$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14155.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14156.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14157.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14158.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14159.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14160.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14161.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14162.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14163.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14164.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14165.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14166.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14167.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.25-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi
--- /dev/null
+------------------------------------------------------------
+revno: 14155
+revision-id: squid3@treenet.co.nz-20170504061416-ks61dfut8wyml2qu
+parent: squid3@treenet.co.nz-20170402121452-ox6d8ttzlmbov3xm
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4682
+author: Christos Tsantilas <chtsanti@users.sourceforge.net>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Thu 2017-05-04 18:14:16 +1200
+message:
+ Bug 4682: Fix ssl_bump "bump" action documentation
+
+ Fixes squid documentation to correctly describe the squid behavior when the
+ "bump" action is selected on step SslBump1. In this case squid selects
+ the client-first bumping mode.
+
+ This is a Measurement Factory project
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170504061416-ks61dfut8wyml2qu
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: f3b4861a085e069948da25398782237609037c5f
+# timestamp: 2017-05-04 06:16:54 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170402121452-\
+# ox6d8ttzlmbov3xm
+#
+# Begin patch
+=== modified file 'src/cf.data.pre'
+--- src/cf.data.pre 2017-03-31 23:38:31 +0000
++++ src/cf.data.pre 2017-05-04 06:14:16 +0000
+@@ -2669,8 +2669,11 @@
+ This is the default action.
+
+ bump
+- Establish a secure connection with the server and, using a
+- mimicked server certificate, with the client.
++ When used on step SslBump1, establishes a secure connection
++ with the client first, then connect to the server.
++ When used on step SslBump2 or SslBump3, establishes a secure
++ connection with the server and, using a mimicked server
++ certificate, with the client.
+
+ peek
+ Receive client (step SslBump1) or server (step SslBump2)
+
--- /dev/null
+------------------------------------------------------------
+revno: 14156
+revision-id: squid3@treenet.co.nz-20170508110920-73gma737u4x6ce87
+parent: squid3@treenet.co.nz-20170504061416-ks61dfut8wyml2qu
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4695
+author: Lubos Uhliarik <luhliari@redhat.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-08 23:09:20 +1200
+message:
+ Bug 4695: squidpurge: GCC 7 build errors
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170508110920-73gma737u4x6ce87
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: a0f0c573b5be3d81cf0f8e65ae52bf27bd08dba5
+# timestamp: 2017-05-08 11:51:08 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170504061416-\
+# ks61dfut8wyml2qu
+#
+# Begin patch
+=== modified file 'tools/purge/purge.cc'
+--- tools/purge/purge.cc 2017-01-01 00:16:45 +0000
++++ tools/purge/purge.cc 2017-05-08 11:09:20 +0000
+@@ -272,7 +272,7 @@
+ snprintf( md5, sizeof(md5), "%-32s", "(no_md5_data_available)" );
+ }
+
+- char timeb[64];
++ char timeb[256];
+ if ( meta && (findings = meta->search( STORE_META_STD )) ) {
+ StoreMetaStd temp;
+ // make data aligned, avoid SIGBUS on RISC machines (ARGH!)
+@@ -283,7 +283,7 @@
+ } else if ( meta && (findings = meta->search( STORE_META_STD_LFS )) ) {
+ StoreMetaStdLFS temp;
+ // make data aligned, avoid SIGBUS on RISC machines (ARGH!)
