From: Alex Rousskov Date: Mon, 27 Jul 2009 01:41:02 +0000 (-0600) Subject: Bug 2723 fix: enable PURGE requests if PURGE method ACL is present. X-Git-Tag: SQUID_3_2_0_1~836 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5491c11eb8d9454414cad9fe87ab064ab60cc74d;p=thirdparty%2Fsquid.git Bug 2723 fix: enable PURGE requests if PURGE method ACL is present. PURGE requests were always denied, probably since 2009-06-28 (r9772) changes. PURGE was denied because Config2.onoff.enable_purge changes done in ACLMethodData::parse() are lost when Squid memsets Config2 to zero before interpreting the changes. Config2 is meant for storing values _derived_ from the primary configuration phase so it is reset after that phase is over. This patch solves the above problem by storing ACLMethodData::parse() changes in an ACLMethodData static member. The member is reset before [re]configuration. There is probably another problem with r9772 (or earlier) changes. Special PURGE method processing is enabled whenever a PURGE ACL is detected in the Squid configuration file, even if the ACL is unused or used in an http_access option that does not match. This is specifically what r4363 tried to avoid in year 2000: users complain that defining an ACL that is never used in an access list shouldn't trip this flag. The patch does not solve this other problem. The right solution may be adding a dedicated "purge" option that will have an ACL that controls what PURGE requests, if any, are allowed to purge. That option would be in addition to any http_access controls. --- diff --git a/src/acl/MethodData.cc b/src/acl/MethodData.cc index ad6cf3c903..589056adbe 100644 --- a/src/acl/MethodData.cc +++ b/src/acl/MethodData.cc @@ -40,6 +40,8 @@ #include "HttpRequestMethod.h" #include "wordlist.h" +int ACLMethodData::ThePurgeCount = 0; + ACLMethodData::ACLMethodData() : values (NULL) {} @@ -89,10 +91,8 @@ ACLMethodData::parse() for (Tail = &values; *Tail; Tail = &((*Tail)->next)); while ((t = strtokFile())) { - if(strcmp(t, "PURGE") == 0) { - // we need to use PURGE, can't just blanket-deny it. - Config2.onoff.enable_purge = 1; - } + if(strcmp(t, "PURGE") == 0) + ++ThePurgeCount; // configuration code wants to know CbDataList *q = new CbDataList (HttpRequestMethod(t, NULL)); *(Tail) = q; Tail = &q->next; diff --git a/src/acl/MethodData.h b/src/acl/MethodData.h index 062efc8154..f94f936e4c 100644 --- a/src/acl/MethodData.h +++ b/src/acl/MethodData.h @@ -57,6 +57,8 @@ public: virtual ACLData *clone() const; CbDataList *values; + + static int ThePurgeCount; ///< PURGE methods seen by parse() }; MEMPROXY_CLASS_INLINE(ACLMethodData); diff --git a/src/cache_cf.cc b/src/cache_cf.cc index 51b01dce3e..a8b3cb72b6 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc @@ -42,6 +42,7 @@ #include "SwapDir.h" #include "ConfigParser.h" #include "acl/Acl.h" +#include "acl/MethodData.h" #include "acl/Gadgets.h" #include "StoreFileSystem.h" #include "Parsing.h" @@ -389,6 +390,7 @@ parseConfigFile(const char *file_name) configFreeMemory(); + ACLMethodData::ThePurgeCount = 0; default_all(); err_count = parseOneConfigFile(file_name, 0); @@ -621,10 +623,9 @@ configDoConfigure(void) #endif - // we have reconfigured and in the process disabled any need for PURGE. - // turn it off now. - if(Config2.onoff.enable_purge == 2) - Config2.onoff.enable_purge = 0; + // we enable runtime PURGE checks if there is at least one PURGE method ACL + // TODO: replace with a dedicated "purge" ACL option? + Config2.onoff.enable_purge = ACLMethodData::ThePurgeCount > 0; Config2.onoff.mangle_request_headers = httpReqHdrManglersConfigured();