From: Francesco Chemolli Date: Mon, 10 Sep 2012 13:36:59 +0000 (+0200) Subject: Implemented some more getters/setters for RequestFlags. X-Git-Tag: sourceformat-review-1~6^2~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=823e6f98e5c02b1f6bbed5a9e4dfe0697df87eab;p=thirdparty%2Fsquid.git Implemented some more getters/setters for RequestFlags. Moved from a preprocessor-backed conditional code to a compiler-backed conditional code for follow-x-forwarded-for --- diff --git a/src/RequestFlags.h b/src/RequestFlags.h index 738a7284ca..b9675ba2a7 100644 --- a/src/RequestFlags.h +++ b/src/RequestFlags.h @@ -42,14 +42,12 @@ public: ignore_cc(0), intercepted(0), hostVerified(0), spoof_client_ip(0), internal(0), internalclient(0), must_keepalive(0), pinned(0), canRePin(0), chunked_reply(0), stream_error(0), sslPeek(0), - sslBumped(0), destinationIPLookedUp_(false), resetTCP_(false), + done_follow_x_forwarded_for(!FOLLOW_X_FORWARDED_FOR), + sslBumped_(false), destinationIPLookedUp_(false), resetTCP_(false), isRanged_(false) { #if USE_HTTP_VIOLATIONS nocache_hack = 0; #endif -#if FOLLOW_X_FORWARDED_FOR - done_follow_x_forwarded_for = 0; -#endif /* FOLLOW_X_FORWARDED_FOR */ } unsigned int nocache :1; ///< whether the response to this request may be READ from cache @@ -88,11 +86,9 @@ public: unsigned int chunked_reply :1; /**< Reply with chunked transfer encoding */ unsigned int stream_error :1; /**< Whether stream error has occured */ unsigned int sslPeek :1; ///< internal ssl-bump request to get server cert - unsigned int sslBumped :1; /**< ssl-bumped request*/ #if FOLLOW_X_FORWARDED_FOR /* TODO: move from conditional definition to conditional setting */ - unsigned int done_follow_x_forwarded_for :1; #endif /* FOLLOW_X_FORWARDED_FOR */ // When adding new flags, please update cloneAdaptationImmune() as needed. @@ -108,8 +104,27 @@ public: bool isRanged() const; void setRanged(); void clearRanged(); + + bool sslBumped() const { return sslBumped_; } + void setSslBumped(bool newValue=true) { sslBumped_=newValue; } + void clearSslBumpeD() { sslBumped_=false; } + + bool doneFollowXFF() const { return done_follow_x_forwarded_for; } + void setDoneFollowXFF() { + done_follow_x_forwarded_for = true; + } + void clearDoneFollowXFF() { + /* do not allow clearing if FOLLOW_X_FORWARDED_FOR is unset */ + done_follow_x_forwarded_for = false || !FOLLOW_X_FORWARDED_FOR; + } private: + /* done_follow_x_forwarded_for set by default to the opposite of + * compilation option FOLLOW_X_FORWARDED_FOR (so that it returns + * always "done" if the build option is disabled. + */ + bool done_follow_x_forwarded_for :1; + bool sslBumped_ :1; /**< ssl-bumped request*/ bool destinationIPLookedUp_:1; bool resetTCP_:1; ///< request to reset the TCP stream bool isRanged_ :1; diff --git a/src/auth/Acl.cc b/src/auth/Acl.cc index fd70ba3f66..cc5de7b2c0 100644 --- a/src/auth/Acl.cc +++ b/src/auth/Acl.cc @@ -24,7 +24,7 @@ AuthenticateAcl(ACLChecklist *ch) if (NULL == request) { fatal ("requiresRequest SHOULD have been true for this ACL!!"); return ACCESS_DENIED; - } else if (request->flags.sslBumped) { + } else if (request->flags.sslBumped()) { debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate"); checklist->auth_user_request = checklist->conn() != NULL ? checklist->conn()->auth_user_request : request->auth_user_request; if (checklist->auth_user_request != NULL) diff --git a/src/client_side.cc b/src/client_side.cc index 21aecf61a5..f6514f1467 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -2652,14 +2652,14 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c request->clientConnectionManager = conn; request->flags.accelerated = http->flags.accel; - request->flags.sslBumped = conn->switchedToHttps(); - request->flags.canRePin = request->flags.sslBumped && conn->pinning.pinned; + request->flags.setSslBumped(conn->switchedToHttps()); + request->flags.canRePin = request->flags.sslBumped() && conn->pinning.pinned; request->flags.ignore_cc = conn->port->ignore_cc; // TODO: decouple http->flags.accel from request->flags.sslBumped - request->flags.no_direct = (request->flags.accelerated && !request->flags.sslBumped) ? + request->flags.no_direct = (request->flags.accelerated && !request->flags.sslBumped()) ? !conn->port->allow_direct : 0; #if USE_AUTH - if (request->flags.sslBumped) { + if (request->flags.sslBumped()) { if (conn->auth_user_request != NULL) request->auth_user_request = conn->auth_user_request; } diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc index 4cafe42717..64fd47d9f8 100644 --- a/src/client_side_reply.cc +++ b/src/client_side_reply.cc @@ -1477,7 +1477,7 @@ clientReplyContext::buildReplyHeader() } else if (fdUsageHigh()&& !request->flags.must_keepalive) { debugs(88, 3, "clientBuildReplyHeader: Not many unused FDs, can't keep-alive"); request->flags.proxy_keepalive = 0; - } else if (request->flags.sslBumped && !reply->persistent()) { + } else if (request->flags.sslBumped() && !reply->persistent()) { // We do not really have to close, but we pretend we are a tunnel. debugs(88, 3, "clientBuildReplyHeader: bumped reply forces close"); request->flags.proxy_keepalive = 0; diff --git a/src/client_side_request.cc b/src/client_side_request.cc index 7731e9d313..a3ebc67cc1 100644 --- a/src/client_side_request.cc +++ b/src/client_side_request.cc @@ -534,7 +534,7 @@ clientFollowXForwardedForCheck(allow_t answer, void *data) conn->log_addr = request->indirect_client_addr; } request->x_forwarded_for_iterator.clean(); - request->flags.done_follow_x_forwarded_for = 1; + request->flags.setDoneFollowXFF(); if (answer != ACCESS_ALLOWED && answer != ACCESS_DENIED) { debugs(28, DBG_CRITICAL, "ERROR: Processing X-Forwarded-For. Stopping at IP address: " << request->indirect_client_addr ); @@ -709,8 +709,9 @@ ClientRequestContext::hostHeaderVerify() void ClientRequestContext::clientAccessCheck() { -#if FOLLOW_X_FORWARDED_FOR - if (!http->request->flags.done_follow_x_forwarded_for && + /* NOP if !FOLLOW_X_FORWARDED_FOR */ + if (FOLLOW_X_FORWARDED_FOR && + !http->request->flags.doneFollowXFF() && Config.accessList.followXFF && http->request->header.has(HDR_X_FORWARDED_FOR)) { @@ -726,7 +727,6 @@ ClientRequestContext::clientAccessCheck() acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, this); return; } -#endif /* FOLLOW_X_FORWARDED_FOR */ if (Config.accessList.http) { acl_checklist = clientAclChecklistCreate(Config.accessList.http, http); @@ -810,7 +810,7 @@ ClientRequestContext::clientAccessCheckDone(const allow_t &answer) if (auth_challenge) { #if USE_AUTH - if (http->request->flags.sslBumped) { + if (http->request->flags.sslBumped()) { /*SSL Bumped request, authentication is not possible*/ status = HTTP_FORBIDDEN; } else if (!http->flags.accel) { diff --git a/src/forward.cc b/src/forward.cc index f8b1a42b30..10f11b81e1 100644 --- a/src/forward.cc +++ b/src/forward.cc @@ -953,7 +953,7 @@ FwdState::connectStart() if (ftimeout < ctimeout) ctimeout = ftimeout; - if (serverDestinations[0]->getPeer() && request->flags.sslBumped == true) { + if (serverDestinations[0]->getPeer() && request->flags.sslBumped() == true) { debugs(50, 4, "fwdConnectStart: Ssl bumped connections through parrent proxy are not allowed"); ErrorState *anErr = new ErrorState(ERR_CANNOT_FORWARD, HTTP_SERVICE_UNAVAILABLE, request); fail(anErr);