+- memcpy( &temp, findings->data, sizeof(StoreMetaStd) );
++ memcpy( &temp, findings->data, sizeof(StoreMetaStdLFS) );
+ snprintf( timeb, sizeof(timeb), "%08lx %08lx %08lx %08lx %04x %5hu ",
+ (unsigned long)temp.timestamp, (unsigned long)temp.lastref,
+ (unsigned long)temp.expires, (unsigned long)temp.lastmod, temp.flags, temp.refcount );
+
--- /dev/null
+------------------------------------------------------------
+revno: 14157
+revision-id: squid3@treenet.co.nz-20170529042116-kp9naxxmdsqicpjv
+parent: squid3@treenet.co.nz-20170508110920-73gma737u4x6ce87
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4589
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 16:21:16 +1200
+message:
+ Bug 4589: ssl_crtd: returning zero on failure
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170529042116-kp9naxxmdsqicpjv
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: ad29dd184416dc47dee80234c541185cca166bb3
+# timestamp: 2017-05-29 04:39:57 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170508110920-\
+# 73gma737u4x6ce87
+#
+# Begin patch
+=== modified file 'src/ssl/ssl_crtd.cc'
+--- src/ssl/ssl_crtd.cc 2017-01-01 00:16:45 +0000
++++ src/ssl/ssl_crtd.cc 2017-05-29 04:21:16 +0000
+@@ -350,7 +350,7 @@
+ }
+ } catch (std::runtime_error & error) {
+ std::cerr << argv[0] << ": " << error.what() << std::endl;
+- return 0;
++ return -1;
+ }
+ return 0;
+ }
+
--- /dev/null
+------------------------------------------------------------
+revno: 14158
+revision-id: squid3@treenet.co.nz-20170529043611-1hyb93ivtu5wrdwg
+parent: squid3@treenet.co.nz-20170529042116-kp9naxxmdsqicpjv
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3102
+author: Martin von Gagern <martin.vgagern@gmx.net>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 16:36:11 +1200
+message:
+ Bug 3102: FTP directory listing drops fist character of file names
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170529043611-1hyb93ivtu5wrdwg
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 60a5f01fc9c9967c55c651c31546cb1067325705
+# timestamp: 2017-05-29 04:39:59 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170529042116-\
+# kp9naxxmdsqicpjv
+#
+# Begin patch
+=== modified file 'src/clients/FtpGateway.cc'
+--- src/clients/FtpGateway.cc 2017-02-26 08:50:09 +0000
++++ src/clients/FtpGateway.cc 2017-05-29 04:36:11 +0000
+@@ -626,10 +626,17 @@
+ while (strchr(w_space, *copyFrom))
+ ++copyFrom;
+ } else {
+- /* XXX assumes a single space between date and filename
++ /* Handle the following four formats:
++ * "MMM DD YYYY Name"
++ * "MMM DD YYYYName"
++ * "MMM DD YYYY Name"
++ * "MMM DD YYYY Name"
++ * Assuming a single space between date and filename
+ * suggested by: Nathan.Bailey@cc.monash.edu.au and
+ * Mike Battersby <mike@starbug.bofh.asn.au> */
+- copyFrom += strlen(tbuf) + 1;
++ copyFrom += strlen(tbuf);
++ if (strchr(w_space, *copyFrom))
++ ++copyFrom;
+ }
+
+ p->name = xstrdup(copyFrom);
+
--- /dev/null
+------------------------------------------------------------
+revno: 14159
+revision-id: squid3@treenet.co.nz-20170529043741-9chwfs5onxuip52x
+parent: squid3@treenet.co.nz-20170529043611-1hyb93ivtu5wrdwg
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3772
+author: Rainer Tammer <rainer.tammer@schulergroup.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 16:37:41 +1200
+message:
+ Bug 3772: message from FTP server gets mangled
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170529043741-9chwfs5onxuip52x
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 800db5dab62d996440fd6fccd35e9f1f34f2f0e1
+# timestamp: 2017-05-29 04:40:02 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170529043611-\
+# 1hyb93ivtu5wrdwg
+#
+# Begin patch
+=== modified file 'src/clients/FtpGateway.cc'
+--- src/clients/FtpGateway.cc 2017-05-29 04:36:11 +0000
++++ src/clients/FtpGateway.cc 2017-05-29 04:37:41 +0000
+@@ -1541,7 +1541,7 @@
+ /* Reset cwd_message to only include the last message */
+ ftpState->cwd_message.reset("");
+ for (wordlist *w = ftpState->ctrl.message; w; w = w->next) {
+- ftpState->cwd_message.append(' ');
++ ftpState->cwd_message.append('\n');
+ ftpState->cwd_message.append(w->key);
+ }
+ ftpState->ctrl.message = NULL;
+
--- /dev/null
+------------------------------------------------------------
+revno: 14160
+revision-id: squid3@treenet.co.nz-20170529043852-zkf91gxhaqdj0rkn
+parent: squid3@treenet.co.nz-20170529043741-9chwfs5onxuip52x
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 16:38:52 +1200
+message:
+ Add OpenSSL library details to -v output
+
+ This is partially to meet the OpenSSL copyright requirement that binaries
+ mention when they are using the library, and partially for admin to see
+ which library their Squid is using when multiple are present in the system.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170529043852-zkf91gxhaqdj0rkn
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: c401fe3de5518102ac6a3a4dc7b121ac415c05d4
+# timestamp: 2017-05-29 04:40:04 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170529043741-\
+# 9chwfs5onxuip52x
+#
+# Begin patch
+=== modified file 'src/main.cc'
+--- src/main.cc 2017-02-26 08:52:45 +0000
++++ src/main.cc 2017-05-29 04:38:52 +0000
+@@ -563,6 +563,10 @@
+ printf("Service Name: " SQUIDSBUFPH "\n", SQUIDSBUFPRINT(service_name));
+ if (strlen(SQUID_BUILD_INFO))
+ printf("%s\n",SQUID_BUILD_INFO);
++#if USE_OPENSSL
++ printf("\nThis binary uses %s. ", SSLeay_version(SSLEAY_VERSION));
++ printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n");
++#endif
+ printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS);
+
+ #if USE_WIN32_SERVICE
+
--- /dev/null
+------------------------------------------------------------
+revno: 14161
+revision-id: squid3@treenet.co.nz-20170529053359-xtbuev2zwmdfj9mp
+parent: squid3@treenet.co.nz-20170529043852-zkf91gxhaqdj0rkn
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4682
+author: Christos Tsantilas <chtsanti@users.sourceforge.net>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 17:33:59 +1200
+message:
+ Bug 4653: %st lies about tunneled traffic volumes
+
+ Squid-5 and squid-4 does not count the "HTTP/1.1 200 Connection Established"
+ header size for %<st formatting code.
