HTTP/1.1: Remove refresh_pattern ignore-auth violation

The original intent for this option was to improve caching. However
HTTP/1.1 permits caching of authenticated messages under conditions
which Squid does check for and obey already.

The legacy popularity of this option from old Squid without the HTTP/1.1
compliant behaviour is now just forming a security and privacy abuse.

diff --git a/doc/release-notes/release-3.6.sgml b/doc/release-notes/release-3.6.sgml
index 3d6156753097aea85d42597b088a2baa80e7ea46..3399e30b90ddcab20f95b87e83674c1233c52931 100644 (file)
--- a/doc/release-notes/release-3.6.sgml
+++ b/doc/release-notes/release-3.6.sgml
@@ -154,6 +154,10 @@ This section gives a thorough account of those changes in three categories:
 <sect1>Removed tags<label id="removedtags">
 <p>
 <descrip>
+       <tag>refresh_pattern</tag>
+       <p>Option <em>ignore-auth</em> removed. Its original intent was
+          to improve caching. HTTP/1.1 permits caching of authenticated
+          messages under conditions which Squid does check for and obey.
 
 </descrip>
 

diff --git a/src/RefreshPattern.h b/src/RefreshPattern.h
index da2c5237c67e69318755de88a2baa83ef548db60..31cc5c739f50d614c3c12973913c43dd302c5ab4 100644 (file)
--- a/src/RefreshPattern.h
+++ b/src/RefreshPattern.h
@@ -34,7 +34,6 @@ public:
         bool ignore_no_store;
         bool ignore_must_revalidate;
         bool ignore_private;
-        bool ignore_auth;
 #endif
     } flags;
     int max_stale;

diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 1b2cb523648827c24862939fac2d9bd24d0653d4..d38c87e94bbd255fb8f896c4b58600709fdf2941 100644 (file)
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -799,16 +799,6 @@ configDoConfigure(void)
 
             break;
         }
-
-        for (R = Config.Refresh; R; R = R->next) {
-            if (!R->flags.ignore_auth)
-                continue;
-
-            debugs(22, DBG_IMPORTANT, "WARNING: use of 'ignore-auth' in 'refresh_pattern' violates HTTP");
-
-            break;
-        }
-
     }
 #endif
 #if !USE_HTTP_VIOLATIONS
@@ -2636,10 +2626,6 @@ dump_refreshpattern(StoreEntry * entry, const char *name, RefreshPattern * head)
 
         if (head->flags.ignore_private)
             storeAppendPrintf(entry, " ignore-private");
-
-        if (head->flags.ignore_auth)
-            storeAppendPrintf(entry, " ignore-auth");
-
 #endif
 
         storeAppendPrintf(entry, "\n");
@@ -2669,7 +2655,6 @@ parse_refreshpattern(RefreshPattern ** head)
     int ignore_no_store = 0;
     int ignore_must_revalidate = 0;
     int ignore_private = 0;
-    int ignore_auth = 0;
 #endif
 
     int i;
@@ -2751,7 +2736,7 @@ parse_refreshpattern(RefreshPattern ** head)
         else if (!strcmp(token, "ignore-private"))
             ignore_private = 1;
         else if (!strcmp(token, "ignore-auth"))
-            ignore_auth = 1;
+            debugs(22, DBG_PARSE_NOTE(2), "UPGRADE: refresh_pattern option 'ignore-auth' is obsolete. Remove it.");
         else if (!strcmp(token, "reload-into-ims")) {
             reload_into_ims = 1;
             refresh_nocache_hack = 1;
@@ -2819,10 +2804,6 @@ parse_refreshpattern(RefreshPattern ** head)
 
     if (ignore_private)
         t->flags.ignore_private = true;
-
-    if (ignore_auth)
-        t->flags.ignore_auth = true;
-
 #endif
 
     t->next = NULL;

diff --git a/src/http.cc b/src/http.cc
index 1757073d7f9faf47f88f068b85033a60c9a332fd..e165318301070f354e0b005a9ec482e31d9d2776 100644 (file)
--- a/src/http.cc
+++ b/src/http.cc
@@ -389,7 +389,7 @@ HttpStateData::cacheableReply()
 
     // RFC 2068, sec 14.9.4 - MUST NOT cache any response with Authentication UNLESS certain CC controls are present
     // allow HTTP violations to IGNORE those controls (ie re-block caching Auth)
-    if (request && (request->flags.auth || request->flags.authSent) && !REFRESH_OVERRIDE(ignore_auth)) {
+    if (request && (request->flags.auth || request->flags.authSent)) {
         if (!rep->cache_control) {
             debugs(22, 3, HERE << "NO because Authenticated and server reply missing Cache-Control");
             return 0;
@@ -408,7 +408,7 @@ HttpStateData::cacheableReply()
 
             // HTTPbis pt6 section 3.2: a response CC:must-revalidate is present
         } else if (rep->cache_control->mustRevalidate() && !REFRESH_OVERRIDE(ignore_must_revalidate)) {
-            debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:public");
+            debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:must-revalidate");
             mayStore = true;
 
 #if USE_HTTP_VIOLATIONS