From 14e563cbdfeb60fa8c164ea8bcdd5e0a4474fc16 Mon Sep 17 00:00:00 2001
From: Amos Jeffries <squid3@treenet.co.nz>
Date: Fri, 25 Feb 2011 02:52:27 +1300
Subject: [PATCH] Display correct information on dstdomain clashes

Abort with an error when a wildcard entry is going to be
discarded because of a sub-domain entry.
Also whenever there is a mixup between a domain and its
sub-domain wildcard alternative.

Rais a non-fatal warning when a useless subdomain entry
is being discarded and its super-set wildcard kept.

Care is taken to present the singular subdomain for
possible removal and keep the wildcard.
---
 src/acl/DomainData.cc | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/src/acl/DomainData.cc b/src/acl/DomainData.cc
index 386ac467c3..411bc44079 100644
--- a/src/acl/DomainData.cc
+++ b/src/acl/DomainData.cc
@@ -95,13 +95,20 @@ aclDomainCompare(T const &a, T const &b)
         char *const d3 = d2;
         char *const d4 = d1;
         ret = aclHostDomainCompare(d3, d4);
-    }
-
-    /* FIXME this warning may display d1 and d2 when it should display d3 and d4 */
-    if (ret == 0) {
-        debugs(28, 0, "WARNING: '" << d1 << "' is a subdomain of '" << d2 << "'");
-        debugs(28, 0, "WARNING: because of this '" << (char *) a << "' is ignored to keep splay tree searching predictable");
-        debugs(28, 0, "WARNING: You should probably remove '" << d1 << "' from the ACL named '" << AclMatchedName << "'");
+        if (ret == 0) {
+            // When a.example.com comes after .example.com in an ACL
+            // sub-domain is ignored. That is okay. Just important
+            debugs(28, DBG_IMPORTANT, "WARNING: '" << d3 << "' is a subdomain of '" << d4 << "'");
+            debugs(28, DBG_IMPORTANT, "WARNING: because of this '" << d3 << "' is ignored to keep splay tree searching predictable");
+            debugs(28, DBG_IMPORTANT, "WARNING: You should remove '" << (*d3=='.'?d4:d3) << "' from the ACL named '" << AclMatchedName << "'");
+        }
+    } else if (ret == 0) {
+        // When a.example.com comes before .example.com in an ACL
+        // discarding the wildcard is critically bad.
+        debugs(28, DBG_CRITICAL, "ERROR: '" << d1 << "' is a subdomain of '" << d2 << "'");
+        debugs(28, DBG_CRITICAL, "ERROR: because of this '" << d2 << "' is ignored to keep splay tree searching predictable");
+        debugs(28, DBG_CRITICAL, "ERROR: You should remove '" << (*d1=='.'?d2:d1) << "' from the ACL named '" << AclMatchedName << "'");
+        self_destruct();
     }
 
     return ret;
-- 
2.39.5