+
+ This is a Measurement Factory project
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170529053359-xtbuev2zwmdfj9mp
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: c340785d0d5042ae0f783d606f0998d605290ac4
+# timestamp: 2017-05-29 05:51:04 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170529043852-\
+# zkf91gxhaqdj0rkn
+#
+# Begin patch
+=== modified file 'src/tunnel.cc'
+--- src/tunnel.cc 2017-01-01 00:16:45 +0000
++++ src/tunnel.cc 2017-05-29 05:33:59 +0000
+@@ -836,7 +836,7 @@
+ * Call the tunnelStartShoveling to start the blind pump.
+ */
+ static void
+-tunnelConnectedWriteDone(const Comm::ConnectionPointer &conn, char *buf, size_t size, Comm::Flag flag, int xerrno, void *data)
++tunnelConnectedWriteDone(const Comm::ConnectionPointer &conn, char *, size_t len, Comm::Flag flag, int, void *data)
+ {
+ TunnelStateData *tunnelState = (TunnelStateData *)data;
+ debugs(26, 3, HERE << conn << ", flag=" << flag);
+@@ -848,6 +848,11 @@
+ return;
+ }
+
++ if (ClientHttpRequest *http = tunnelState->http.get()) {
++ http->out.headers_sz += len;
++ http->out.size += len;
++ }
++
+ tunnelStartShoveling(tunnelState);
+ }
+
+
--- /dev/null
+------------------------------------------------------------
+revno: 14162
+revision-id: squid3@treenet.co.nz-20170529055234-790hfbazjwy0fmk4
+parent: squid3@treenet.co.nz-20170529053359-xtbuev2zwmdfj9mp
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4711
+author: Christos Tsantilas <chtsanti@users.sourceforge.net>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 17:52:34 +1200
+message:
+ Bug 4711: SubjectAlternativeNames is missing in some generated certificates
+
+ Squid may generate certificates which have a Common Name, but do not have
+ a subjectAltName extension. For example when squid generated certificates
+ do not mimic an origin certificate or when the certificate adaptation
+ algorithm sslproxy_cert_adapt/setCommonName is used.
+
+ This is causes problems to some browsers, which validates a certificate using
+ the SubjectAlternativeNames but ignore the CommonName field.
+
+ This patch fixes squid to always add a SubjectAlternativeNames extension in
+ generated certificates which do not mimic an origin certificate.
+
+ Squid still will not add a subjectAltName extension when mimicking an origin
+ server certificate, even if that origin server certificate does not include
+ the subjectAltName extension. Such origin server may have problems when
+ talking directly to browsers, and patched Squid is not trying to fix those
+ problems.
+
+ This is a Measurement Factory project
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170529055234-790hfbazjwy0fmk4
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: e3162152cf590c8126eb3d189ea1ab90ba9a5c37
+# timestamp: 2017-05-29 05:54:13 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170529053359-\
+# xtbuev2zwmdfj9mp
+#
+# Begin patch
+=== modified file 'src/ssl/gadgets.cc'
+--- src/ssl/gadgets.cc 2017-01-01 00:16:45 +0000
++++ src/ssl/gadgets.cc 2017-05-29 05:52:34 +0000
+@@ -339,7 +339,40 @@
+ return added;
+ }
+
+-static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificateProperties const &properties)
++/// Adds a new subjectAltName extension contining Subject CN or returns false
++/// expects the caller to check for the existing subjectAltName extension
++static bool
++addAltNameWithSubjectCn(Ssl::X509_Pointer &cert)
++{
++ X509_NAME *name = X509_get_subject_name(cert.get());
++ if (!name)
++ return false;
++
++ const int loc = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
++ if (loc < 0)
++ return false;
++
++ ASN1_STRING *cn_data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, loc));
++ if (!cn_data)
++ return false;
++
++ char dnsName[1024]; // DNS names are limited to 256 characters
++ const int res = snprintf(dnsName, sizeof(dnsName), "DNS:%*s", cn_data->length, cn_data->data);
++ if (res <= 0 || res >= static_cast<int>(sizeof(dnsName)))
++ return false;
++
++ X509_EXTENSION *ext = X509V3_EXT_conf_nid(NULL, NULL, NID_subject_alt_name, dnsName);
++ if (!ext)
++ return false;
++
++ const bool result = X509_add_ext(cert.get(), ext, -1);
++
++ X509_EXTENSION_free(ext);
++ return result;
++}
++
++static bool
++buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificateProperties const &properties)
+ {
+ // not an Ssl::X509_NAME_Pointer because X509_REQ_get_subject_name()
+ // returns a pointer to the existing subject name. Nothing to clean here.
