From: Amos Jeffries Date: Fri, 17 Jul 2009 13:23:49 +0000 (+1200) Subject: Author: Alex Rousskov X-Git-Tag: SQUID_3_0_STABLE17~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb56b0efd48ae220e8dd0960e1ade676bdbc6847;p=thirdparty%2Fsquid.git Author: Alex Rousskov Break forwarding loops for "transparent" or "intercept" http_ports. Squid detected forwarding loops in most configurations, but broke them (using a customizable HTTP_FORBIDDEN response) only when working as an accelerator. Squid now breaks loops when working as a transparent proxy as well. A persistent loop is going to be broken anyway, when the Via and X-Forwarded-For headers exceed header size limit, but that wastes a lot of resources and may also crash misconfigured Squids. TODO: Consider breaking all loops, regardless of the http_port options. TODO: Consider adding a specific and/or configurable error page for this case instead of using hard-coded ACCESS_DENIED. --- diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc index f1f908ee46..d39ec6a830 100644 --- a/src/client_side_reply.cc +++ b/src/client_side_reply.cc @@ -637,10 +637,9 @@ clientReplyContext::processMiss() return; } - /* - * Deny loops when running in accelerator/transproxy mode. - */ - if (http->flags.accel && r->flags.loopdetect) { + /// Deny loops for accelerator and interceptor. TODO: deny in all modes? + if (r->flags.loopdetect && + (http->flags.accel || http->flags.intercepted)) { http->al.http.code = HTTP_FORBIDDEN; err = clientBuildError(ERR_ACCESS_DENIED, HTTP_FORBIDDEN, NULL,
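Review bot: In the new condition in clientReplyContext::processMiss(), a request with r->flags.loopdetect set is still forwarded when neither http->flags.accel nor http->flags.intercepted is set, so ports in any other mode keep the behaviour the commit message describes: the loop runs until the Via and X-Forwarded-For headers exceed the header size limit. If that exemption is intentional, the comment should state the reason instead of leaving it as "TODO: deny in all modes?"; if it is not, the test could reduce to `if (r->flags.loopdetect)`. The commit message names both "transparent" and "intercept" http_ports while the code tests only http->flags.intercepted, so the comment should also say that this one flag covers both port options. The denial still reuses ERR_ACCESS_DENIED with http->al.http.code = HTTP_FORBIDDEN, which makes a broken loop indistinguishable from an ordinary access denial, both to the client and in the recorded status code; a dedicated error page, as the second TODO in the message suggests, would let operators tell the two apart.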