From a4e35bd8ffe51cda83e63faab79bda5a838c7e1a Mon Sep 17 00:00:00 2001
From: Eduard Bagdasaryan
Date: Thu, 2 Feb 2023 12:25:10 +0000
Subject: [PATCH] squidclient: Drop cache_object protocol support (#1251)

Use `http` URL scheme for `mgr:command` cache manager requests instead. Also fixed a bug: When `mgr:command` was used together with a `-w X` command-line option, squidclient sent that proxy authentication password `X` in the `cache_object` URL instead of sending the `Y` password from the `-W Y` option (or no password at all if no `-W` option was given). If no Authorization header had been sent, Squid's cachemgr_passwd honored the `-w X` password sent in the cache_object URL. If Authorization header had been sent, Squid's cachemgr_passwd honored the corresponding `-W Y` password, ignoring any password sent in the cache_object URL. Now, squidclient uses Authorization HTTP header for sending cache manager authentication credentials with `mgr:command` requests. Those credentials are taken either from the `-U` and `-W` command-line options (if `mgr:command` parameter lacks an embedded password) or from the `-U` command line option and from the `mgr:command@password` parameter (otherwise). squidclient now sends Proxy authentication credentials if and only if `-u` and `-w` command line options are given. These credentials may be required to authenticate with the proxy, but they do not affect cache manager authentication driven by the cachemgr_passwd directive. Also prohibit specifying a command-line option with a password (`-w` or `-W`) without specifying the corresponding user name (`-u` or `-U`). Prior to this change, squidclient did not send the Proxy-Authorization or Authorization header if the corresponding user name was missing but did not complain about the problem.
---
 tools/squidclient/squidclient.cc | 34 +++++++++++++++++++++++---------
 1 file changed, 25 insertions(+), 9 deletions(-)
diff --git a/tools/squidclient/squidclient.cc b/tools/squidclient/squidclient.cc
index 16838a01a8..7de2d138b1 100644
--- a/tools/squidclient/squidclient.cc
+++ b/tools/squidclient/squidclient.cc
@@ -416,6 +416,14 @@ main(int argc, char *argv[])
 break;
 }
 }
+ if (ProxyAuthorization.password && !ProxyAuthorization.user) {
+ std::cerr << "ERROR: Proxy authentication password (-w) is given, but username (-u) is missing\n";
+ exit(EXIT_FAILURE);
+ }
+ if (OriginAuthorization.password && !OriginAuthorization.user) {
+ std::cerr << "ERROR: WWW authentication password (-W) is given, but username (-U) is missing\n";
+ exit(EXIT_FAILURE);
+ }
 }
 #if _SQUID_WINDOWS_
 {
@@ -425,17 +433,20 @@ main(int argc, char *argv[])
 }
 #endif
 /* Build the HTTP request */
+ const char *pathPassword = nullptr;
 if (strncmp(url, "mgr:", 4) == 0) {
 char *t = xstrdup(url + 4);
- const char *at = nullptr;
- if (!strrchr(t, '@')) { // ignore any -w password if @ is explicit already.
- at = ProxyAuthorization.password;
+ // XXX: Bail on snprintf() failures
+ snprintf(url, sizeof(url), "http://%s:%hu/squid-internal-mgr/%s", Transport::Config.hostname, Transport::Config.port, t);
+ if (const auto at = strrchr(url, '@')) {
+ if (!OriginAuthorization.user) {
+ std::cerr << "ERROR: Embedding a password in a cache manager command requires " <<
+ "providing a username with -U: mgr:" << t << std::endl;
+ exit(EXIT_FAILURE);
+ }
+ *at = 0; // send password in Authorization header, not URL
+ pathPassword = at + 1; // the now-removed embedded @password overwrites OriginAuthorization.password further below
 }
- // embed the -w proxy password into old-style cachemgr URLs
- if (at)
- snprintf(url, sizeof(url), "cache_object://%s/%s@%s", Transport::Config.hostname, t, at);
- else
- snprintf(url, sizeof(url), "cache_object://%s/%s", Transport::Config.hostname, t);
 xfree(t);
 }
 if (put_file) {
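Review bot: The snprintf() result in the second hunk is never checked, and the `// XXX: Bail on snprintf() failures` comment marks a real gap rather than a nicety: the rebuilt URL is longer than the original `mgr:` argument by the whole `http://host:port/squid-internal-mgr/` prefix, so if `url` is a fixed-size array (as `sizeof(url)` suggests) a long command is silently truncated, and because the `@` search then runs on the truncated buffer instead of on `t`, a truncated-away `@password` turns into an unauthenticated request for a mangled command. Bail on the return value: `const auto n = snprintf(url, sizeof(url), "http://%s:%hu/squid-internal-mgr/%s", Transport::Config.hostname, Transport::Config.port, t);` followed by `if (n < 0 || static_cast<size_t>(n) >= sizeof(url)) { std::cerr << "ERROR: cache manager command is too long\n"; exit(EXIT_FAILURE); }`. Running strrchr() over `url` also picks up an `@` inside the user-supplied hostname when the command itself has none, which would then clip the URL at the host; if the hostname can contain one, locate the `@` in `t` first and map that offset into `url`. The new error message ends with `std::endl` while the two messages added in the first hunk use `"\n"`; `'\n'` would keep them consistent. main() continues outside both hunks.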
@@ -512,8 +523,13 @@ main(int argc, char *argv[])
 }
 if (ProxyAuthorization.user)
 ProxyAuthorization.commit(msg);
- if (OriginAuthorization.user)
+ if (OriginAuthorization.user) {
+ const auto savedPassword = OriginAuthorization.password;
+ if (pathPassword)
+ OriginAuthorization.password = pathPassword;
 OriginAuthorization.commit(msg);
+ OriginAuthorization.password = savedPassword; // restore the global password setting
+ }
 #if HAVE_GSSAPI
 if (www_neg) {
 if (host) {
-- 
2.39.5
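Review bot: The precedence rule applied at `if (pathPassword)` — a URL-embedded `mgr:command@password` silently replacing a `-W` password that the user also supplied — is stated only in the commit message, not at the point in the code where it takes effect. A comment on that line, `// an embedded mgr:command@password takes precedence over any -W password`, would make the contract visible to the next reader. The save/restore of the global also only runs on the normal path; if `commit()` can exit or throw (its body is outside the hunk) the override is left in place, which is harmless only as long as nothing later reads `OriginAuthorization.password`. main() continues outside the hunk.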