+@@ -387,6 +420,8 @@
+ } else if (!X509_gmtime_adj(X509_get_notAfter(cert.get()), 60*60*24*356*3))
+ return false;
+
++ int addedExtensions = 0;
++ bool useCommonNameAsAltName = true;
+ // mimic the alias and possibly subjectAltName
+ if (properties.mimicCert.get()) {
+ unsigned char *alStr;
+@@ -396,26 +431,29 @@
+ X509_alias_set1(cert.get(), alStr, alLen);
+ }
+
+- int addedExtensions = 0;
+-
+ // Mimic subjectAltName unless we used a configured CN: browsers reject
+ // certificates with CN unrelated to subjectAltNames.
+ if (!properties.setCommonName) {
+- int pos=X509_get_ext_by_NID (properties.mimicCert.get(), OBJ_sn2nid("subjectAltName"), -1);
++ int pos = X509_get_ext_by_NID(properties.mimicCert.get(), NID_subject_alt_name, -1);
+ X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos);
+ if (ext) {
+ if (X509_add_ext(cert.get(), ext, -1))
+ ++addedExtensions;
+ }
++ // We want to mimic the server-sent subjectAltName, not enhance it.
++ useCommonNameAsAltName = false;
+ }
+
+ addedExtensions += mimicExtensions(cert, properties.mimicCert);
+-
+- // According to RFC 5280, using extensions requires v3 certificate.
+- if (addedExtensions)
+- X509_set_version(cert.get(), 2); // value 2 means v3
+ }
+
++ if (useCommonNameAsAltName && addAltNameWithSubjectCn(cert))
++ ++addedExtensions;
++
++ // According to RFC 5280, using extensions requires v3 certificate.
++ if (addedExtensions)
++ X509_set_version(cert.get(), 2); // value 2 means v3
++
+ return true;
+ }
+
+
--- /dev/null
+------------------------------------------------------------
+revno: 14163
+revision-id: squid3@treenet.co.nz-20170529062945-gf7u7dukaumjof74
+parent: squid3@treenet.co.nz-20170529055234-790hfbazjwy0fmk4
+author: Ingo Schwarze, Francesco Chemolli <kinkie@squid-cache.org>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 18:29:45 +1200
+message:
+ Docs: Improve formatting of several manual pages
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170529062945-gf7u7dukaumjof74
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: b417bbc7ffb2351fb670e7baa721b9d9b8315024
+# timestamp: 2017-05-29 06:33:51 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170529055234-\
+# 790hfbazjwy0fmk4
+#
+# Begin patch
+=== modified file 'helpers/basic_auth/LDAP/basic_ldap_auth.8'
+--- helpers/basic_auth/LDAP/basic_ldap_auth.8 2017-03-31 23:47:47 +0000
++++ helpers/basic_auth/LDAP/basic_ldap_auth.8 2017-05-29 06:29:45 +0000
+@@ -5,9 +5,9 @@
+ .
+ .SH SYNOPSIS
+ .if !'po4a'hide' .B basic_ldap_auth
+-.if !'po4a'hide' .B \-b\ \"
++.if !'po4a'hide' .B \-b\ \(dq
+ base DN
+-.if !'po4a'hide' .B \"\ [\-u
++.if !'po4a'hide' .B \(dq\ [\-u
+ attribute
+ .if !'po4a'hide' .B ]\ [
+ options
+@@ -20,11 +20,11 @@
+ .if !'po4a'hide' .B ]...
