From: rousskov <> Date: Wed, 23 Jan 2008 02:53:03 +0000 (+0000) Subject: Bug 1923 fix: Do not send hop-by-hop headers to the ICAP server. X-Git-Tag: BASIC_TPROXY4~161 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2cdeea8288740ab964b235dda466c874a39c18bd;p=thirdparty%2Fsquid.git Bug 1923 fix: Do not send hop-by-hop headers to the ICAP server. Send Proxy-Authenticate&Proxy-Authorization in ICAP request headers. --- diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc index 9e5b886706..a0bab13f85 100644 --- a/src/HttpHeader.cc +++ b/src/HttpHeader.cc @@ -1,6 +1,6 @@ /* - * $Id: HttpHeader.cc,v 1.138 2007/11/26 13:09:55 hno Exp $ + * $Id: HttpHeader.cc,v 1.139 2008/01/22 19:53:03 rousskov Exp $ * * DEBUG: section 55 HTTP Header * AUTHOR: Alex Rousskov @@ -236,6 +236,12 @@ static http_hdr_type RequestHeadersArr[] = HDR_USER_AGENT, HDR_X_FORWARDED_FOR, HDR_SURROGATE_CAPABILITY }; +static http_hdr_type HopByHopHeadersArr[] = + { + HDR_CONNECTION, HDR_KEEP_ALIVE, HDR_PROXY_AUTHENTICATE, HDR_PROXY_AUTHORIZATION, + HDR_TE, HDR_TRAILERS, HDR_TRANSFER_ENCODING, HDR_UPGRADE + }; + /* header accounting */ static HttpHeaderStat HttpHeaderStats[] = { @@ -1762,6 +1768,18 @@ HttpHeader::hasByNameListMember(const char *name, const char *member, const char return result; } +void +HttpHeader::removeHopByHopEntries() +{ + removeConnectionHeaderEntries(); + + int count = countof(HopByHopHeadersArr); + + for (int i=0; i entries; /* parsed fields in raw format */ HttpHeaderMask mask; /* bit set <=> entry present */ http_hdr_owner_type owner; /* request or reply */ int len; /* length when packed, not counting terminating '\0' */ +protected: + void removeConnectionHeaderEntries(); + private: HttpHeaderEntry *findLastEntry(http_hdr_type id) const; // Make it non-copyable. Our destructor is a bit nasty... diff --git a/src/ICAP/ICAPModXact.cc b/src/ICAP/ICAPModXact.cc index 4aaf7f4955..807505d423 100644 --- a/src/ICAP/ICAPModXact.cc +++ b/src/ICAP/ICAPModXact.cc @@ -1083,6 +1083,16 @@ void ICAPModXact::makeRequestHeaders(MemBuf &buf) if (!TheICAPConfig.reuse_connections) buf.Printf("Connection: close\r\n"); + // we must forward "Proxy-Authenticate" and "Proxy-Authorization" + // as ICAP headers. + if (virgin.header->header.has(HDR_PROXY_AUTHENTICATE)) + buf.Printf("Proxy-Authenticate: %s\r\n", + virgin.header->header.getByName("Proxy-Authenticate").buf()); + + if (virgin.header->header.has(HDR_PROXY_AUTHORIZATION)) + buf.Printf("Proxy-Authorization: %s\r\n", + virgin.header->header.getByName("Proxy-Authorization").buf()); + buf.Printf("Encapsulated: "); MemBuf httpBuf; @@ -1170,8 +1180,38 @@ void ICAPModXact::encapsulateHead(MemBuf &icapBuf, const char *section, MemBuf & // update ICAP header icapBuf.Printf("%s=%d, ", section, (int) httpBuf.contentSize()); - // pack HTTP head - packHead(httpBuf, head); + // begin cloning + HttpMsg *headClone = NULL; + + if (const HttpRequest* old_request = dynamic_cast(head)) { + HttpRequest* new_request = new HttpRequest; + urlParse(old_request->method, old_request->canonical,new_request); + new_request->http_ver = old_request->http_ver; + inheritVirginProperties(*new_request, *old_request); + headClone = new_request; + } + else if (const HttpReply *old_reply = dynamic_cast(head)) { + HttpReply* new_reply = new HttpReply; + new_reply->sline = old_reply->sline; + headClone = new_reply; + } + + Must(headClone); + + HttpHeaderPos pos = HttpHeaderInitPos; + HttpHeaderEntry* p_head_entry = NULL; + while (NULL != (p_head_entry = head->header.getEntry(&pos)) ) + headClone->header.addEntry(p_head_entry->clone()); + + // end cloning + + // remove all hop-by-hop headers from the clone + headClone->header.removeHopByHopEntries(); + + // pack polished HTTP header + packHead(httpBuf, headClone); + + delete headClone; } void ICAPModXact::packHead(MemBuf &httpBuf, const HttpMsg *head) diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc index 13de32f3c1..0ad99b60fd 100644 --- a/src/client_side_reply.cc +++ b/src/client_side_reply.cc @@ -1,6 +1,6 @@ /* - * $Id: client_side_reply.cc,v 1.149 2008/01/22 16:45:45 rousskov Exp $ + * $Id: client_side_reply.cc,v 1.150 2008/01/22 19:53:03 rousskov Exp $ * * DEBUG: section 88 Client-side Reply Routines * AUTHOR: Robert Collins (Originally Duane Wessels in client_side.c) @@ -1234,10 +1234,7 @@ clientReplyContext::buildReplyHeader() if (is_hit) hdr->delById(HDR_SET_COOKIE); - /* - * Be sure to obey the Connection header - */ - reply->header.removeConnectionHeaderEntries(); + reply->header.removeHopByHopEntries(); // if (request->range) // clientBuildRangeHeader(http, reply);