Fixed bypass of SSL certificate validation errors.

The bypass code was calling ACLChecklist::fastCheck() multiple times
if multiple certificate errors were found. That method should not be
called multiple times because it changes the internal ACLChecklist
state, producing wrong answers for repeated calls.

This patch fixes the ACLChecklist::fastCheck() method so it can be called
multiple times. Each fastCheck() call results in an independent access
list check.

This is a Measurement Factory project

diff --git a/src/acl/Checklist.cc b/src/acl/Checklist.cc
index 17a203c066674367f37d289753f71f60e34cf9b5..99310c2d75e748fb7c5b37a854be241d2ff30cc5 100644 (file)
--- a/src/acl/Checklist.cc
+++ b/src/acl/Checklist.cc
@@ -340,26 +340,20 @@ ACLChecklist::fastCheck()
     PROF_start(aclCheckFast);
     currentAnswer(ACCESS_DENIED);
     debugs(28, 5, "aclCheckFast: list: " << accessList);
-
-    while (accessList) {
-        preCheck();
-        matchAclListFast(accessList->aclList);
-
-        if (finished()) {
+    const acl_access *acl = cbdataReference(accessList);
+    while (acl != NULL && cbdataReferenceValid(acl)) {
+        currentAnswer(acl->allow);
+        if (matchAclListFast(acl->aclList)) {
             PROF_stop(aclCheckFast);
-            cbdataReferenceDone(accessList);
+            cbdataReferenceDone(acl);
             return currentAnswer() == ACCESS_ALLOWED;
         }
 
         /*
          * Reference the next access entry
          */
-        const acl_access *A = accessList;
-
-        assert (A);
-
-        accessList = cbdataReference(A->next);
-
+        const acl_access *A = acl;
+        acl = cbdataReference(acl->next);
         cbdataReferenceDone(A);
     }
 

diff --git a/src/acl/Checklist.h b/src/acl/Checklist.h
index 433569eddad0c9a6562b106dab9b1fb7db26ed50..8b5702b5113d92675e8c4633a28133c810c321b0 100644 (file)
--- a/src/acl/Checklist.h
+++ b/src/acl/Checklist.h
@@ -102,7 +102,7 @@ public:
      * This means any proxy_auth, external_acl, DNS lookups, Ident lookups etc
      * which have not already been performed and cached will not be checked.
      *
-     * If there is no access list to check the default is to return DENIED.
+     * If there is no access list to check the default is to return ALLOWED.
      * However callers should perform their own check and default based on local
      * knowledge of the ACL usage rather than depend on this default.
      * That will also save on work setting up ACLChecklist fields for a no-op.