+ .br
+ .if !'po4a'hide' .B basic_ldap_auth
+-.if !'po4a'hide' .B \-b\ \"
++.if !'po4a'hide' .B \-b\ \(dq
+ base DN
+-.if !'po4a'hide' .B \"\ \-f\ \"
++.if !'po4a'hide' .B \(dq\ \-f\ \(dq
+ LDAP search filter
+-.if !'po4a'hide' .B \"\ [
++.if !'po4a'hide' .B \(dq\ [
+ options
+ .if !'po4a'hide' .B ]\ [
+ LDAP server name
+@@ -74,7 +74,7 @@
+ The search filter can contain up to 15 occurrences of
+ .B %s
+ which will be replaced by the username, as in
+-.B "\"uid\=%s\""
++.B "\(dquid\=%s\(dq"
+ for RFC2037 directories. For a detailed description of LDAP search
+ filter syntax see RFC2254.
+ .br
+
+=== modified file 'helpers/basic_auth/RADIUS/basic_radius_auth.8'
+--- helpers/basic_auth/RADIUS/basic_radius_auth.8 2017-01-01 00:16:45 +0000
++++ helpers/basic_auth/RADIUS/basic_radius_auth.8 2017-05-29 06:29:45 +0000
+@@ -9,9 +9,9 @@
+ config file
+ .br
+ .if !'po4a'hide' .B basic_radius_auth
+-.if !'po4a'hide' .B "\-h \""
++.if !'po4a'hide' .B "\-h \(dq"
+ server name
+-.if !'po4a'hide' .B "\" [\-p "
++.if !'po4a'hide' .B "\(dq [\-p "
+ port
+ .if !'po4a'hide' .B "] [\-i "
+ identifier
+
+=== modified file 'helpers/external_acl/file_userip/ext_file_userip_acl.8'
+--- helpers/external_acl/file_userip/ext_file_userip_acl.8 2017-01-01 00:16:45 +0000
++++ helpers/external_acl/file_userip/ext_file_userip_acl.8 2017-05-29 06:29:45 +0000
+@@ -68,7 +68,7 @@
+ .B ALL
+ and
+ .B NONE
+-, which mean \"any user on this IP address may authenticate\" or \"no user on this IP address may authenticate\".
++, which mean \(dqany user on this IP address may authenticate\(dq or \(dqno user on this IP address may authenticate\(dq.
+ .
+ .SH AUTHOR
+ This program was written by
+
+=== modified file 'tools/squidclient/squidclient.1'
+--- tools/squidclient/squidclient.1 2017-01-01 00:16:45 +0000
++++ tools/squidclient/squidclient.1 2017-05-29 06:29:45 +0000
+@@ -86,7 +86,7 @@
+ .if !'po4a'hide' .TP
+ .if !'po4a'hide' .B "\-H 'string'"
+ Extra headers to send. Use
+-.B '\\n'
++.B '\en'
+ for new lines.
+ .
+ .if !'po4a'hide' .TP
+
--- /dev/null
+------------------------------------------------------------
+revno: 14164
+revision-id: squid3@treenet.co.nz-20170529063645-qmu68scq9go0wbqr
+parent: squid3@treenet.co.nz-20170529062945-gf7u7dukaumjof74
+author: Alex Rousskov <rousskov@measurement-factory.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 18:36:45 +1200
+message:
+ Fix xstrndup() documentation, callers. Disclosed implementation bugs.
+
+ xstrndup() does not work like strndup(3), and some callers got confused:
+
+ 1. When n is the str length or less, standard strndup(str,n) copies all
+ n bytes but our xstrndup(str,n) drops the last one. Thus, all callers
+ must add one to the desired result length when calling xstrndup().
+ Most already do, but it is often hard to see due to low code quality
+ (e.g., one must remember that MAX_URL is not the maximum URL length).
+
+ 2. xstrndup() also assumes that the source string is 0-terminated. This
+ dangerous assumption does not contradict many official strndup(3)
+ descriptions, but that lack of contradiction is actually a recently
+ fixed POSIX documentation bug (i.e., correct implementations must not
+ assume 0-termination): http://austingroupbugs.net/view.php?id=1019
+
+ The OutOfBoundsException bug led to truncated exception messages.
+
+ The ESI bug led to truncated 'literal strings', but I do not know what
+ that means in terms of user impact. That ESI fix is untested.
+
+ cachemgr.cc bug was masked by the fact that the buffer ends with \n
+ that is unused and stripped by the custom xstrtok() implementation.
+
+ TODO. Fix xstrndup() implementation (and rename the function so that
+ fixed callers do not misbehave if carelessly ported to older Squids).
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170529063645-qmu68scq9go0wbqr
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 7321050a4405a155a8fe02f7125e446b9516dd51
+# timestamp: 2017-05-29 06:51:18 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170529062945-\
+# gf7u7dukaumjof74
+#
+# Begin patch
+=== modified file 'compat/xstring.h'
+--- compat/xstring.h 2017-01-01 00:16:45 +0000
++++ compat/xstring.h 2017-05-29 06:36:45 +0000
+@@ -41,7 +41,10 @@
+ char *xstrncpy(char *dst, const char *src, size_t n);
+
+ /**
+- * xstrndup() - same as strndup(3). Used for portability.
