From: Amos Jeffries Date: Mon, 9 Feb 2009 05:33:18 +0000 (+1300) Subject: Bug 419: Hop by Hop headers MUST NOT be forwarded (attempt 2) X-Git-Tag: SQUID_3_2_0_1~1202 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e1ea7456858b217f68677a53c81d56c64fdb2b3a;p=thirdparty%2Fsquid.git Bug 419: Hop by Hop headers MUST NOT be forwarded (attempt 2) This attempt builds on Henriks re-work of the client-request to server-request cloning done since the last attempt was made at closing this bug. Adds all RFC 2616 listed Hop-by-hop headers to the clone selection test as 'ignore' cases unless otherwise handled already. The test for whether they exist in Connection: is moved to the default case as an inline. Which reduces the code a fair bit and prevents the side case where a specially handled header gets ignored because the client explicitly added it to Connection: when it did not have to. This method sets up a background default of not passing the hop-by-hop headers while allowing any code which explicitly sets or copies the headers across to operate as before without interference. --- e1ea7456858b217f68677a53c81d56c64fdb2b3a diff --cc src/HttpRequest.cc index 399659f2a0,f74dd0c453..c575684a47 --- a/src/HttpRequest.cc +++ b/src/HttpRequest.cc @@@ -326,22 -326,24 +326,6 @@@ HttpRequest::prefixLen( header.len + 2; } -#if DEAD_CODE // 2009-01-20: inlined this with its ONLY caller (copyOneHeader...) --/** -- * Returns true if HTTP allows us to pass this header on. Does not -- * check anonymizer (aka header_access) configuration. 
-- */ --int --httpRequestHdrAllowed(const HttpHeaderEntry * e, String * strConn) --{ -- assert(e); -- /* check connection header */ -- - if (strConn && strListIsMember(strConn, e->name.termedBuf(), ',')) - if (strConn && strListIsMember(strConn, e->name.buf(), ',')) -- return 0; -- -- return 1; --} -#endif -- /* sync this routine when you update HttpRequest struct */ void HttpRequest::hdrCacheInit() diff --cc src/HttpRequest.h index 455bd74c8b,86c67a6f86..402450ab89 --- a/src/HttpRequest.h +++ b/src/HttpRequest.h @@@ -40,8 -40,8 +40,7 @@@ #include "HttpRequestMethod.h" /* Http Request */ --extern int httpRequestHdrAllowed(const HttpHeaderEntry * e, String * strConnection); --extern int httpRequestHdrAllowedByName(http_hdr_type id); ++//DEAD?: extern int httpRequestHdrAllowedByName(http_hdr_type id); extern void httpRequestPack(void *obj, Packer *p); diff --cc src/http.cc index d2224092f2,5f38fd6c1f..84ebc47b3e --- a/src/http.cc +++ b/src/http.cc @@@ -1655,20 -1647,22 +1655,22 @@@ HttpStateData::httpBuildRequestHeader(H strConnection.clean(); } + /** + * Decides whether a particular header may be cloned from the received Clients request + * to our outgoing fetch request. 
+ */ void - copyOneHeaderFromClientsideRequestToUpstreamRequest(const HttpHeaderEntry *e, String strConnection, HttpRequest * request, HttpRequest * orig_request, HttpHeader * hdr_out, int we_do_ranges, http_state_flags flags) + copyOneHeaderFromClientsideRequestToUpstreamRequest(const HttpHeaderEntry *e, const String strConnection, HttpRequest * request, const HttpRequest * orig_request, HttpHeader * hdr_out, const int we_do_ranges, const http_state_flags flags) { - debugs(11, 5, "httpBuildRequestHeader: " << e->name.buf() << ": " << e->value.buf()); + debugs(11, 5, "httpBuildRequestHeader: " << e->name << ": " << e->value ); - if (!httpRequestHdrAllowed(e, &strConnection)) { - debugs(11, 2, "'" << e->name << "' header denied by anonymize_headers configuration"); - return; - } - switch (e->id) { + /** \title RFC 2616 sect 13.5.1 - Hop-by-Hop headers which Squid should not pass on. */ + case HDR_PROXY_AUTHORIZATION: - /* Only pass on proxy authentication to peers for which + /** \par Proxy-Authorization: + * Only pass on proxy authentication to peers for which * authentication forwarding is explicitly enabled */ @@@ -1778,7 -1796,15 +1804,15 @@@ break; default: - /* pass on all other header fields */ + /** \par default. + * pass on all other header fields + * which are NOT listed by the special Connection: header. */ + + if (strConnection.size()>0 && strListIsMember(&strConnection, e->name.buf(), ',')) { - debugs(11, 2, "'" << e->name.buf() << "' header cropped by Connection: definition"); ++ debugs(11, 2, "'" << e->name << "' header cropped by Connection: definition"); + return; + } + hdr_out->addEntry(e->clone()); } }
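Review bot: In the new signature of copyOneHeaderFromClientsideRequestToUpstreamRequest, `const String strConnection` is still taken by value, so the Connection: list is copied for every header entry; `const String &strConnection` would avoid that, provided the declaration elsewhere is updated to match. The top-level `const` on the by-value `we_do_ranges` and `flags` parameters only affects the function body, not callers. The new Doxygen block could also record the rule the function now enforces, for example `Headers named in the client's Connection: header are dropped in the default case only; explicitly handled headers follow their own case.` The function body continues past this hunk.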
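Review bot: With the pre-switch `httpRequestHdrAllowed()` test removed in the earlier hunk, the membership check added under `default:` is the only place a header nominated in the client's Connection: list is dropped, so any explicit `case` that forwards its entry now does so even when the client listed that header as hop-by-hop. The cases between the two hunks are not visible here, so each should be confirmed to either drop the header or rebuild it from Squid's own state. The check also passes `e->name.buf()`, whereas the removed helper on one merge parent used `e->name.termedBuf()`; if `buf()` is not guaranteed NUL-terminated on this branch, `strListIsMember(&strConnection, e->name.termedBuf(), ',')` would be the safer spelling. Header field names are case-insensitive, so it is also worth confirming that strListIsMember compares that way.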