From: Amos Jeffries
Date: Fri, 10 Aug 2012 05:47:13 +0000 (-0600)
Subject: Bug 3478: workaround: better default handling without -DSTRICT_ORIGINAL_DST
X-Git-Tag: SQUID_3_2_1~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3646e53d1e01255352daf6b2e62e52841ba79bc4;p=thirdparty%2Fsquid.git
Bug 3478: workaround: better default handling without -DSTRICT_ORIGINAL_DST
This extends the -DSTRICT_ORIGINAL_DST compile-time flag to include the logics listing ORIGINAL_DST as first preferred destination. Which makes ORIGINAL_DST a swap-in replacement for DIRECT and enables never_direct, always_direct, prefer_direct configuration to apply.
---
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 3529be2a98..a48f28fedf 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1778,7 +1778,7 @@ DOC_START
* Reverse-proxy traffic is not checked at all.
* Intercepted traffic which passes verification is handled
- normally.
+ according to client_dst_passthru.
* Intercepted requests which fail verification are sent to the client original destination instead of DIRECT.
diff --git a/src/forward.cc b/src/forward.cc
index 22723ef939..6667592793 100644
--- a/src/forward.cc
+++ b/src/forward.cc
@@ -125,6 +125,7 @@ void FwdState::start(Pointer aSelf)
entry->registerAbort(FwdState::abort, this);
+#if STRICT_ORIGINAL_DST
// Bug 3243: CVE 2009-0801
// Bypass of browser same-origin access control in intercepted communication
// To resolve this we must force DIRECT and only to the original client destination.
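Review bot: The `#if STRICT_ORIGINAL_DST` added here also guards the three comment lines that record why intercepted traffic needs special routing (Bug 3243 / CVE-2009-0801), so a reader of the default build of `FwdState::start` sees no trace of that requirement at all. I would keep those comment lines above the `#if` and add one sentence for the non-strict path, e.g. `// Bug 3243: CVE 2009-0801 - without STRICT_ORIGINAL_DST the client's original destination must still win during peer selection for unverified intercepted requests.` Note also that `#if` on a macro that is never defined quietly evaluates to 0, so a misspelt -D flag silently drops the strict path with no diagnostic; `#ifdef` would behave the same, so this is a point for the build documentation rather than the code. The remainder of `FwdState::start` lies outside this hunk.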
@@ -132,17 +133,18 @@ void FwdState::start(Pointer aSelf)
const bool useOriginalDst = Config.onoff.client_dst_passthru || (request && !request->flags.hostVerified);
if (isIntercepted && useOriginalDst) {
selectPeerForIntercepted();
-#if STRICT_ORIGINAL_DST
// 3.2 does not suppro re-wrapping inside CONNECT.
// our only alternative is to fake destination "found" and continue with the forwarding.
startConnectionOrFail();
return;
-#endif
}
+#endif
+
// do full route options selection
peerSelect(&serverDestinations, request, entry, fwdPeerSelectionCompleteWrapper, this);
}
+#if STRICT_ORIGINAL_DST
/// bypasses peerSelect() when dealing with intercepted requests
void FwdState::selectPeerForIntercepted()
@@ -170,6 +172,7 @@ FwdState::selectPeerForIntercepted()
debugs(17, 3, HERE << "using client original destination: " << *p);
serverDestinations.push_back(p);
}
+#endif
void FwdState::completed()
diff --git a/src/forward.h b/src/forward.h
index fde9b75bfc..f2d0fbf2fc 100644
--- a/src/forward.h
+++ b/src/forward.h
@@ -74,7 +74,9 @@ private:
FwdState(const Comm::ConnectionPointer &client, StoreEntry *, HttpRequest *, const AccessLogEntryPointer &alp);
void start(Pointer aSelf);
+#if STRICT_ORIGINAL_DST
void selectPeerForIntercepted();
+#endif
static void logReplyStatus(int tries, http_status status);
void doneWithRetries();
void completed();
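Review bot: With STRICT_ORIGINAL_DST unset, the whole `if (isIntercepted && useOriginalDst)` branch is now compiled out, so an intercepted request whose Host header failed verification (`!request->flags.hostVerified`) reaches `peerSelect()` with no destination pinned in this function; the mitigation for Bug 3243 / CVE-2009-0801 then rests entirely on peer selection ranking the client's original destination first, which the commit message describes but this diff does not show. I would at least document that dependency at the new `#endif`, e.g. `// Without STRICT_ORIGINAL_DST, peerSelect() is expected to list ORIGINAL_DST first for unverified intercepted requests (Bug 3243); it must not fall through to a DNS-resolved DIRECT.` If peer selection in this tree does not do that, the default build has lost the same-origin protection and the forced path should stay unconditional. `FwdState::start` begins before this hunk, and the body of `selectPeerForIntercepted` continues past it.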
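Review bot: The `#endif` added after `serverDestinations.push_back(p); }` closes a `#if STRICT_ORIGINAL_DST` that opens roughly forty lines earlier in the previous hunk, and nothing on the line says which conditional it belongs to. Labelling it, `#endif /* STRICT_ORIGINAL_DST */`, makes it obvious that the now-conditional function body is tied to the build flag and not to some other conditional, and the same label would help at the `#endif` inside `FwdState::start`. Most of `selectPeerForIntercepted`'s body lies between the two hunks and is not visible here.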
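Review bot: Guarding the declaration `void selectPeerForIntercepted();` inside the class body means `FwdState` is declared differently depending on whether each translation unit was built with -DSTRICT_ORIGINAL_DST; the member is private and non-virtual, so there is no layout change and this is harmless when the flag is passed uniformly, but it is still a formal ODR difference if the flag only reaches forward.cc. Since only the definition in forward.cc is compiled out, leaving the declaration unconditional with a note, `void selectPeerForIntercepted(); // defined only when STRICT_ORIGINAL_DST is set`, avoids coupling the header to the build flag; if the guard is kept, label its `#endif /* STRICT_ORIGINAL_DST */`. The class definition starts and ends outside this hunk.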