++ * xstrndup() - Somewhat similar(XXX) to strndup(3): Allocates up to n bytes,
++ * while strndup(3) copies up to n bytes and allocates up to n+1 bytes
++ * to fit the terminating character. Assumes s is 0-terminated (another XXX).
++ *
+ * Never returns NULL; fatal on error.
+ *
+ * Sets errno to EINVAL if a NULL pointer or negative
+
+=== modified file 'src/SBufExceptions.cc'
+--- src/SBufExceptions.cc 2017-01-01 00:16:45 +0000
++++ src/SBufExceptions.cc 2017-05-29 06:36:45 +0000
+@@ -25,9 +25,7 @@
+ explanatoryText.appendf(" in file %s", aFileName);
+ explanatoryText.appendf(" while accessing position %d in a SBuf long %d",
+ pos, throwingBuf.length());
+- // we can safely alias c_str as both are local to the object
+- // and will not further manipulated.
+- message = xstrndup(explanatoryText.c_str(),explanatoryText.length());
++ message = xstrdup(explanatoryText.c_str());
+ }
+
+ OutOfBoundsException::~OutOfBoundsException() throw()
+
+=== modified file 'src/esi/Expression.cc'
+--- src/esi/Expression.cc 2017-01-01 00:16:45 +0000
++++ src/esi/Expression.cc 2017-05-29 06:36:45 +0000
+@@ -743,7 +743,7 @@
+ /* Special case for zero length strings */
+
+ if (t - s - 1)
+- rv.value.string = xstrndup(s + 1, t - s - 1);
++ rv.value.string = xstrndup(s + 1, t - (s + 1) + 1);
+ else
+ rv.value.string = static_cast<char *>(xcalloc(1,1));
+
+
+=== modified file 'tools/cachemgr.cc'
+--- tools/cachemgr.cc 2017-01-01 00:16:45 +0000
++++ tools/cachemgr.cc 2017-05-29 06:36:45 +0000
+@@ -440,7 +440,7 @@
+ return;
+ }
+
+- buf_copy = x = xstrndup(buf, bufLen);
++ buf_copy = x = xstrndup(buf, bufLen+1);
+
+ a = xstrtok(&x, '\t');
+
+
--- /dev/null
+------------------------------------------------------------
+revno: 14165
+revision-id: squid3@treenet.co.nz-20170529071037-o91o8xvaqata5y2b
+parent: squid3@treenet.co.nz-20170529063645-qmu68scq9go0wbqr
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4682
+author: Christos Tsantilas <chtsanti@users.sourceforge.net>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 19:10:37 +1200
+message:
+ Bug 4682: ignoring http_access deny when client-first bumping mode is used
+
+ Squid fails to identify HTTP requests which are tunneled inside an already
+ established client-first bumped tunnel, and this is results in ignoring
+ http_access denied for these requests.
+
+ This is a Measurement Factory project
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170529071037-o91o8xvaqata5y2b
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: f77b81826612d7248fb774ef1ea00747cd04d479
+# timestamp: 2017-05-29 07:51:03 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170529063645-\
+# qmu68scq9go0wbqr
+#
+# Begin patch
+=== modified file 'src/client_side_request.cc'
+--- src/client_side_request.cc 2017-03-30 13:31:22 +0000
++++ src/client_side_request.cc 2017-05-29 07:10:37 +0000
+@@ -1424,7 +1424,17 @@
+ if (bumpMode != Ssl::bumpEnd) {
+ debugs(85, 5, HERE << "SslBump already decided (" << bumpMode <<
+ "), " << "ignoring ssl_bump for " << http->getConn());
+- if (!http->getConn()->serverBump())
++
++ // We need the following "if" for transparently bumped TLS connection,
++ // because in this case we are running ssl_bump access list before
++ // the doCallouts runs. It can be removed after the bug #4340 fixed.
