basic_smb_auth.sh delivers the credentials via environment in
a form "$USER%$PASSWORD", which is not expected from smbclient. This seems to
result from an obsolete or inferior documentation of smbclient. While it is
perfectly valid to deliver the credentials in this form via the command-line
parameter -U, for example in
Jeff Licquia [Fri, 31 Jul 2015 06:22:11 +0000 (23:22 -0700)]
basic_smb_auth: doesn't handle passwords with backslashes
From: Jeff Licquia <jlicquia@scinet.springfieldclinic.com>
Subject: squid: SMB auth proxy has problems with some passwords
Date: Tue, 18 Jul 2000 12:45:01 -0500 (CDT)
The SMB authenticator doesn't handle passwords with backslashes in them
correctly. The fix appears to be easy; just put a -r in the "read SMBPASS"
line in smb_auth.sh.
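The effect of the missing -r, as an added example (not code from the Squid helper or from the bug report): a constructed "user password" line is parsed both ways, showing that plain read strips the backslashes before the password is ever checked.

```sh
#!/bin/sh
# Added example, not part of smb_auth.sh: why an authenticator that reads a
# credential line from stdin must use "read -r".

# Constructed sample line in the helper's "user password" input format, with
# backslashes inside the password.
SAMPLE_LINE='jdoe corp\pass\word'

# Parses the line the way the original script did (plain "read").
# Backslash is treated as an escape character and is removed from the result,
# so the password handed to the SMB lookup no longer matches the real one.
parse_password_unsafe() {
    printf '%s\n' "$1" | {
        # shellcheck disable=SC2162
        read user pass
        printf '%s' "$pass"
    }
}

# Parses the line with "read -r", as the fix suggests: backslashes are kept
# verbatim and the password reaches the lookup unchanged.
parse_password_raw() {
    printf '%s\n' "$1" | {
        read -r user pass
        printf '%s' "$pass"
    }
}

printf 'without -r: %s\n' "$(parse_password_unsafe "$SAMPLE_LINE")"
printf 'with    -r: %s\n' "$(parse_password_raw "$SAMPLE_LINE")"
```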
John M Cooper [Fri, 31 Jul 2015 06:16:51 +0000 (23:16 -0700)]
basic_smb_auth: nmblookup fails when smb.conf contains WINS servers
From: John M Cooper
To: Debian Bug Tracking System
Subject: squid: smb_auth does not work with a wins server defined in smb.conf
Date: 28 Jan 2002 17:46:13 +0000
If you define a wins server in the file /etc/samba/smb.conf then the
smb_auth script gets the wrong Domain Controller IP address.
There should be a change to smb_auth.sh at line 50.
Basically, adding in the extra "\..+" stops the number of WINS servers
from being returned from the nmblookup command.
* moves the regex pattern state storage to class RegexPattern
in base/RegexPattern.h which is MEMPROXY_CLASS pooled and
constructed with flags and pattern preset.
- for now the regcomp generated data is set separately.
* Replaces ACL storage class RegexList with a std::list
* converts refresh_pattern regex data to class RegexPattern for
its pattern and -i/+i flag details.
The squid_disk_module_candidates_* autoconf variable for disabled
disk I/O modules needs to be explicitly set to 'no' to perform the
disabling. Do this for all modules that were not doing so when module
dependencies were broken or absent.
Also, convert the IpcIo module from a hard ERROR to a soft auto-disable
when SHM support is not present.
Add temporary SBufToCstring() helper functions for SBuf transition
These functions provide safe replacements for xstrdup() and xstrncpy()
that guarantee 0-termination of the output c-string but do not have
any side effects or behaviour guarantees affecting the source SBuf
internal state.
This lack of side effects is important for the transitional period
where a lot of buffer contents will be copied out of SBuf but are
'read-only' and need to avoid overheads such as reallocating
twice (or more), which would occur if using SBuf::c_str().
Effective immediately we have a ban on using the xstr*() group of
helper functions to copy data out of SBuf::raw*() accessors. The
xstr*() and all other common system str*() functions use c-string dependent
operations internally, which on non-0-terminated SBuf internals can
result in nasty performance issues (i.e. strlen() of a 2 MB 'string').
Increasingly, code used inside squid.conf parsing is capable of throwing
exceptions to signal errors. Catch any unexpected exceptions that reach
the config parse initiator(s) and report them as a FATAL event before
self-destructing.
Alex Rousskov [Sun, 26 Jul 2015 18:26:52 +0000 (12:26 -0600)]
Fix ICAP transactions that read a lot of data
by ensuring the read buffer has space [unless it is really full].
Trunk r13995 (Parser-NG: Convert the ICAP read buffer to an SBuf)
broke ICAP transactions that read a lot of data because the new
SBuf::consume() method often does not free buffer space, unlike the
old MemBuf::consume(). Affected transactions failed with mayReadMore()
exceptions because their readBuf.spaceSize() was zero while they
needed to read more data.
Any append, parse, consume; append, parse, consume; ... user of SBuf cannot
rely on SBuf::spaceSize() to be meaningful because even consuming the
entire SBuf contents may leave spaceSize() at zero! Instead such code
has to use SBuf::length() to keep the buffer from growing too big and
SBuf::rawSpace(1) to ensure some space is available for reading when
the buffer is not too big.
Auto-enable for DiskIO modules has been done before the AM_CONDITIONALs
are defined. The checks need to test for explicit "yes" values since
disabled modules will have value "" rather than "no" or "auto" like
other components.
When parsing SMB LanManager packets with an invalid protocol ID and the
default set of Squid-supported protocols, it may access memory outside
the buffer storing protocol names.
smblib is only used by already deprecated helpers which are deprecated
due to far more significant NTLM protocol issues. It will also only
result in packets being rejected later with invalid protocol names. So
this is a minor bug rather than a vulnerability.
Support %un (any available user name) format code for external ACLs.
The same %un code, with the same meaning is already supported in access.log.
In an external ACL request, it expands to the first available user name
from the following list of information sources:
- authenticated user name, like %ul or %LOGIN
- user name supplied by an external ACL to Squid via the "user=..."
key=value pair, like %ue or %EXT_USER
- SSL client name, like %us
- ident user name, like %ui
Based on Amos Jeffries 2011 patch and "arronax28" design:
http://www.squid-cache.org/mail-archive/squid-dev/201112/0080.html
with TODO completion by Measurement Factory
Improve handling of client connections on shutdown
When Squid instances which are processing a lot of traffic, using persistent
client connections, or dealing with long duration requests are shut down,
they can exit with a lot of connections still open. The
shutdown_lifetime directive exists to allow time for existing
transactions to complete, but this is not always possible and has no
effect on idle connections.
The result is a large dump of aborted FD entries being logged as the TCP
sockets get abruptly reset, with potentially active transactions' cache
objects being "corrupted" in the process.
Makes ConnStateData and its children implement Runner API callbacks
to receive signals about Squid shutdown, which allows their close()
handlers to be run properly and make use of the AsyncCalls API. Idle client
connections are closed immediately on the startShutdown() signal, so
their closure CPU cycles happen during the shutdown grace period.
An extra 0-delay event step is added to the SignalEngine shutdown sequence,
and a new Runner registry hook 'endingShutdown' is added to signal that
the shutdown_lifetime grace period is over for closure of active
transactions. All network FD sockets should be considered unusable for
read()/write() at that point since close handlers may have already been
scheduled by other Runners. AsyncCalls may still be scheduled to
release resources.
Also adds a DeregisterRunner() API action to remove Runners dynamically
from the registered set.
* shutdown grace period ends:
- remaining client connections closed
* shutdown finishes:
- main signal and Async loop halted
- all memory freed
Server connections which are PINNED or in active use during the
endingShutdown execution will be closed cleanly as a side-effect of the
client closures. Otherwise there is no change (yet) to server connections
or other FD sockets behaviour on shutdown.
Cleanup: replace urlCanonical() with HttpRequest::effectiveRequestUri()
We have previously been using the term "canonical URL" in Squid to mean
absolute-URI, but not in all cases and may sometimes mean authority-form.
RFC 7230 introduces a new term "Effective Request URI" which directly
matches our desired usage.
* make urlCanonical() global function a method of class HttpRequest
since it depends on request method for its particular form syntax
* remove the now unnecessary canonical member and HttpRequest::SetHost()
* convert HttpRequest::storeId(), Ftp::UrlWith2f(), and ps_state::url()
to SBuf usage to avoid performance regressions in their use.
* replace many uses of xstrdup() with xstrndup() for performance where
the copy cannot be avoided entirely.
* avoid using urlParse() to do a simple URL data-copy in ICAP handling
* update stub_HttpRequest.cc to match full class HttpRequest API
Bounds limiting was restricting configuration to <1.2 since those are
the currently available TLS versions. But 1.3 is upcoming and may be
used within the lifetime of this Squid version.