From: hno <>
Date: Thu, 30 Aug 2007 19:03:42 +0000 (+0000)
Subject: Bug #2028: FATAL error if using http_reply_access in combination with authentication
X-Git-Tag: SQUID_3_0_PRE7~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=230a8cc66d7c5f7880ccd0444041d58d5d53efa8;p=thirdparty%2Fsquid.git

Bug #2028: FATAL error if using http_reply_access in combination with authentication

The attached patch bypasses http_reply_access on access denied messages generated by this Squid, and also optimizes processing slightly in the common case of not using any http_reply_access rules at all.
---
diff --git a/src/cf.data.pre b/src/cf.data.pre
index c36acfcb53..c419da6659 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1,6 +1,6 @@
 #
-# $Id: cf.data.pre,v 1.462 2007/08/28 01:57:20 hno Exp $
+# $Id: cf.data.pre,v 1.463 2007/08/30 13:03:42 hno Exp $
 #
 # SQUID Web Proxy Cache http://www.squid-cache.org/
 # ----------------------------------------------------------
@@ -2866,7 +2866,6 @@ NAME: http_reply_access
 TYPE: acl_access
 LOC: Config.accessList.reply
 DEFAULT: none
-DEFAULT_IF_NONE: allow all
 DOC_START
 Allow replies to client requests. This is complementary to http_access.
diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc
index 162c82b686..75edfdbe0c 100644
--- a/src/client_side_reply.cc
+++ b/src/client_side_reply.cc
@@ -1,6 +1,6 @@
 /*
- * $Id: client_side_reply.cc,v 1.136 2007/08/27 21:56:58 hno Exp $
+ * $Id: client_side_reply.cc,v 1.137 2007/08/30 13:03:43 hno Exp $
 *
 * DEBUG: section 88 Client-side Reply Routines
 * AUTHOR: Robert Collins (Originally Duane Wessels in client_side.c)
@@ -1753,6 +1753,12 @@ clientReplyContext::processReplyAccess ()
 assert(reply);
 buildMaxBodySize(reply);
+ /* Dont't block our own responses or HTTP status messages */
+ if (http->logType == LOG_TCP_DENIED || alwaysAllowResponse(reply->sline.status)) {
+ processReplyAccessResult(1);
+ return;
+ }
+
 if (http->isReplyBodyTooLarge(reply->content_length)) {
 ErrorState *err = clientBuildError(ERR_TOO_BIG, HTTP_FORBIDDEN, NULL,
@@ -1765,6 +1771,12 @@ clientReplyContext::processReplyAccess ()
 }
 headers_sz = reply->hdr_sz;
+
+ if (!Config.accessList.reply) {
+ processReplyAccessResult(1);
+ return;
+ }
+
 ACLChecklist *replyChecklist;
 replyChecklist = clientAclChecklistCreate(Config.accessList.reply, http);
 replyChecklist->reply = HTTPMSGLOCK(reply);
@@ -1787,11 +1799,7 @@ clientReplyContext::processReplyAccessResult(bool accessAllowed)
 << ", because it matched '" << (AclMatchedName ? AclMatchedName : "NO ACL's") << "'" );
- if (!accessAllowed && reply->sline.status != HTTP_FORBIDDEN
- && !alwaysAllowResponse(reply->sline.status)) {
- /* the if above is slightly broken, but there is no way
- * to tell if this is a squid generated error page, or one from
- * upstream at this point. */
+ if (!accessAllowed) {
 ErrorState *err;
 err_type page_id;
 page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, 1);
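Review bot: The early return added at the top of processReplyAccess() sits above the `isReplyBodyTooLarge()` test, so a reply that matches `alwaysAllowResponse(reply->sline.status)` now skips the body-size limit as well as http_reply_access, where before this commit only the ACL denial was waived for it. The status line may come from the origin server (the comment removed from processReplyAccessResult() says a Squid-generated page and an upstream one cannot be told apart at that point), so unless skipping the size check is intended, keep only `if (http->logType == LOG_TCP_DENIED) {` here and test the status after the size check, for example `if (!Config.accessList.reply || alwaysAllowResponse(reply->sline.status)) {` in the next hunk. The new comment has a typo and does not say what is being skipped; `/* Don't apply http_reply_access to our own access-denied pages or to HTTP status messages */` would be clearer. The function starts above this hunk and continues past it.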
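Review bot: With `DEFAULT_IF_NONE: allow all` dropped from cf.data.pre, this `!Config.accessList.reply` test is the only thing that makes an unset http_reply_access mean "allow", and nothing at the test says so. A one-line comment such as `/* no http_reply_access rules configured: allow the reply */` would record that the fail-open default is deliberate, and `processReplyAccessResult(true);` matches the `bool accessAllowed` parameter better than `1` (the same applies to the call in the first hunk). Any other reader of `Config.accessList.reply`, none of which is visible in this diff, now has to tolerate a null list.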
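Review bot: The debug line kept at the top of this hunk reports `AclMatchedName` as the reason for the decision, but the two direct `processReplyAccessResult(1)` calls added in processReplyAccess() arrive here without any ACL check having run. `AclMatchedName` is not passed in, so it presumably still holds whatever an earlier check left behind, and the log would then attribute the allow to an unrelated ACL, which is misleading when access decisions are audited. Logging a fixed reason for the bypass paths, or clearing the name before those calls, would keep the message truthful. It would also help to replace the removed comment with one stating that Squid's own denials and always-allowed statuses are now filtered out in processReplyAccess() before this point. The function body begins above the hunk and continues below it.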