Bug #1865: deny_info redirection with authentication related acls

this patch modifies deny_info to not redirect when authentication
is required. Any redirect deny_info lines is ignored if the request
was not authenticated.

Forward port of 2.6 patch.

diff --git a/src/ACL.h b/src/ACL.h
index 42d44abcfad67e86d883099a6e63585749472465..f9bbcae4d9d8212d59bdfe30d185d532a7aff7e2 100644 (file)
--- a/src/ACL.h
+++ b/src/ACL.h
@@ -1,6 +1,6 @@
 
 /*
- * $Id: ACL.h,v 1.17 2006/08/21 00:50:40 robertc Exp $
+ * $Id: ACL.h,v 1.18 2007/01/28 15:37:46 serassio Exp $
  *
  *
  * SQUID Web Proxy Cache          http://www.squid-cache.org/
@@ -52,7 +52,7 @@ SQUIDCEXTERN void aclDestroyAclList(acl_list **);
 SQUIDCEXTERN void aclParseAccessLine(ConfigParser &parser, acl_access **);
 SQUIDCEXTERN void aclParseAclList(ConfigParser &parser, acl_list **);
 SQUIDCEXTERN int aclIsProxyAuth(const char *name);
-SQUIDCEXTERN err_type aclGetDenyInfoPage(acl_deny_info_list ** head, const char *name);
+SQUIDCEXTERN err_type aclGetDenyInfoPage(acl_deny_info_list ** head, const char *name, int redirect_allowed);
 
 SQUIDCEXTERN void aclParseDenyInfoLine(struct _acl_deny_info_list **);
 

diff --git a/src/acl_noncore.cc b/src/acl_noncore.cc
index 5bee2d37dd53ebb3c69ee5b817cb81a74bfa4185..e455b89881a2d8da87923d74c70a3eb35fa1a91d 100644 (file)
--- a/src/acl_noncore.cc
+++ b/src/acl_noncore.cc
@@ -1,5 +1,5 @@
 /*
- * $Id: acl_noncore.cc,v 1.3 2006/08/21 00:50:41 robertc Exp $
+ * $Id: acl_noncore.cc,v 1.4 2007/01/28 15:37:46 serassio Exp $
  *
  * DEBUG: section 28    Access Control
  * AUTHOR: Duane Wessels
@@ -48,39 +48,29 @@
 
 /* does name lookup, returns page_id */
 err_type
-aclGetDenyInfoPage(acl_deny_info_list ** head, const char *name)
+aclGetDenyInfoPage(acl_deny_info_list ** head, const char *name, int redirect_allowed)
 {
     acl_deny_info_list *A = NULL;
-    acl_name_list *L = NULL;
 
     debug(28,9)("aclGetDenyInfoPage: got called for %s\n",name);
 
-    A = *head;
-
-    if (NULL == *head) {               /* empty list */
-        debug(28,9)("aclGetDenyInfoPage: called for an empty list\n");
-        return ERR_NONE;
-    }
 
-    while (A) {
-        L = A->acl_list;
+    for (A = *head; A; A = A->next) {
+        acl_name_list *L = NULL;
 
-        if (NULL == L) {               /* empty list should never happen, but in case */
+        if (!redirect_allowed && strchr(A->err_page_name, ':')) {
             debug(28,3)("aclGetDenyInfoPage: "
                         "WARNING, unexpected codepath taken\n");
             continue;
         }
 
-        while (L) {
+        for (L = A->acl_list; L; L = L->next) {
             if (!strcmp(name, L->name)) {
                 debug(28,8)("aclGetDenyInfoPage: match on %s\n",name);
                 return A->err_page_id;
             }
 
