Bug 3209: ssl-bumped requests forwarded unencrypted to the parent proxies/caches

author Christos Tsantilas <chtsanti@users.sourceforge.net>

Sat, 7 May 2011 05:48:50 +0000 (23:48 -0600)

committer Amos Jeffries <squid3@treenet.co.nz>

Sat, 7 May 2011 05:48:50 +0000 (23:48 -0600)
author Christos Tsantilas <chtsanti@users.sourceforge.net>
Sat, 7 May 2011 05:48:50 +0000 (23:48 -0600)
committer Amos Jeffries <squid3@treenet.co.nz>
Sat, 7 May 2011 05:48:50 +0000 (23:48 -0600)
diff --git a/src/client_side.cc b/src/client_side.cc

index 7c842f28c12b93229257f3023e9a31edf37d124e..ca2b2fc57da4a2debccb567020b1b001ca8b4bb2 100644 (file)
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2432,6 +2432,7 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
      }
  
      request->flags.accelerated = http->flags.accel;
+    request->flags.sslBumped = conn->switchedToHttps();
      request->flags.ignore_cc = conn->port->ignore_cc;
      request->flags.no_direct = request->flags.accelerated ? !conn->port->allow_direct : 0;
  
diff --git a/src/forward.cc b/src/forward.cc

index 4eeb57bd5351b5c5dd980c7925f814913812a422..f85db3bcb1729b1721109bcaf00dc000d755e05c 100644 (file)
--- a/src/forward.cc
+++ b/src/forward.cc
@@ -832,6 +832,13 @@ FwdState::connectStart()
      if (ftimeout < ctimeout)
          ctimeout = ftimeout;
  
+    if (fs->_peer && request->flags.sslBumped == true) {
+        debugs(50, 4, "fwdConnectStart: Ssl bumped connections through parrent proxy are not allowed");
+        ErrorState *anErr = errorCon(ERR_CANNOT_FORWARD, HTTP_SERVICE_UNAVAILABLE, request);
+        fail(anErr);
+        self = NULL; // refcounted
+        return;
+    } 
  
      request->flags.pinned = 0;
      if (fs->code == PINNED) {
diff --git a/src/structs.h b/src/structs.h

index b979712932e1eea7867cbeb4f48a28d38a6734c6..49c950b9a2c7e09b276bccb5ef45e0bc914c79ec 100644 (file)
--- a/src/structs.h
+++ b/src/structs.h
@@ -1014,7 +1014,8 @@ struct _iostats {
  
  
  struct request_flags {
-    request_flags(): range(0),nocache(0),ims(0),auth(0),cachable(0),hierarchical(0),loopdetect(0),proxy_keepalive(0),proxying(0),refresh(0),redirected(0),need_validation(0),fail_on_validation_err(0),stale_if_hit(0),accelerated(0),ignore_cc(0),intercepted(0),spoof_client_ip(0),internal(0),internalclient(0),must_keepalive(0),destinationIPLookedUp_(0)  {
+    request_flags(): range(0),nocache(0),ims(0),auth(0),cachable(0),hierarchical(0),loopdetect(0),proxy_keepalive(0),proxying(0),refresh(0),redirected(0),need_validation(0),fail_on_validation_err(0),stale_if_hit(0),accelerated(0),ignore_cc(0),intercepted(0),spoof_client_ip(0),internal(0),internalclient(0),must_keepalive(0),sslBumped(0),destinationIPLookedUp_(0)  
+{
  #if HTTP_VIOLATIONS
          nocache_hack = 0;
  #endif
@@ -1054,6 +1055,7 @@ unsigned int proxying:
      unsigned int pinned:1;      /* Request sent on a pinned connection */
      unsigned int auth_sent:1;   /* Authentication forwarded */
      unsigned int no_direct:1;  /* Deny direct forwarding unless overriden by always_direct. Used in accelerator mode */
+    unsigned int sslBumped:1; /**< ssl-bumped request*/
  
      // When adding new flags, please update cloneAdaptationImmune() as needed.
author	Christos Tsantilas <chtsanti@users.sourceforge.net>
	Sat, 7 May 2011 05:48:50 +0000 (23:48 -0600)
committer	Amos Jeffries <squid3@treenet.co.nz>
	Sat, 7 May 2011 05:48:50 +0000 (23:48 -0600)
src/client_side.cc		patch \| blob \| blame \| history
src/forward.cc		patch \| blob \| blame \| history
src/structs.h		patch \| blob \| blame \| history