Bug 3478: workaround: better default handling without -DSTRICT_ORIGINAL_DST
authorAmos Jeffries <squid3@treenet.co.nz>
Fri, 10 Aug 2012 05:47:13 +0000 (23:47 -0600)
committerAmos Jeffries <squid3@treenet.co.nz>
Fri, 10 Aug 2012 05:47:13 +0000 (23:47 -0600)
This extends the -DSTRICT_ORIGINAL_DST compile-time flag to cover the
logic that lists ORIGINAL_DST as the first preferred destination.

Which makes ORIGINAL_DST a swap-in replacement for DIRECT and enables
never_direct, always_direct, prefer_direct configuration to apply.

src/cf.data.pre
src/forward.cc
src/forward.h

index 3529be2a98125c3d3d955a26afcdf5f71ed9d8ec..a48f28fedf111d2dc4ec19dc4a80c6179bc26058 100644 (file)
@@ -1778,7 +1778,7 @@ DOC_START
                 * Reverse-proxy traffic is not checked at all.
        
                 * Intercepted traffic which passes verification is handled
-                  normally.
+                  according to client_dst_passthru.
        
                 * Intercepted requests which fail verification are sent
                   to the client original destination instead of DIRECT.
index 22723ef93995ad02512a3773b66fdc8abe9f6b5b..66675927931209498023682a9558211b5f41fa8c 100644 (file)
@@ -125,6 +125,7 @@ void FwdState::start(Pointer aSelf)
 
     entry->registerAbort(FwdState::abort, this);
 
+#if STRICT_ORIGINAL_DST
     // Bug 3243: CVE 2009-0801
     // Bypass of browser same-origin access control in intercepted communication
     // To resolve this we must force DIRECT and only to the original client destination.
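Review bot: The comment at the top of this newly guarded block still says the CVE-2009-0801 fix "must force DIRECT and only to the original client destination", but after this change that forcing is compiled only when STRICT_ORIGINAL_DST is set; in the default build start() now falls through to peerSelect() (next hunk, `@@ -132,17 +133,18 @@`), so the comment no longer describes what the shipped code does. Per the commit description the non-strict build relies on peer selection listing ORIGINAL_DST first, which is not visible in this diff, so the `!request->flags.hostVerified` case presumably now depends on that ordering and on never_direct/always_direct configuration rather than on an unconditional bypass. Suggest rewording the comment to something like `// STRICT_ORIGINAL_DST: force the original client destination here and skip peerSelect(); otherwise peerSelect() is expected to list ORIGINAL_DST first (see client_dst_passthru in cf.data.pre)`. FwdState::start() begins before and ends after this hunk.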
@@ -132,17 +133,18 @@ void FwdState::start(Pointer aSelf)
     const bool useOriginalDst = Config.onoff.client_dst_passthru || (request && !request->flags.hostVerified);
     if (isIntercepted && useOriginalDst) {
         selectPeerForIntercepted();
-#if STRICT_ORIGINAL_DST
         // 3.2 does not suppro re-wrapping inside CONNECT.
         // our only alternative is to fake destination "found" and continue with the forwarding.
         startConnectionOrFail();
         return;
-#endif
     }
+#endif
+
     // do full route options selection
     peerSelect(&serverDestinations, request, entry, fwdPeerSelectionCompleteWrapper, this);
 }
 
+#if STRICT_ORIGINAL_DST
 /// bypasses peerSelect() when dealing with intercepted requests
 void
 FwdState::selectPeerForIntercepted()
@@ -170,6 +172,7 @@ FwdState::selectPeerForIntercepted()
     debugs(17, 3, HERE << "using client original destination: " << *p);
     serverDestinations.push_back(p);
 }
+#endif
 
 void
 FwdState::completed()
index fde9b75bfc6dba7afb7936efc148ad7d88e4b2b5..f2d0fbf2fc8f557577aa90e2bc46636a079a81c6 100644 (file)
@@ -74,7 +74,9 @@ private:
     FwdState(const Comm::ConnectionPointer &client, StoreEntry *, HttpRequest *, const AccessLogEntryPointer &alp);
     void start(Pointer aSelf);
 
+#if STRICT_ORIGINAL_DST
     void selectPeerForIntercepted();
+#endif
     static void logReplyStatus(int tries, http_status status);
     void doneWithRetries();
     void completed();
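Review bot: Guarding a member declaration with `#if STRICT_ORIGINAL_DST` inside the class definition in forward.h means every translation unit that includes this header must see the same definition of the macro, otherwise the class definition differs between TUs (an ODR violation, even though a member-function declaration does not change the object layout). Since the flag is passed with -D on the command line per the title, that holds only as long as it is added to the global compile flags rather than defined in a single source file, which the diff cannot show. Either add a comment next to the `#if` such as `// STRICT_ORIGINAL_DST must be defined identically for every TU that includes this header`, or declare selectPeerForIntercepted() unconditionally here and keep only its definition in forward.cc under the guard. The enclosing class FwdState begins before and ends after this hunk.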