From: Amos Jeffries Date: Fri, 27 Jan 2017 15:00:05 +0000 (+1300) Subject: Detect HTTP header ACL issues X-Git-Tag: SQUID_3_5_24~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5036a21da8ab1ed1e6fb875812a6b6944131d1f7;p=thirdparty%2Fsquid.git Detect HTTP header ACL issues rep_header and req_header ACL types cannot match multiple different headers in one test (unlike Squid-2 appears to have done). Produce an ERROR and ignore the extra line(s) instead of silently changing all the previous regex to match the second header name. Also detect and ERROR when header name is missing entirely. Ignore these lines instead of asserting.
---
diff --git a/src/acl/HttpHeaderData.cc b/src/acl/HttpHeaderData.cc
index 8559933cf1..108441570e 100644
--- a/src/acl/HttpHeaderData.cc
+++ b/src/acl/HttpHeaderData.cc
@@ -16,6 +16,7 @@
 #include "cache_cf.h"
 #include "ConfigParser.h"
 #include "Debug.h"
+#include "globals.h"
 #include "HttpHeaderTools.h"
 #include "SBuf.h"
@@ -74,9 +75,21 @@ void
 ACLHTTPHeaderData::parse()
 {
 char* t = strtokFile();
- assert (t != NULL);
- hdrName = t;
- hdrId = httpHeaderIdByNameDef(hdrName.rawBuf(), hdrName.size());
+ if (!t) {
+ debugs(28, DBG_CRITICAL, "ERROR: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
+ debugs(28, DBG_CRITICAL, "ERROR: Missing header name in ACL");
+ return;
+ }
+
+ if (hdrName.size() == 0) {
+ hdrName = t;
+ hdrId = httpHeaderIdByNameDef(hdrName.rawBuf(), hdrName.size());
+ } else if (hdrName.caseCmp(t) != 0) {
+ debugs(28, DBG_CRITICAL, "ERROR: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
+ debugs(28, DBG_CRITICAL, "ERROR: ACL cannot match both " << hdrName << " and " << t << " headers. Use 'anyof' ACL instead.");
+ return;
+ }
+
 regex_rule->parse();
 }
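Review bot: Both new `return` paths in ACLHTTPHeaderData::parse() drop the rejected line's patterns while the ACL itself stays defined, so any access rule that names it is evaluated against fewer patterns than the configuration file contains, and the only signal is a DBG_CRITICAL message at parse time. How an ACL with no header name or a shortened pattern list is evaluated is decided outside this hunk, so please confirm that a deny rule built on it cannot end up never matching. At minimum the behaviour should be documented above each return, for example `// Line ignored: its patterns are not added, so rules using this ACL match less than configured.` The `hdrName.size() == 0` branch also deserves a one-line comment saying that the first header name seen wins and later lines may only repeat it.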