From: hno <>
Date: Wed, 3 May 2000 01:55:45 +0000 (+0000)
Subject: hno squid-2.3.DEVEL2.CONNECT_miss_access.patch
X-Git-Tag: SQUID_3_0_PRE1~2020
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f1003989c8b25be4bf39faab0e6c5be58a0858b2;p=thirdparty%2Fsquid.git
hno squid-2.3.DEVEL2.CONNECT_miss_access.patch
Squid-2.3.DEVEL2: CONNECT was not under the control of miss_access
Adds miss_access control to the CONNECT method.
---
diff --git a/ChangeLog b/ChangeLog
index 13550eb2d9..63b7b91ae0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,6 +33,7 @@ Changes to Squid-2.4.DEVEL3 ():
 	  the last path component of cache_dir.
 	- no_cache is now a full ACL check without, allowing most ACL types
 	  to be used.
+	- The CONNECT method now obeys miss_access requirements
 
 Changes to Squid-2.4.DEVEL2 ():
 
diff --git a/src/ssl.cc b/src/ssl.cc
index 101bd62269..d7404c86ea 100644
--- a/src/ssl.cc
+++ b/src/ssl.cc
@@ -1,6 +1,6 @@
 /*
- * $Id: ssl.cc,v 1.103 2000/05/02 19:35:23 hno Exp $
+ * $Id: ssl.cc,v 1.104 2000/05/02 19:55:45 hno Exp $
  *
  * DEBUG: section 26 Secure Sockets Layer Proxy
  * AUTHOR: Duane Wessels
@@ -425,6 +425,31 @@ sslStart(int fd, const char *url, request_t * request, size_t * size_ptr)
     SslStateData *sslState = NULL;
     int sock;
     ErrorState *err = NULL;
+    aclCheck_t ch;
+    int answer;
+    /*
+     * client_addr == no_addr indicates this is an "internal" request
+     * from peer_digest.c, asn.c, netdb.c, etc and should always
+     * be allowed. yuck, I know.
+     */
+    if (request->client_addr.s_addr != no_addr.s_addr) {
+	/*
+	 * Check if this host is allowed to fetch MISSES from us (miss_access)
+	 */
+	memset(&ch, '\0', sizeof(aclCheck_t));
+	ch.src_addr = request->client_addr;
+	ch.my_addr = request->my_addr;
+	ch.my_port = request->my_port;
+	ch.request = request;
+	answer = aclCheckFast(Config.accessList.miss, &ch);
+	if (answer == 0) {
+	    err = errorCon(ERR_FORWARDING_DENIED, HTTP_FORBIDDEN);
+	    err->request = requestLink(request);
+	    err->src_addr = request->client_addr;
+	    errorSend(fd, err);
+	    return;
+	}
+    }
     debug(26, 3) ("sslStart: '%s %s'\n",
 	RequestMethodStr[request->method], url);
     Counter.server.all.requests++;
diff --git a/src/tunnel.cc b/src/tunnel.cc
index 111352f23f..e79b5270c3 100644
--- a/src/tunnel.cc
+++ b/src/tunnel.cc
@@ -1,6 +1,6 @@
 /*
- * $Id: tunnel.cc,v 1.103 2000/05/02 19:35:23 hno Exp $
+ * $Id: tunnel.cc,v 1.104 2000/05/02 19:55:45 hno Exp $
  *
  * DEBUG: section 26 Secure Sockets Layer Proxy
  * AUTHOR: Duane Wessels
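Review bot: The miss_access decision at the top of the hunk is made with aclCheckFast, which, as far as I can tell from its use here, evaluates the list synchronously and so cannot resolve the asynchronous lookups some ACL types depend on (dst-domain lookups, proxy_auth, ident); if that reading is right, a miss_access rule built on such an ACL is treated as non-matching for CONNECT and the outcome is whatever the list's no-match default is rather than what the administrator configured. If the check has to stay synchronous on this path, that limit should be stated where the call is made, e.g. `/* aclCheckFast: ACLs needing an async lookup cannot match here */`, and in the miss_access configuration documentation so operators do not assume the HTTP and CONNECT paths behave alike. The added block is also copied verbatim into the src/tunnel.cc hunk below, so a small shared helper that takes the request and the client fd and reports whether a MISS may be served would keep the two copies from drifting (and could use `sizeof ch` rather than `sizeof(aclCheck_t)`). sslStart's body continues outside the hunk.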
@@ -425,6 +425,31 @@ sslStart(int fd, const char *url, request_t * request, size_t * size_ptr)
     SslStateData *sslState = NULL;
     int sock;
     ErrorState *err = NULL;
+    aclCheck_t ch;
+    int answer;
+    /*
+     * client_addr == no_addr indicates this is an "internal" request
+     * from peer_digest.c, asn.c, netdb.c, etc and should always
+     * be allowed. yuck, I know.
+     */
+    if (request->client_addr.s_addr != no_addr.s_addr) {
+	/*
+	 * Check if this host is allowed to fetch MISSES from us (miss_access)
+	 */
+	memset(&ch, '\0', sizeof(aclCheck_t));
+	ch.src_addr = request->client_addr;
+	ch.my_addr = request->my_addr;
+	ch.my_port = request->my_port;
+	ch.request = request;
+	answer = aclCheckFast(Config.accessList.miss, &ch);
+	if (answer == 0) {
+	    err = errorCon(ERR_FORWARDING_DENIED, HTTP_FORBIDDEN);
+	    err->request = requestLink(request);
+	    err->src_addr = request->client_addr;
+	    errorSend(fd, err);
+	    return;
+	}
+    }
     debug(26, 3) ("sslStart: '%s %s'\n",
 	RequestMethodStr[request->method], url);
     Counter.server.all.requests++;