ba41ef8e8f3f00b8615 100644 (file)
@@ -1,6 +1,6 @@
 
 /*
- * $Id: client_side_reply.cc,v 1.74 2004/10/18 12:20:09 hno Exp $
+ * $Id: client_side_reply.cc,v 1.75 2004/12/08 00:24:42 hno Exp $
  *
  * DEBUG: section 88    Client-side Reply Routines
  * AUTHOR: Robert Collins (Originally Duane Wessels in client_side.c)
@@ -1434,7 +1434,7 @@ clientReplyContext::buildReplyHeader()
 
 #endif
 
-    httpHdrMangleList(hdr, request);
+    httpHdrMangleList(hdr, request, ROR_REPLY);
 }
 
 
index dca54067c2f78d76e78fad351d3bf5adb9a694c9..ed2132d7d755be6d2d3cdb146fb7794bf248b658 100644 (file)
@@ -1,6 +1,6 @@
 
 /*
- * $Id: enums.h,v 1.235 2004/08/30 03:28:59 robertc Exp $
+ * $Id: enums.h,v 1.236 2004/12/08 00:24:42 hno Exp $
  *
  *
  * SQUID Web Proxy Cache          http://www.squid-cache.org/
@@ -702,6 +702,12 @@ typedef enum {
     COMM_ERR_CLOSING = -9
 } comm_err_t;
 
+/* Distinguish between Request and Reply (for header mangling) */
+enum {
+    ROR_REQUEST,
+    ROR_REPLY
+};
+
 
 /* CygWin & Windows NT Port */
 #ifdef _SQUID_WIN32_
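Review bot: The new enum is anonymous and the direction is passed around as `int req_or_rep`, so the compiler cannot reject an out-of-range value. The neighbouring `comm_err_t` shows the file's convention. A named type such as `typedef enum { ROR_REQUEST, ROR_REPLY } req_or_rep_t;`, used in the httpHdrMangleList prototype in src/protos.h and the definitions in src/HttpHeaderTools.cc, would make the two call sites self-checking. I would also extend the comment to say that the value selects `Config.request_header_access` or `Config.reply_header_access`.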
index a0f773325e87a84458aa641d3e72efc837e927f1..8b6b9a7f846977e0b40ea5eccf3c038e63c1c364 100644 (file)
@@ -1,6 +1,6 @@
 
 /*
- * $Id: http.cc,v 1.435 2004/11/16 23:11:46 wessels Exp $
+ * $Id: http.cc,v 1.436 2004/12/08 00:24:42 hno Exp $
  *
  * DEBUG: section 11    Hypertext Transfer Protocol (HTTP)
  * AUTHOR: Harvest Derived
@@ -1401,7 +1401,7 @@ httpBuildRequestHeader(HttpRequest * request,
     }
 
     /* Now mangle the headers. */
-    httpHdrMangleList(hdr_out, request);
+    httpHdrMangleList(hdr_out, request, ROR_REQUEST);
 
     strConnection.clean();
 }
index ddc964f18cc509a57a22883e1e0d016362427c08..5a645f47dd14afc63d2b7c6641e1e8737e1bae50 100644 (file)
@@ -1,6 +1,6 @@
 
 /*
- * $Id: protos.h,v 1.498 2004/11/07 13:58:30 hno Exp $
+ * $Id: protos.h,v 1.499 2004/12/08 00:24:42 hno Exp $
  *
  *
  * SQUID Web Proxy Cache          http://www.squid-cache.org/
@@ -432,7 +432,7 @@ SQUIDCEXTERN HttpHeaderEntry *httpHeaderEntryClone(const HttpHeaderEntry * e);
 SQUIDCEXTERN void httpHeaderEntryPackInto(const HttpHeaderEntry * e, Packer * p);
 /* store report about current header usage and other stats */
 SQUIDCEXTERN void httpHeaderStoreReport(StoreEntry * e);
-SQUIDCEXTERN void httpHdrMangleList(HttpHeader *, HttpRequest *);
+SQUIDCEXTERN void httpHdrMangleList(HttpHeader *, HttpRequest *, int req_or_rep);
 
 /* Http Msg (currently in HttpReply.c @?@ ) */
 SQUIDCEXTERN int httpMsgIsolateHeaders(const char **parse_start, const char **blk_start, const char **blk_end);
index 4b8ab0882c3009660d37ee3a3a56a72e45b90354..18ec6a27b5800d33c37f15caa2f0d33bf094de71 100644 (file)
@@ -1,6 +1,6 @@
 
 /*
- * $Id: structs.h,v 1.495 2004/11/07 23:29:50 hno Exp $
+ * $Id: structs.h,v 1.496 2004/12/08 00:24:42 hno Exp $
  *
  *
  * SQUID Web Proxy Cache          http://www.squid-cache.org/
@@ -674,7 +674,8 @@ struct _SquidConfig
     mcast_miss;
 #endif
 
-    header_mangler header_access[HDR_ENUM_END];
+    header_mangler request_header_access[HDR_ENUM_END];
+    header_mangler reply_header_access[HDR_ENUM_END];
     char *coredump_dir;
     char *chroot_dir;
 #if USE_CACHE_DIGESTS