From: Matthias Fischer Date: Sun, 26 Feb 2017 20:21:30 +0000 (+0100) Subject: squid 3.5.24: latest patch (14143) X-Git-Tag: v2.19-core110^2~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=39e71549764d91324cfc5b43e824ff0080bf8f02;p=people%2Fstevee%2Fipfire-2.x.git squid 3.5.24: latest patch (14143) Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer --- diff --git a/lfs/squid b/lfs/squid index 6d557517ce..8ac878cd0b 100644 --- a/lfs/squid +++ b/lfs/squid @@ -71,6 +71,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14142.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14143.patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.24-fix-max-file-descriptors.patch cd $(DIR_APP) && autoreconf -vfi diff --git a/src/patches/squid/squid-3.5-14143.patch b/src/patches/squid/squid-3.5-14143.patch new file mode 100644 index 0000000000..49b3eb8efb --- /dev/null +++ b/src/patches/squid/squid-3.5-14143.patch @@ -0,0 +1,55 @@ +------------------------------------------------------------ +revno: 14143 +revision-id: squid3@treenet.co.nz-20170225055014-j7v5xax13u4jddr9 +parent: squid3@treenet.co.nz-20170208054033-pxqn8rs4yu713ijq +author: Christos Tsantilas +committer: Amos Jeffries +branch nick: 3.5 +timestamp: Sat 2017-02-25 18:50:14 +1300 +message: + Fix regression in CONNECT authentication after rev.14142 +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20170225055014-j7v5xax13u4jddr9 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: bedc99ffdffd1e999c98c33faa830d4e9d1fc01d +# timestamp: 2017-02-25 05:51:22 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20170208054033-\ +# pxqn8rs4yu713ijq +# +# Begin patch +=== modified file 'src/client_side_request.cc' +--- src/client_side_request.cc 2017-02-08 05:40:33 +0000 ++++ src/client_side_request.cc 2017-02-25 05:50:14 +0000 +@@ -1442,6 +1442,14 @@ + return false; + } + ++ // Do not bump during authentication: clients would not proxy-authenticate ++ // if we delay a 407 response and respond with 200 OK to CONNECT. ++ if (error && error->httpStatus == Http::scProxyAuthenticationRequired) { ++ http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log - ++ debugs(85, 5, HERE << "no SslBump during proxy authentication"); ++ return false; ++ } ++ + if (error) { + debugs(85, 5, "SslBump applies. Force bump action on error " << err_type_str[(error->type >= ERR_NONE && error->type < ERR_MAX) ? error->type : ERR_NONE]); + http->sslBumpNeed(Ssl::bumpBump); +@@ -1449,14 +1457,6 @@ + return false; + } + +- // Do not bump during authentication: clients would not proxy-authenticate +- // if we delay a 407 response and respond with 200 OK to CONNECT. +- if (error && error->httpStatus == Http::scProxyAuthenticationRequired) { +- http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log - +- debugs(85, 5, HERE << "no SslBump during proxy authentication"); +- return false; +- } +- + debugs(85, 5, HERE << "SslBump possible, checking ACL"); + + ACLFilledChecklist *aclChecklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http); +