++ // We do not want to proceed to bumping steps:
++ // - if the TLS connection with the client is already established
++ // because we are accepting normal HTTP requests on TLS port,
++ // or because of the client-first bumping mode
++ // - When the bumping is already started
++ if (!http->getConn()->switchedToHttps() &&
++ !http->getConn()->serverBump())
+ http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed and not already bumped
+ http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection
+ return false;
+
--- /dev/null
+------------------------------------------------------------
+revno: 14166
+revision-id: squid3@treenet.co.nz-20170529125748-qt7yhdloygl4xosg
+parent: squid3@treenet.co.nz-20170529071037-o91o8xvaqata5y2b
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Tue 2017-05-30 00:57:48 +1200
+message:
+ Revert r14161
+
+ Wrong patch and commit message.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170529125748-qt7yhdloygl4xosg
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: ddecde537486c58df04564f3818b8ad9929dd186
+# timestamp: 2017-05-29 13:51:06 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170529071037-\
+# o91o8xvaqata5y2b
+#
+# Begin patch
+=== modified file 'src/tunnel.cc'
+--- src/tunnel.cc 2017-05-29 05:33:59 +0000
++++ src/tunnel.cc 2017-05-29 12:57:48 +0000
+@@ -836,7 +836,7 @@
+ * Call the tunnelStartShoveling to start the blind pump.
+ */
+ static void
+-tunnelConnectedWriteDone(const Comm::ConnectionPointer &conn, char *, size_t len, Comm::Flag flag, int, void *data)
++tunnelConnectedWriteDone(const Comm::ConnectionPointer &conn, char *buf, size_t size, Comm::Flag flag, int xerrno, void *data)
+ {
+ TunnelStateData *tunnelState = (TunnelStateData *)data;
+ debugs(26, 3, HERE << conn << ", flag=" << flag);
+@@ -848,11 +848,6 @@
+ return;
+ }
+
+- if (ClientHttpRequest *http = tunnelState->http.get()) {
+- http->out.headers_sz += len;
+- http->out.size += len;
+- }
+-
+ tunnelStartShoveling(tunnelState);
+ }
+
+
--- /dev/null
+------------------------------------------------------------
+revno: 14167
+revision-id: squid3@treenet.co.nz-20170529131555-kut221f3geb3aczf
+parent: squid3@treenet.co.nz-20170529125748-qt7yhdloygl4xosg
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4653
+author: Christos Tsantilas <chtsanti@users.sourceforge.net>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Tue 2017-05-30 01:15:55 +1200
+message:
+ Bug 4653: %st lies about tunneled traffic volumes
+
+ Squid-3.5 counts only the "CONNECT ..." header size for %>st and does not
+ count the "HTTP/1.1 200" response header for the %<st.
+
+ This is a Measurement Factory project
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170529131555-kut221f3geb3aczf
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: dd5783b425c7c7125303a1bd1a5685bc28011754
+# timestamp: 2017-05-29 13:51:09 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170529125748-\
+# qt7yhdloygl4xosg
+#
+# Begin patch
+=== modified file 'src/client_side.cc'
+--- src/client_side.cc 2017-03-31 00:51:52 +0000
++++ src/client_side.cc 2017-05-29 13:15:55 +0000
+@@ -4391,7 +4391,7 @@
+ // in.buf still has the "CONNECT ..." request data, reset it to SSL hello message
+ connState->in.buf.append(rbuf.content(), rbuf.contentSize());
+ ClientHttpRequest *http = context->http;
+- tunnelStart(http, &http->out.size, &http->al->http.code, http->al);
++ tunnelStart(http);
+ }
+ }
+ }
+
+=== modified file 'src/client_side_reply.cc'
+--- src/client_side_reply.cc 2017-01-01 00:16:45 +0000
++++ src/client_side_reply.cc 2017-05-29 13:15:55 +0000
+@@ -1179,7 +1179,7 @@
+ if (curReply->content_length < 0)
+ return 0;
+
+- int64_t expectedLength = curReply->content_length + http->out.headers_sz;
++ uint64_t expectedLength = curReply->content_length + http->out.headers_sz;
+
+ if (http->out.size < expectedLength)
+ return 0;
+
+=== modified file 'src/client_side_request.cc'
+--- src/client_side_request.cc 2017-05-29 07:10:37 +0000
++++ src/client_side_request.cc 2017-05-29 13:15:55 +0000
+@@ -1522,7 +1522,7 @@
+ }
+ #endif
