From: Christos Tsantilas Date: Fri, 17 Jun 2011 13:24:39 +0000 (-0600) Subject: Fixed bypass of SSL certificate validation errors. X-Git-Tag: SQUID_3_1_12_3~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=162b77e8d6fe49601423f2ca7520719ed82c8dfa;p=thirdparty%2Fsquid.git Fixed bypass of SSL certificate validation errors. The bypass code was calling ACLChecklist::fastCheck() multiple times if multiple certificate errors were found. That method should not be called multiple times because it changes the internal ACLChecklist state, producing wrong answers for repeated calls. This patch fixes the ACLChecklist::fastCheck() method so it can be called multiple times. Each fastCheck() call results in an independent access list check. This is a Measurement Factory project
---
diff --git a/src/acl/Checklist.cc b/src/acl/Checklist.cc
index 17a203c066..99310c2d75 100644
--- a/src/acl/Checklist.cc
+++ b/src/acl/Checklist.cc
@@ -340,26 +340,20 @@ ACLChecklist::fastCheck()
 PROF_start(aclCheckFast);
 currentAnswer(ACCESS_DENIED);
 debugs(28, 5, "aclCheckFast: list: " << accessList);
-
- while (accessList) {
- preCheck();
- matchAclListFast(accessList->aclList);
-
- if (finished()) {
+ const acl_access *acl = cbdataReference(accessList);
+ while (acl != NULL && cbdataReferenceValid(acl)) {
+ currentAnswer(acl->allow);
+ if (matchAclListFast(acl->aclList)) {
 PROF_stop(aclCheckFast);
- cbdataReferenceDone(accessList);
+ cbdataReferenceDone(acl);
 return currentAnswer() == ACCESS_ALLOWED;
 }
 /*
 * Reference the next access entry
 */
- const acl_access *A = accessList;
-
- assert (A);
-
- accessList = cbdataReference(A->next);
-
+ const acl_access *A = acl;
+ acl = cbdataReference(acl->next);
 cbdataReferenceDone(A);
 }
diff --git a/src/acl/Checklist.h b/src/acl/Checklist.h
index 433569edda..8b5702b511 100644
--- a/src/acl/Checklist.h
+++ b/src/acl/Checklist.h
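Review bot: In ACLChecklist::fastCheck() (src/acl/Checklist.cc) the new loop can end with `acl` non-NULL but failing `cbdataReferenceValid(acl)`, and on that exit no visible line releases the reference taken by `cbdataReference(accessList)` or `cbdataReference(acl->next)`. Unless the code after the loop, which lies outside this hunk, already does so, add `cbdataReferenceDone(acl);` right after the closing brace of the `while`. It is also worth confirming what the function returns on that path, since an access list invalidated mid-walk would appear to fall through to the no-match default rather than to an explicit denial. A short comment above the `const acl_access *acl` line, saying that the walk uses a local cursor so the member `accessList` stays intact for repeated calls, would record the reason for the change.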
@@ -102,7 +102,7 @@ public:
 * This means any proxy_auth, external_acl, DNS lookups, Ident lookups etc
 * which have not already been performed and cached will not be checked.
 *
- * If there is no access list to check the default is to return DENIED.
+ * If there is no access list to check the default is to return ALLOWED.
 * However callers should perform their own check and default based on local
 * knowledge of the ACL usage rather than depend on this default.
 * That will also save on work setting up ACLChecklist fields for a no-op.
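Review bot: The corrected comment documents a fail-open default without saying why, while the visible start of fastCheck() in Checklist.cc sets `currentAnswer(ACCESS_DENIED)`, so a reader comparing the two will see an apparent contradiction. The return statement after the loop is outside both hunks, so the documented ALLOWED result cannot be confirmed from this patch. If the tail of the function inverts the last answer, add a line such as `* (With no rules, the result is the inverse of the initial DENIED answer.)`. Since the commit concerns certificate-error handling, it would also help to state in this comment that a `true` return on an empty list must not be read as an explicit allow rule having matched.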