From d94cbaa8133459501d384c03f2fdc266704a4b34 Mon Sep 17 00:00:00 2001
From: Amos Jeffries <squid3@treenet.co.nz>
Date: Wed, 11 Feb 2015 18:24:06 -0800
Subject: [PATCH] HTTP/1.1: Remove refresh_pattern ignore-auth violation

The original intent for this option was to improve caching. However
HTTP/1.1 permits caching of authenticated messages under conditions
which Squid does check for and obey already.

The legacy popularity of this option from old Squid without the HTTP/1.1
compliant behaviour is now just forming a security and privacy abuse.
---
 doc/release-notes/release-3.6.sgml |  4 ++++
 src/RefreshPattern.h               |  1 -
 src/cache_cf.cc                    | 21 +--------------------
 src/http.cc                        |  4 ++--
 4 files changed, 7 insertions(+), 23 deletions(-)

diff --git a/doc/release-notes/release-3.6.sgml b/doc/release-notes/release-3.6.sgml
index 3d61567530..3399e30b90 100644
--- a/doc/release-notes/release-3.6.sgml
+++ b/doc/release-notes/release-3.6.sgml
@@ -154,6 +154,10 @@ This section gives a thorough account of those changes in three categories:
 <sect1>Removed tags<label id="removedtags">
 <p>
 <descrip>
+	<tag>refresh_pattern</tag>
+	<p>Option <em>ignore-auth</em> removed. Its original intent was
+	   to improve caching. HTTP/1.1 permits caching of authenticated
+	   messages under conditions which Squid does check for and obey.
 
 </descrip>
 
diff --git a/src/RefreshPattern.h b/src/RefreshPattern.h
index da2c5237c6..31cc5c739f 100644
--- a/src/RefreshPattern.h
+++ b/src/RefreshPattern.h
@@ -34,7 +34,6 @@ public:
         bool ignore_no_store;
         bool ignore_must_revalidate;
         bool ignore_private;
-        bool ignore_auth;
 #endif
     } flags;
     int max_stale;
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 1b2cb52364..d38c87e94b 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -799,16 +799,6 @@ configDoConfigure(void)
 
             break;
         }
-
-        for (R = Config.Refresh; R; R = R->next) {
-            if (!R->flags.ignore_auth)
-                continue;
-
-            debugs(22, DBG_IMPORTANT, "WARNING: use of 'ignore-auth' in 'refresh_pattern' violates HTTP");
-
-            break;
-        }
-
     }
 #endif
 #if !USE_HTTP_VIOLATIONS
@@ -2636,10 +2626,6 @@ dump_refreshpattern(StoreEntry * entry, const char *name, RefreshPattern * head)
 
         if (head->flags.ignore_private)
             storeAppendPrintf(entry, " ignore-private");
-
-        if (head->flags.ignore_auth)
-            storeAppendPrintf(entry, " ignore-auth");
-
 #endif
 
         storeAppendPrintf(entry, "\n");
@@ -2669,7 +2655,6 @@ parse_refreshpattern(RefreshPattern ** head)
     int ignore_no_store = 0;
     int ignore_must_revalidate = 0;
     int ignore_private = 0;
-    int ignore_auth = 0;
 #endif
 
     int i;
@@ -2751,7 +2736,7 @@ parse_refreshpattern(RefreshPattern ** head)
         else if (!strcmp(token, "ignore-private"))
             ignore_private = 1;
         else if (!strcmp(token, "ignore-auth"))
-            ignore_auth = 1;
+            debugs(22, DBG_PARSE_NOTE(2), "UPGRADE: refresh_pattern option 'ignore-auth' is obsolete. Remove it.");
         else if (!strcmp(token, "reload-into-ims")) {
             reload_into_ims = 1;
             refresh_nocache_hack = 1;
@@ -2819,10 +2804,6 @@ parse_refreshpattern(RefreshPattern ** head)
 
     if (ignore_private)
         t->flags.ignore_private = true;
-
-    if (ignore_auth)
-        t->flags.ignore_auth = true;
-
 #endif
 
     t->next = NULL;
diff --git a/src/http.cc b/src/http.cc
index 1757073d7f..e165318301 100644
--- a/src/http.cc
+++ b/src/http.cc
@@ -389,7 +389,7 @@ HttpStateData::cacheableReply()
 
     // RFC 2068, sec 14.9.4 - MUST NOT cache any response with Authentication UNLESS certain CC controls are present
     // allow HTTP violations to IGNORE those controls (ie re-block caching Auth)
-    if (request && (request->flags.auth || request->flags.authSent) && !REFRESH_OVERRIDE(ignore_auth)) {
+    if (request && (request->flags.auth || request->flags.authSent)) {
         if (!rep->cache_control) {
             debugs(22, 3, HERE << "NO because Authenticated and server reply missing Cache-Control");
             return 0;
@@ -408,7 +408,7 @@ HttpStateData::cacheableReply()
 
             // HTTPbis pt6 section 3.2: a response CC:must-revalidate is present
         } else if (rep->cache_control->mustRevalidate() && !REFRESH_OVERRIDE(ignore_must_revalidate)) {
-            debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:public");
+            debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:must-revalidate");
             mayStore = true;
 
 #if USE_HTTP_VIOLATIONS
-- 
2.47.2