+ getConn()->stopReading(); // tunnels read for themselves
+- tunnelStart(this, &out.size, &al->http.code, al);
++ tunnelStart(this);
+ return;
+ }
+
+
+=== modified file 'src/client_side_request.h'
+--- src/client_side_request.h 2017-01-23 02:05:46 +0000
++++ src/client_side_request.h 2017-05-29 13:15:55 +0000
+@@ -73,7 +73,7 @@
+
+ struct {
+ int64_t offset;
+- int64_t size;
++ uint64_t size;
+ size_t headers_sz;
+ } out;
+
+@@ -182,7 +182,7 @@
+ void clientAccessCheck(ClientHttpRequest *);
+
+ /* ones that should be elsewhere */
+-void tunnelStart(ClientHttpRequest *, int64_t *, int *, const AccessLogEntry::Pointer &al);
++void tunnelStart(ClientHttpRequest *);
+
+ #if _USE_INLINE_
+ #include "client_side_request.cci"
+
+=== modified file 'src/tests/stub_tunnel.cc'
+--- src/tests/stub_tunnel.cc 2017-01-01 00:16:45 +0000
++++ src/tests/stub_tunnel.cc 2017-05-29 13:15:55 +0000
+@@ -14,7 +14,7 @@
+ #include "FwdState.h"
+ class ClientHttpRequest;
+
+-void tunnelStart(ClientHttpRequest *, int64_t *, int *, const AccessLogEntryPointer &al) STUB
++void tunnelStart(ClientHttpRequest *) STUB
+
+ void switchToTunnel(HttpRequest *request, Comm::ConnectionPointer &clientConn, Comm::ConnectionPointer &srvConn) STUB
+
+
+=== modified file 'src/tunnel.cc'
+--- src/tunnel.cc 2017-05-29 12:57:48 +0000
++++ src/tunnel.cc 2017-05-29 13:15:55 +0000
+@@ -139,7 +139,7 @@
+ int len;
+ char *buf;
+ AsyncCall::Pointer writer; ///< pending Comm::Write callback
+- int64_t *size_ptr; /* pointer to size in an ConnStateData for logging */
++ uint64_t *size_ptr; /* pointer to size in an ConnStateData for logging */
+
+ Comm::ConnectionPointer conn; ///< The currently connected connection.
+ uint8_t delayedLoops; ///< how many times a read on this connection has been postponed.
+@@ -848,6 +848,11 @@
+ return;
+ }
+
++ if (ClientHttpRequest *http = tunnelState->http.get()) {
++ http->out.headers_sz += size;
++ http->out.size += size;
++ }
++
+ tunnelStartShoveling(tunnelState);
+ }
+
+@@ -995,7 +1000,7 @@
+ }
+
+ void
+-tunnelStart(ClientHttpRequest * http, int64_t * size_ptr, int *status_ptr, const AccessLogEntryPointer &al)
++tunnelStart(ClientHttpRequest * http)
+ {
+ debugs(26, 3, HERE);
+ /* Create state structure. */
+@@ -1021,7 +1026,7 @@
+ if (ch.fastCheck() == ACCESS_DENIED) {
+ debugs(26, 4, HERE << "MISS access forbidden.");
+ err = new ErrorState(ERR_FORWARDING_DENIED, Http::scForbidden, request);
+- *status_ptr = Http::scForbidden;
++ http->al->http.code = Http::scForbidden;
+ errorSend(http->getConn()->clientConnection, err);
+ return;
+ }
+@@ -1037,12 +1042,13 @@
+ #endif
+ tunnelState->url = xstrdup(url);
+ tunnelState->request = request;
+- tunnelState->server.size_ptr = size_ptr;
+- tunnelState->status_ptr = status_ptr;
++ tunnelState->server.size_ptr = &http->out.size;
++ tunnelState->client.size_ptr = &http->al->http.clientRequestSz.payloadData;
++ tunnelState->status_ptr = &http->al->http.code;
+ tunnelState->logTag_ptr = &http->logType;
+ tunnelState->client.conn = http->getConn()->clientConnection;
+ tunnelState->http = http;
+- tunnelState->al = al;
++ tunnelState->al = http->al ;
+ tunnelState->started = squid_curtime;
+
+ comm_add_close_handler(tunnelState->client.conn->fd,
+@@ -1053,7 +1059,7 @@
+ CommTimeoutCbPtrFun(tunnelTimeout, tunnelState));
+ commSetConnTimeout(tunnelState->client.conn, Config.Timeout.lifetime, timeoutCall);
+
+- peerSelect(&(tunnelState->serverDestinations), request, al,
++ peerSelect(&(tunnelState->serverDestinations), request, tunnelState->al,
+ NULL,
+ tunnelPeerSelectComplete,
+ tunnelState);
+@@ -1226,6 +1232,10 @@
+ if (context != NULL && context->http != NULL) {
+ tunnelState->logTag_ptr = &context->http->logType;
+ tunnelState->server.size_ptr = &context->http->out.size;
++ if (context->http->al != NULL) {
++ tunnelState->al = context->http->al;
++ tunnelState->client.size_ptr = &context->http->al->http.clientRequestSz.payloadData;
++ }
+
+ #if USE_DELAY_POOLS
+ /* no point using the delayIsNoDelay stuff since tunnel is nice and simple */
+
projects / people / mlorenz / ipfire-2.x.git / commitdiff
