From: Alex Rousskov <rousskov@measurement-factory.com>
Date: Wed, 5 Jun 2013 13:00:09 +0000 (-0600)
Subject: Bug 3717: assertion failed with dstdom_regex with IP based URL
X-Git-Tag: SQUID_3_3_6~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2935fea374a841eca08e8d6ca492dd8e4bedfd0c;p=thirdparty%2Fsquid.git

Bug 3717: assertion failed with dstdom_regex with IP based URL

A combination of ACL negation and async lookup leads to
Checklist.cc:287:"!needsAsync && !matchFinished" assertions.

The lower-level ACL code says "not a match because I need an async lookup" but
the negation-handling code in ACL::matches() ignores the "need an async
lookup" part and converts "not a match" into a "match". This patch prevents
that conversion, while allowing Checklist code to decide what to do with
an async lookup (depending on whether the directive being checked supports
slow ACLs).

Note that this change prevents admins from negating async lookups in
directives that do not support them: both "!foo" and "foo" will probably not
match in those directives if ACL foo needs an async lookup.
---

diff --git a/src/acl/Acl.cc b/src/acl/Acl.cc
index 5043159ef8..42944a68c6 100644
--- a/src/acl/Acl.cc
+++ b/src/acl/Acl.cc
@@ -335,13 +335,24 @@ ACLList::matches (ACLChecklist *checklist) const
     AclMatchedName = _acl->name;
     debugs(28, 3, "ACLList::matches: checking " << (op ? null_string : "!") << _acl->name);
 
-    if (_acl->checklistMatches(checklist) != op) {
-        debugs(28, 4, "ACLList::matches: result is false");
-        return false;
+    bool result = false;
+    if (_acl->checklistMatches(checklist) == 1) {
+        debugs(28, 5, _acl->name << " matched" << (op ? "." : ", negating."));
+        result = (op != 0);
+    } else if (checklist->finished()) {
+        debugs(28, 5, _acl->name << " failed.");
+        result = false;
+    } else if (checklist->asyncNeeded()) {
+        debugs(28, 5, _acl->name << " needs async lookup");
+        result = false;
+    } else {
+        debugs(28, 5, _acl->name << " mismatched" << (op ? "." : ", negating."));
+        result = (op == 0);
     }
 
-    debugs(28, 4, "ACLList::matches: result is true");
-    return true;
+   debugs(28, 4, (op ? null_string : "!") << _acl->name << " result is " <<
+          (result ? "true" : "false"));
+   return result;
 }
 
 /*********************/