From b2742aebf117da24053d81dbc669faf5a18c9006 Mon Sep 17 00:00:00 2001 
From: Matthias Fischer Date: Sat, 31 Dec 2016 16:59:19 +0100 Subject: [PATCH] squidguard: Update to 1.5-beta MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Changelog: "Release 1.5 2010-09-09 Fixed inconsistent blocking (bug 59). Replaced defined routine in sgDB.c 2010-09-08 Added Russian translation from Vladimir Ipatov to squidGuard.cgi.in. 2009-10-19 Fixed two bypass problems with URLs which length is close to the limit defined by MAX_BUF. The resulting proxy line exceeds this limit and causes either squid or squidGuard to properly block a site. 2009-10-15 Fixed a problem with very long URLs. SquidGuard will go into emergency mode when a overlong URLs are encountered. The emergency mode causes an entire stop of blocking. This is not appropriate in this situation. 2009-09-30 Added patch by beber and gentoo (thank you!) to fix a problem when cross compiling (bug 56). 2009-09-27 Added patch by gentoo to fix alocal warnings (bug 57). 2009-09-15 Added a feature to send log messages to syslog based on the patch from Jun Jiang (thank you). (bug 42) In order to use syslog you have to run configure with the new option "--with-syslog". In the configuration file you need to add a line "syslog enable". If any other value but "enable" is used syslog is disabled and logging to squidGuard.log takes place as usual. The following log level are used: DEBUG, NOTICE, WARN, ERROR and EMERG. The local4 syslog facility is used by default. If you want to change this, use the configure option "--with-syslog-facility=". 2009-09-12 Anonymized passwords (for connecting to the ldap or mysql server) written to logfiles when squidGuard is starting. Added two configure options for choosing different location for the LDAP include and library files. 2009-08-25 Added patch to check IP addresses against LDAP. Patch by Denis Bonnenfant (bug 41) - thank you. 2009-08-23 Added patch to allow quoted strings in the configuration file (bug 53). 
For more information see README.QuotedStrings. Thanks to Iain Fothergill for providing the patch. Removed the fix for usernames starting with a number because it breaks the time declarations. 2009-05-08 Added patch by INL to enable blocking against DNS based blacklists (bug 55). Fixed re-opened bug 12: a problem with regular expressions. An entry like "www\.google\.de" did not block www.google.de which it was supposed to do. Solving this issue solved bug 46 as well. 2009-03-08 Fixed bug 52: Sometimes squidGuard crashes with an overflow error message for vsprintf. Thanks to Dirk Schoebel for suggesting the proper fix. Fixed bug 49: Using numeric username made squidGuard goes into emergency mode. This has been fixed. Usernames can now start with a number, be numeric and can additionally contain the following characters: @,à,é,è,ñ,á,ì,í,ò,ó,ù,ú." Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer --- lfs/squidguard | 32 +++-- .../01_squidguard-1.5-beta_db_v4_up.patch | 14 ++ ..._squidguard-1.5-beta_helper-protocol.patch | 125 ++++++++++++++++++ ...dguard-1.5-beta_remove-debug-logging.patch | 66 +++++++++ ...04_squidguard-1.5-beta_stdout-always.patch | 76 +++++++++++ ...unused_variables-noinput_and_nounput.patch | 56 ++++++++ .../squidguard/06_squidguard_version.patch | 8 ++ 7 files changed, 368 insertions(+), 9 deletions(-) create mode 100644 src/patches/squidguard/01_squidguard-1.5-beta_db_v4_up.patch create mode 100644 src/patches/squidguard/02_squidguard-1.5-beta_helper-protocol.patch create mode 100644 src/patches/squidguard/03_squidguard-1.5-beta_remove-debug-logging.patch create mode 100644 src/patches/squidguard/04_squidguard-1.5-beta_stdout-always.patch create mode 100644 src/patches/squidguard/05_squidguard-1.5-beta_fixes_htunescape-size_t-ldap_functions-unused_variables-noinput_and_nounput.patch create mode 100644 src/patches/squidguard/06_squidguard_version.patch diff --git a/lfs/squidguard b/lfs/squidguard index 38efab0ee4..5d5f04163e 100644 
--- a/lfs/squidguard +++ b/lfs/squidguard @@ -24,7 +24,7 @@ include Config -VER = 1.4.1 +VER = 1.5-beta THISAPP = squidGuard-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 9ae7b62a63631bb2dd1f474cf2bbe4dc +$(DL_FILE)_MD5 = 85216992d14acb29d6f345608f21f268 install : $(TARGET) 
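Review bot: The only integrity pin visible for the new tarball is `$(DL_FILE)_MD5`, and MD5 no longer resists collisions, so on its own it says little about whether `squidGuard-1.5-beta.tar.gz` is the file upstream published. If the lfs framework accepts a stronger digest for `$(DL_FILE)` (not visible in this hunk), record it alongside; otherwise the commit description should name the download source and how the tarball was checked. The `VER` hunk moves from the 1.4.1 release to a beta that the quoted changelog dates to 2010, which deserves a sentence of justification in the description.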
@@ -70,13 +70,27 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squidguard-1.4-squid-helper-protocol.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squidGuard-1.4-db5.patch - cd $(DIR_APP) && ./configure --prefix=/usr --datadir=/usr/share \ - --sysconfdir=/etc --localstatedir=/var --infodir=/usr/info --mandir=/usr/man \ + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squidguard/01_squidguard-1.5-beta_db_v4_up.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squidguard/02_squidguard-1.5-beta_helper-protocol.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squidguard/03_squidguard-1.5-beta_remove-debug-logging.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squidguard/04_squidguard-1.5-beta_stdout-always.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squidguard/05_squidguard-1.5-beta_fixes_htunescape-size_t-ldap_functions-unused_variables-noinput_and_nounput.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squidguard/06_squidguard_version.patch + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --datadir=/usr/share \ + --sysconfdir=/etc \ + --localstatedir=/var \ + --infodir=/usr/info \ + --mandir=/usr/man \ --with-sg-config=/var/ipfire/urlfilter/squidGuard.conf \ - --with-sg-logdir=/var/log/squidGuard --with-sg-dbhome=/var/lib/squidguard \ - --with-db=/usr --with-db-inc=/usr/include --with-db-lib=/usr/lib + --with-sg-logdir=/var/log/squidGuard \ + --with-syslog=yes \ + --with-sg-dbhome=/var/lib/squidguard \ + --with-db=/usr \ + --with-db-inc=/usr/include \ + --with-db-lib=/usr/lib + cd $(DIR_APP) && make cd $(DIR_APP) && make install 
@@ -92,7 +106,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chmod 755 /var/ipfire/urlfilter/bin/prebuild.pl cp -f $(DIR_CONF)/urlfilter/autoupdate.pl /var/ipfire/urlfilter/bin/autoupdate.pl chmod 755 /var/ipfire/urlfilter/bin/autoupdate.pl - echo "1.7.1" > /var/ipfire/urlfilter/version + echo "1.5-beta" > /var/ipfire/urlfilter/version # Wrapper cp -f $(DIR_CONF)/urlfilter/redirect_wrapper /usr/sbin diff --git a/src/patches/squidguard/01_squidguard-1.5-beta_db_v4_up.patch b/src/patches/squidguard/01_squidguard-1.5-beta_db_v4_up.patch new file mode 100644 index 0000000000..bc50efd682 --- /dev/null +++ b/src/patches/squidguard/01_squidguard-1.5-beta_db_v4_up.patch @@ -0,0 +1,14 @@ +Make BerkeleyDB version 4.7 and higher working. + +diff -Nur a/src/sgDb.c b/src/sgDb.c +--- a/src/sgDb.c 2010-09-09 12:35:22.000000000 +0200 ++++ b/src/sgDb.c 2013-11-23 10:05:55.000000000 +0100 +@@ -112,7 +112,7 @@ + } + } + #endif +-#if DB_VERSION_MAJOR == 4 ++#if DB_VERSION_MAJOR >= 4 + if(globalUpdate || createdb || (dbfile != NULL && stat(dbfile,&st))){ + flag = DB_CREATE; + if(createdb) diff --git a/src/patches/squidguard/02_squidguard-1.5-beta_helper-protocol.patch b/src/patches/squidguard/02_squidguard-1.5-beta_helper-protocol.patch new file mode 100644 index 0000000000..a2f9177f5a --- /dev/null +++ b/src/patches/squidguard/02_squidguard-1.5-beta_helper-protocol.patch 
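Review bot: `echo "1.5-beta" > /var/ipfire/urlfilter/version` replaces `1.7.1`, a value that never matched the previous `VER = 1.4.1`, so this file appears to version something other than squidGuard itself (presumably the URL-filter component; nothing in the hunk says). Any consumer that compares the file's content would now see a lower, non-numeric value. Either keep the existing numbering scheme or add a comment above the line stating what the file tracks, e.g. `# squidGuard release shipped with the URL filter`.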
@@ -0,0 +1,125 @@ + +From Jeffries Amos http://bugs.squid-cache.org/show_bug.cgi?id=3978#c5 + +--- squidGuard-1.5-beta.orig/src/main.c 2013-12-12 11:47:31.000000000 +1300 ++++ squidGuard-1.5-beta.orig/src/main.c 2013-12-12 11:50:38.000000000 +1300 +@@ -185,7 +185,7 @@ + sgReloadConfig(); + } + if(failsafe_mode) { +- puts(""); ++ puts("ERR message=\"squidGuard failsafe mode\""); + fflush(stdout); + if(sig_hup){ + sgReloadConfig(); +@@ -194,7 +194,7 @@ + } + if(parseLine(buf,&squidInfo) != 1){ + sgLogError("ERROR: Error parsing squid line: %s",buf); +- puts(""); ++ puts("BH message=\"squidGuard error parsing squid line\""); + } + else { + src = Source; +@@ -206,14 +206,14 @@ + acl = sgAclCheckSource(src); + if((redirect = sgAclAccess(src,acl,&squidInfo)) == NULL){ + if(src == NULL || src->cont_search == 0){ +- puts(""); ++ puts("ERR"); + break; + } else + if(src->next != NULL){ + src = src->next; + continue; + } else { +- puts(""); ++ puts("ERR"); + break; + } + } else { +@@ -228,6 +228,10 @@ + fprintf(stdout,"%s %s/%s %s %s\n",redirect,squidInfo.src, + squidInfo.srcDomain,squidInfo.ident, + squidInfo.method); ++ if (isdigit(redirect[0]) && isdigit(redirect[1]) && isdigit(redirect[2]) && redirect[3]==':') { ++ fprintf(stdout,"OK status=%c%c%c url=\"%s\"\n", redirect[0], redirect[1], redirect[2], &redirect[4]); ++ } else ++ fprintf(stdout,"OK rewrite-url=\"%s\"\n",redirect); + /* sgLogDebug("DEBUG: %s %s/%s %s %s\n",redirect,squidInfo.src,squidInfo.srcDomain,squidInfo.ident,squidInfo.method); */ + break; + } +--- squidGuard-1.5-beta.orig/src/main.c.in 2013-12-12 11:47:31.000000000 +1300 ++++ squidGuard-1.5-beta.orig/src/main.c.in 2013-12-12 11:53:18.000000000 +1300 +@@ -185,7 +185,7 @@ + sgReloadConfig(); + } + if(failsafe_mode) { +- puts(""); ++ puts("ERR message=\"squidGuard failsafe mode\""); + fflush(stdout); + if(sig_hup){ + sgReloadConfig(); +@@ -194,7 +194,7 @@ + } + if(parseLine(buf,&squidInfo) != 1){ + sgLogError("ERROR: Error parsing squid line: %s",buf); +- 
puts(""); ++ puts("BH message=\"squidGuard error parsing squid line\""); + } + else { + src = Source; +@@ -206,14 +206,14 @@ + acl = sgAclCheckSource(src); + if((redirect = sgAclAccess(src,acl,&squidInfo)) == NULL){ + if(src == NULL || src->cont_search == 0){ +- puts(""); ++ puts("ERR"); + break; + } else + if(src->next != NULL){ + src = src->next; + continue; + } else { +- puts(""); ++ puts("ERR"); + break; + } + } else { +@@ -225,9 +225,11 @@ + squidInfo.ident[0] = '-'; + squidInfo.ident[1] = '\0'; + } +- fprintf(stdout,"%s %s/%s %s %s\n",redirect,squidInfo.src, +- squidInfo.srcDomain,squidInfo.ident, +- squidInfo.method); ++ if (isdigit(redirect[0]) && isdigit(redirect[1]) && isdigit(redirect[2]) && redirect[3]==':') { ++ fprintf(stdout,"OK status=%c%c%c url=\"%s\"\n", redirect[0], redirect[1], redirect[2], &redirect[4]); ++ } else ++ fprintf(stdout,"OK rewrite-url=\"%s\"\n",redirect); ++ + /* sgLogDebug("DEBUG: %s %s/%s %s %s\n",redirect,squidInfo.src,squidInfo.srcDomain,squidInfo.ident,squidInfo.method); */ + break; + } +--- squidGuard-1.5-beta.orig/src/sgDiv.c 2013-12-12 11:47:31.000000000 +1300 ++++ squidGuard-1.5-beta.orig/src/sgDiv.c 2013-12-12 11:48:36.000000000 +1300 +@@ -782,7 +782,7 @@ + } + sgLogError("ERROR: Going into emergency mode"); + while(fgets(buf, MAX_BUF, stdin) != NULL){ +- puts(""); ++ puts("ERR"); + fflush(stdout); + } + sgLogError("ERROR: Ending emergency mode, stdin empty"); +--- squidGuard-1.5-beta.orig/src/sgDiv.c.in 2013-12-12 11:47:31.000000000 +1300 ++++ squidGuard-1.5-beta.orig/src/sgDiv.c.in 2013-12-12 11:48:36.000000000 +1300 +@@ -782,7 +782,7 @@ + } + sgLogError("ERROR: Going into emergency mode"); + while(fgets(buf, MAX_BUF, stdin) != NULL){ +- puts(""); ++ puts("ERR"); + fflush(stdout); + } + sgLogError("ERROR: Ending emergency mode, stdin empty"); 
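Review bot: The new replies print `redirect` inside double quotes without escaping (`OK status=%c%c%c url=\"%s\"` and `OK rewrite-url=\"%s\"`), so a `"`, backslash or whitespace in that string would corrupt the key=value reply Squid parses; `redirect` comes from `sgAclAccess()`, which is outside the hunk, and if it can carry parts of the client's URL it needs escaping or percent-encoding before it is written. In the `main.c` section the old `fprintf(stdout,"%s %s/%s %s %s\n",…)` stays as context, so that file would emit two lines per request, while the `main.c.in` section removes it; the two sections should match. `isdigit()` is called on plain `char`, where `isdigit((unsigned char)redirect[0])` is the defined form, and no `#include <ctype.h>` is added in the visible lines. `puts("ERR")` in failsafe and emergency mode means requests pass unfiltered, so a comment stating that this fail-open behaviour is intended would help the next reader.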
diff --git a/src/patches/squidguard/03_squidguard-1.5-beta_remove-debug-logging.patch b/src/patches/squidguard/03_squidguard-1.5-beta_remove-debug-logging.patch
new file mode 100644
index 0000000000..ba2840baca
--- /dev/null
+++ b/src/patches/squidguard/03_squidguard-1.5-beta_remove-debug-logging.patch
@@ -0,0 +1,66 @@
+--- a/src/sg.y.in 2014-04-14 16:23:39.183396677 +0200
++++ b/src/sg.y.in 2014-04-14 16:24:19.000000000 +0200
+@@ -795,9 +795,9 @@
+ {
+ struct Source *sp;
+ sp = lastSource;
+-
++/* DEBUG
+ @NOLOG1@ sgLogError("DEBUG: sgSourceLdapIpSearch called with: %s", url); @NOLOG2@
+-
++*/
+ if(!ldap_is_ldap_url(url)) {
+ sgLogError("%s: can't parse LDAP url %s",progname, url);
+ return;
+@@ -1311,10 +1311,12 @@
+ }
+ sp->domainlistDb = (struct sgDb *) sgCalloc(1,sizeof(struct sgDb));
+ sp->domainlistDb->type=SGDBTYPE_DOMAINLIST;
++/* DEBUG
+ sgLogError("init domainlist %s",sp->domainlist);
++*/
+ sgDbInit(sp->domainlistDb,sp->domainlist);
+ if(sp->domainlistDb->entries == 0) { /* empty database */
+- sgLogError("domainlist empty, removed from memory");
++ sgLogError("domainlist %s empty, removed from memory",sp->domainlist);
+ sgFree(sp->domainlistDb);
+ sp->domainlistDb = NULL;
+ }
+@@ -1356,10 +1356,12 @@
+ }
+ sp->urllistDb = (struct sgDb *) sgCalloc(1,sizeof(struct sgDb));
+ sp->urllistDb->type=SGDBTYPE_URLLIST;
++/* DEBUG
+ sgLogError("init urllist %s",sp->urllist);
++*/
+ sgDbInit(sp->urllistDb,sp->urllist);
+ if(sp->urllistDb->entries == 0) { /* empty database */
+- sgLogError("urllist empty, removed from memory");
++ sgLogError("urllist empty %s, removed from memory",sp->urllist);
+ sgFree(sp->urllistDb);
+ sp->urllistDb = NULL;
+ }
+@@ -2773,9 +2773,9 @@
+ char *interval;
+ struct UserInfo *userinfo;
+ static struct UserInfo info;
+-
++/* DEBUG
+ @NOLOG1@ sgLogError("DEBUG: sgFindUser called with: %s", ident); @NOLOG2@
+-
++*/
+ /* defined in the userDB? */
+ if(defined(src->userDb, ident, (char **) &userinfo) == 1) {
+ #ifdef HAVE_LIBLDAP
+--- a/src/sgDb.c 2014-04-17 08:53:29.961367395 +0200
++++ b/src/sgDb.c 2014-04-17 08:53:58.000000000 +0200
+@@ -48,7 +48,9 @@
+ strcat(dbfile,".db");
+ if(stat(dbfile,&st) == 0){
+ if(!createdb){
++/* DEBUG
+ sgLogNotice("INFO: loading dbfile %s",dbfile);
++*/
+ }
+ } else {
+ if(!createdb){
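Review bot: Wrapping the `@NOLOG1@ sgLogError(...); @NOLOG2@` lines in `/* DEBUG … */` is fragile: if configure substitutes those placeholders with comment delimiters (their expansion is not visible here), the inner `*/` closes the outer comment early and leaves a stray `*/` in the generated parser source. `#if 0 … #endif`, or simply deleting the lines, avoids the nesting problem. The two reworded messages are inconsistent (`"domainlist %s empty, …"` versus `"urllist empty %s, …"`), and the `sgDb.c` hunk leaves `if(!createdb){ }` with an empty body. Silencing the `loading dbfile` notice also removes the only visible record of which list databases were loaded, which is what an operator would check to confirm a blocklist update took effect.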
diff --git a/src/patches/squidguard/04_squidguard-1.5-beta_stdout-always.patch b/src/patches/squidguard/04_squidguard-1.5-beta_stdout-always.patch
new file mode 100644
index 0000000000..dbc13e20ef
--- /dev/null
+++ b/src/patches/squidguard/04_squidguard-1.5-beta_stdout-always.patch
@@ -0,0 +1,76 @@ +Original input to stdout, to be useable with multiple redirectors +when option -f is given on squidGuard start +We have to remember the raw original URL as the URL is modified for testing +purpose. So the exisiting HTML entities like %3F (?), %26 (&), %3D (=) etc. are changed +which breaks the URL for further processing if it is send to stdout like we do it for the +redirector chain (THIS patch). +diff -Nur a/src/main.c.in b/src/main.c.in +--- a/src/main.c.in 2009-09-27 21:41:50.000000000 +0200 ++++ b/src/main.c.in 2013-06-01 21:18:55.000000000 +0200 +@@ -59,6 +59,7 @@ + char **globalEnvp ; + int globalDebugTimeDelta = 0; + int globalDebug = 0; ++int globalFullStdout = 0; + int globalPid = 0; + int globalUpdate = 0; + int passthrough = 0; +@@ -89,6 +90,7 @@ + struct Acl *acl; + struct timeval start_time,ready_time,stop_time; + char buf[MAX_BUF]; ++ char origraw[MAX_BUF]; + char *redirect,tmp[MAX_BUF]; + char *configFile = NULL; + time_t t; +@@ -101,11 +102,14 @@ + #ifdef USE_SYSLOG + openlog("squidGuard", LOG_PID | LOG_NDELAY | LOG_CONS, LOG_ at LOGFAC@); + #endif +- while ((ch = getopt(argc, argv, "hbduPC:t:c:v")) != EOF) ++ while ((ch = getopt(argc, argv, "hbdfuPC:t:c:v")) != EOF) + switch (ch) { + case 'd': + globalDebug = 1; + break; ++ case 'f': ++ globalFullStdout = 1; ++ break; + case 'c': + configFile = optarg; + break; +@@ -192,6 +193,8 @@ + } + continue; + } ++ strcpy(origraw,buf); ++ if (strlen(origraw) && (origraw[strlen(origraw)-1] == '\n')) origraw[strlen(origraw)-1] = 0; + if(parseLine(buf,&squidInfo) != 1){ + sgLogError("ERROR: Error parsing squid line: %s",buf); + puts("BH message=\"squidGuard error parsing squid line\""); +@@ -206,7 +210,12 @@ + acl = sgAclCheckSource(src); + if((redirect = sgAclAccess(src,acl,&squidInfo)) == NULL){ + if(src == NULL || src->cont_search == 0){ ++ if (globalFullStdout) { ++ puts(origraw); ++ } ++ else { + puts("ERR"); ++ } + break; + } else + if(src->next != NULL){ +@@ -213,7 +214,12 @@ + src = 
src->next; + continue; + } else { ++ if (globalFullStdout) { ++ puts(origraw); ++ } ++ else { + puts("ERR"); ++ } + break; + } + } else { diff --git a/src/patches/squidguard/05_squidguard-1.5-beta_fixes_htunescape-size_t-ldap_functions-unused_variables-noinput_and_nounput.patch b/src/patches/squidguard/05_squidguard-1.5-beta_fixes_htunescape-size_t-ldap_functions-unused_variables-noinput_and_nounput.patch new file mode 100644 index 0000000000..33732deea1 --- /dev/null +++ b/src/patches/squidguard/05_squidguard-1.5-beta_fixes_htunescape-size_t-ldap_functions-unused_variables-noinput_and_nounput.patch 
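Review bot: With `-f`, `puts(origraw)` writes the untouched request line back as the helper reply, which is not one of the `OK`/`ERR`/`BH` replies that patch 02 switches to, so Squid may misparse it; if `-f` is still wanted, its reply format should be defined together with that patch. `strcpy(origraw,buf)` is safe only because both arrays are `MAX_BUF` and `buf` is presumably filled by a bounded `fgets` outside the hunk; `snprintf(origraw, sizeof origraw, "%s", buf);` followed by `origraw[strcspn(origraw, "\n")] = 0;` makes the bound explicit and replaces the three `strlen` calls. The hunk patches only `main.c.in`, whereas patch 02 patches both `main.c` and `main.c.in`. The context line containing `LOG_ at LOGFAC@` looks like a mangled `LOG_@LOGFAC@`; if that text is in the committed file rather than a rendering artefact, the hunk applies only with fuzz.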
@@ -0,0 +1,56 @@
+--- a/src/sg.l Sat Jan 30 13:51:12 2016
++++ b/src/sg.l Sat Jan 30 14:01:28 2016
+@@ -23,6 +23,8 @@
+
+ %}
+
++%option noinput
++%option nounput
+ ignore [,\t\r ]+
+ s [\t ]
+ d [0-9]
+--- a/src/sg.y.in Sat Jan 30 13:52:26 2016
++++ b/src/sg.y.in Sat Jan 30 14:00:50 2016
+@@ -26,6 +26,7 @@
+
+ #ifdef HAVE_LIBLDAP
+ #include "lber.h"
++#define LDAP_DEPRECATED 1
+ #include "ldap.h"
+ #endif
+
+@@ -1097,7 +1098,6 @@
+ foundip = 1;
+ unblockedip = 1;
+ if(s->ipquota.seconds != 0){
+- struct IpInfo uq;
+ time_t t = time(NULL) + globalDebugTimeDelta;
+ sgLogError("status %d time %d lasttime %d consumed %d", ipquota->status, ipquota->time, ipquota->last, ipquota->consumed);
+ sgLogError("renew %d seconds %d", s->ipquota.renew, s->ipquota.seconds);
+@@ -1157,7 +1157,6 @@
+ founduser = 1;
+ unblockeduser = 1;
+ if(s->userquota.seconds != 0){
+- struct UserInfo uq;
+ time_t t = time(NULL) + globalDebugTimeDelta;
+ //sgLogError("status %d time %d lasttime %d consumed %d", userquota->status, userquota->time, userquota->last, userquota->consumed);
+ //sgLogError("renew %d seconds %d", s->userquota.renew, s->userquota.seconds);
+--- a/src/sgDiv.c.in Sat Jan 30 13:52:10 2016
++++ b/src/sgDiv.c.in Sat Jan 30 13:59:16 2016
+@@ -18,6 +18,7 @@
+
+ #include "sg.h"
+ #include "sgEx.h"
++#include "HTEscape.h"
+
+ /* #define METEST 8; */
+
+@@ -692,7 +693,7 @@
+ struct UserInfo *userquota;
+ if(defined(s->userDb, req->ident, (char **) &userquota) == 1){
+ char qbuf[150];
+- sprintf(qbuf, "%d-%d-%d-%d-%d-%d", s->userquota.renew, s->userquota.seconds, userquota->status, userquota->time, userquota->last, userquota->consumed);
++ sprintf(qbuf, "%d-%d-%d-%d-%d-%d", s->userquota.renew, (int)s->userquota.seconds, userquota->status, (int)userquota->time, (int)userquota->last, userquota->consumed);
+ strcat(buf, qbuf);
+ } else {
+ strcat(buf, "noquota");
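Review bot: The `(int)` casts added to the `sprintf(qbuf, …)` call silence the format warning by truncating `s->userquota.seconds`, `userquota->time` and `userquota->last`; if these are `time_t` (their declarations are outside the hunk), timestamps past 2038 are cut where `time_t` is 64-bit, so `%ld` with `(long)` casts would be the safer fix. The call is still an unbounded `sprintf` followed by `strcat(buf, qbuf)`; `snprintf(qbuf, sizeof qbuf, …)` costs nothing here, and the size of `buf` cannot be checked from the visible lines. `#define LDAP_DEPRECATED 1` re-enables the deprecated OpenLDAP calls instead of porting to the current ones; a comment naming the calls that still need it would make the follow-up clear.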
diff --git a/src/patches/squidguard/06_squidguard_version.patch b/src/patches/squidguard/06_squidguard_version.patch
new file mode 100644
index 0000000000..351804c49a
--- /dev/null
+++ b/src/patches/squidguard/06_squidguard_version.patch
@@ -0,0 +1,8 @@
+--- a/src/version.h Thu Apr 17 17:00:48 2008
++++ b/src/version.h Fri May 08 20:44:48 2009
+@@ -16,4 +16,4 @@
+ (GPL) along with this program.
+ */
+
+-#define VERSION "1.5-alpha"
++#define VERSION "1.5-beta"
-- 2.39.2