-            L = L->next;
         }
-
-        A = A->next;
     }
 
     debug(28,8)("aclGetDenyInfoPage: no match\n");

diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc
index b1acc33fa7d6aa9e5233b8f438fd39fbe7084731..d35bd6c1e20be1c9f104dbb58279fec31cb6983e 100644 (file)
--- a/src/client_side_reply.cc
+++ b/src/client_side_reply.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: client_side_reply.cc,v 1.114 2006/10/02 11:35:39 adrian Exp $
+ * $Id: client_side_reply.cc,v 1.115 2007/01/28 15:37:46 serassio Exp $
  *
  * DEBUG: section 88    Client-side Reply Routines
  * AUTHOR: Robert Collins (Originally Duane Wessels in client_side.c)
@@ -1791,7 +1791,7 @@ clientReplyContext::processReplyAccessResult(bool accessAllowed)
          *  upstream at this point. */
         ErrorState *err;
         err_type page_id;
-        page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName);
+        page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, 1);
 
         if (page_id == ERR_NONE)
             page_id = ERR_ACCESS_DENIED;

diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index b4e388e16763e141514a569904afdac1724a11af..a21adfe71f4aaedbfdbc3450cc75b56dc9b4b170 100644 (file)
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: client_side_request.cc,v 1.77 2006/10/31 23:30:57 wessels Exp $
+ * $Id: client_side_request.cc,v 1.78 2007/01/28 15:37:46 serassio Exp $
  * 
  * DEBUG: section 85    Client-side Request Routines
  * AUTHOR: Robert Collins (Originally Duane Wessels in client_side.c)
@@ -251,7 +251,9 @@ ClientHttpRequest::~ClientHttpRequest()
      * - storeReleaseRequest was always called if entry was valid 
      */
     assert(logType < LOG_TYPE_MAX);
+
     logRequest();
+
     loggingEntry(NULL);
 
     if (request)
@@ -260,14 +262,18 @@ ClientHttpRequest::~ClientHttpRequest()
     freeResources();
 
 #if ICAP_CLIENT
+
     if (icap)
         delete icap;
+
 #endif
+
     if (calloutContext)
         delete calloutContext;
 
     /* moving to the next connection is handled by the context free */
     dlinkDelete(&active, &ClientActiveRequests);
+
     PROF_stop(httpRequestFree);
 }
 
@@ -418,21 +424,26 @@ ClientRequestContext::clientAccessCheckDone(int answer)
 
     if (answer != ACCESS_ALLOWED) {
         /* Send an error */
+        int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName));
         debug(85, 5) ("Access Denied: %s\n", http->uri);
         debug(85, 5) ("AclMatchedName = %s\n",
                       AclMatchedName ? AclMatchedName : "<null>");
-        debug(85, 5) ("Proxy Auth Message = %s\n",
-                      proxy_auth_msg ? proxy_auth_msg : "<null>");
+
+        if (require_auth)
+            debug(33, 5) ("Proxy Auth Message = %s\n",
+                          proxy_auth_msg ? proxy_auth_msg : "<null>");
+
         /*
          * NOTE: get page_id here, based on AclMatchedName because if
          * USE_DELAY_POOLS is enabled, then AclMatchedName gets clobbered in
          * the clientCreateStoreEntry() call just below.  Pedro Ribeiro
          * <pribeiro@isel.pt>
          */
-        page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName);
+        page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH);
+
         http->logType = LOG_TCP_DENIED;
 
-        if (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) {
+        if (require_auth) {
             if (!http->flags.accel) {
                 /* Proxy authorisation needed */
                 status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
@@ -526,6 +537,7 @@ ClientRequestContext::icapAclCheckDone(ICAPServiceRep::Pointer service)
      * to the user, or keep going without ICAP.
      */
     fatal("Fix this case in ClientRequestContext::icapAclCheckDone()");
+
     // And when fixed, check whether the service is down in doIcap and
     // if it is, abort early, without creating ICAPClientReqmodPrecache.
     // See Server::startIcap() and its use.

diff --git a/src/forward.cc b/src/forward.cc
index a8b31ce5bdc34d99d355e4a983363a364e425c6f..701cdfc8109f91067c447ab5a4bfeb762ef70eab 100644 (file)
--- a/src/forward.cc
+++ b/src/forward.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: forward.cc,v 1.151 2006/09/13 15:54:21 adrian Exp $
+ * $Id: forward.cc,v 1.152 2007/01/28 15:37:46 serassio Exp $
  *
  * DEBUG: section 17    Request Forwarding
  * AUTHOR: Duane Wessels
@@ -199,7 +199,7 @@ FwdState::fwdStart(int client_fd, StoreEntry *entry, HttpRequest *request)
 
         if (answer == 0) {
             err_type page_id;
-            page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName);
+            page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, 1);
 
             if (page_id == ERR_NONE)
                 page_id = ERR_FORWARDING_DENIED;