wessels [Fri, 10 Nov 2000 01:21:27 +0000 (01:21 +0000)]
DW:
- Rewrite of much of refreshCheck().
This was prompted by a bug report that we didn't properly handle the
must-revalidate directive. Indeed, we always caused a refresh
for must-revalidate. The spec says must-revalidate only takes effect
for stale responses.
I find the spec to be unclear on how to handle must-revalidate without
an explicit expiration time. Currently, if we have a response
that has must-revalidate, no expires, but the last-modified factor
rule says the response is fresh, then we don't force a validation.
Also added support for the max-stale request directive.
I changed some of the internal accounting to use status codes. In the
future it may be useful to have a "refresh.log" file so people can
figure out why a particular request got validated, or didn't.
wessels [Thu, 9 Nov 2000 03:22:16 +0000 (03:22 +0000)]
DW:
- Two bugs with yesterday's date parsing changes. (1) Need to increment
past "," after strchr(), and (2) struct tm tm needs to be static
in parse_date2().
wessels [Wed, 8 Nov 2000 06:43:15 +0000 (06:43 +0000)]
Radu Greab (radu@netsoft.ro):
- If an AS contains networks with mask 0, when trying to view the
AS Number Database squid enters into an infinite loop. The patch
below fixes the problem.
wessels [Wed, 8 Nov 2000 06:37:35 +0000 (06:37 +0000)]
DW:
- Changes prompted by bug report that "Wed Aug 9 11:36:06 2000" could
not be parsed. The parse_rfc1123() code assumed there was an extra
space after Aug and before "9".
This change breaks the parsing into smaller functions to make the
code easier to read and understand.
I changed parsing of the "third" date format (asctime()) to use
a buffer copy and strtok. This makes it more flexible. For example,
we don't have to require strlen(s) < 24.
hno [Sun, 5 Nov 2000 06:04:09 +0000 (06:04 +0000)]
Cross-site scripting fixes by Robert Collins and Henrik Nordstrom
Everywhere where Squid inserts text received from the network into
an HTML page (error pages, FTP listings, Gopher listings, ...) care
must be taken to ensure that the text is properly encoded as HTML,
or a malicious user might be able to insert script code or other
HTML tags, and exploit the web browser of any user visiting their
page or clicking on that funny link received in an email.
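Added example, not part of the commit or of Squid's source: a bounded HTML encoder of the kind this message calls for, applied to a network-supplied URL before it is placed in an error page. The names html_encode and error_line and the page template are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Squid's code): HTML-encode untrusted text into dst.
 * Returns the encoded length, or (size_t)-1 if dst is too small; dst is then
 * left empty so a cut-off entity or raw tail never reaches the page. */
size_t html_encode(const char *src, char *dst, size_t dstsz)
{
    size_t o = 0;
    if (dstsz == 0)
        return (size_t)-1;
    for (; *src != '\0'; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;          /* default: copy the byte unchanged */
        size_t n;
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        n = strlen(rep);
        if (n >= dstsz - o) {           /* need room for rep plus the NUL */
            dst[0] = '\0';
            return (size_t)-1;
        }
        memcpy(dst + o, rep, n);
        o += n;
    }
    dst[o] = '\0';
    return o;
}

/* Build one line of an error page around a network-supplied URL (constructed
 * template). Returns 0 on success, -1 if the URL or the page does not fit. */
int error_line(const char *url, char *page, size_t pagesz)
{
    char enc[1024];
    int n;
    if (html_encode(url, enc, sizeof enc) == (size_t)-1)
        return -1;
    n = snprintf(page, pagesz, "<p>Unable to retrieve: %s</p>", enc);
    return (n >= 0 && (size_t)n < pagesz) ? 0 : -1;
}
```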
wessels [Sat, 4 Nov 2000 00:03:54 +0000 (00:03 +0000)]
DW:
- A fix for problems relating to large DNS replies. RFC 1035 says
that DNS/UDP messages must be 512 octets or less. Some servers
(BIND on OS/2) are sending larger packets, but Squid was only
reading the first 512 octets. This could cause buffer overruns
in rfc1035.c.
This patch changes recv() to use the maximum UDP socket buffer
size. However, if we get a large reply we tell rfc1035.c that
we only got 512 octets. Thus, it's a little safer if that code
has bugs and reads past 512.
wessels [Fri, 3 Nov 2000 23:43:58 +0000 (23:43 +0000)]
DW:
- If we discover a truncated packet in the middle of unpacking
a resource record, we need to zap RR fields that were already
unpacked. Otherwise we can end up with RR->class = RFC1035_CLASS_IN,
RR->type = RFC1035_TYPE_A, and RR->rdlength = 0.
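Added example, not taken from rfc1035.c or from either commit: it illustrates the two DNS changes above, clamping the length handed to the parser to 512 octets and zeroing a resource record when truncation is found partway through unpacking. The struct layout, function names and sample bytes are constructed for the example, and the owner name is assumed to have been skipped already.

```c
#include <stddef.h>
#include <string.h>

#define DNS_UDP_MAX 512   /* RFC 1035 limit on DNS/UDP messages */

/* Hypothetical record layout for this example (not Squid's rfc1035_rr). */
struct rr {
    unsigned short type, rr_class, rdlength;
    unsigned long ttl;
    const unsigned char *rdata;   /* points into the message buffer */
};

/* Constructed sample: A record, class IN, TTL 60, RDATA 192.0.2.1. */
static const unsigned char sample_rr[14] =
    { 0, 1, 0, 1, 0, 0, 0, 60, 0, 4, 192, 0, 2, 1 };

/* Length the parser may see, however many octets recv() returned. */
size_t parser_len(size_t received)
{
    return received > DNS_UDP_MAX ? DNS_UDP_MAX : received;
}

/* Unpack the RR fields at *off. Returns 0 on success; on truncation returns
 * -1 with *rr zeroed, so no half-unpacked type/class is left behind. */
int rr_unpack(const unsigned char *buf, size_t len, size_t *off, struct rr *rr)
{
    size_t p = *off;
    memset(rr, 0, sizeof *rr);
    if (p > len || len - p < 10)  /* type, class, ttl, rdlength: 10 octets */
        return -1;
    rr->type = (unsigned short)(buf[p] << 8 | buf[p + 1]);
    rr->rr_class = (unsigned short)(buf[p + 2] << 8 | buf[p + 3]);
    rr->ttl = (unsigned long)buf[p + 4] << 24 | (unsigned long)buf[p + 5] << 16
            | (unsigned long)buf[p + 6] << 8 | buf[p + 7];
    rr->rdlength = (unsigned short)(buf[p + 8] << 8 | buf[p + 9]);
    p += 10;
    if (len - p < rr->rdlength) { /* RDATA runs past the end of the message */
        memset(rr, 0, sizeof *rr);
        return -1;
    }
    rr->rdata = buf + p;
    *off = p + rr->rdlength;
    return 0;
}
```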
wessels [Thu, 2 Nov 2000 04:48:16 +0000 (04:48 +0000)]
DW:
- replacement should use SwapDir high/low values, not the global ones.
Made this patch for diskd some time ago, but never duplicated the
patch in all the other fs duplicated code.
adrian [Tue, 17 Oct 2000 14:06:01 +0000 (14:06 +0000)]
Andres Kroonmaa's MemPool tidyup, take 1. Take a whole bunch of
xmalloc/xcalloc's and replace them with mempool'ed versions of
things. Not everything has been converted, but this is a start.
Notable weirdnesses are:
* aufs - there are now a few pools which are used for string allocation
for things like object paths. This might not be the most optimal
solution but it's better than what existed.
* pconn.c - an initial pconn FD set is mempool'ed, and if the pconn set
grows bigger than PCONN_FD_SZ it changes to xmalloc()
* client_side.c - the incoming request buffer is now initially mempooled,
of size CLIENT_REQ_BUF_SZ (4096 bytes atm). If it needs to grow, it
changes to xmalloc()
wessels [Fri, 13 Oct 2000 12:35:05 +0000 (12:35 +0000)]
DW:
- We have to test the bit before calling file_map_bit_reset.
file_map_bit_reset doesn't do bounds checking. It assumes
filn is a valid file number, but it might not be because
the map is dynamic in size. Also clearing an already clear
bit puts the map counter out-of-whack. Damn, been looking
for that bug for a long time.
wessels [Wed, 11 Oct 2000 00:15:30 +0000 (00:15 +0000)]
DW:
- My change to eliminate stdio from net_db.c sucked. It leaked memory,
and it had awkward buffer offset junk. It's probably better to
use the logfile.c code, which unfortunately requires a change
to logfileOpen(). Previously the logfile code exited with
a fatal message if there was an error opening or writing the
file. For netdb we don't care that much, so I added a "fatal"
flag to logfileOpen().
wessels [Tue, 10 Oct 2000 08:22:25 +0000 (08:22 +0000)]
DW:
- I get coredumps in free() with CommWriteStateCallbackAndFree sometimes.
Not sure if there is a bug here, but it seems like that code could
lead to double-freeing the buffer. This change makes it safer by
NULL-ing the free_func before freeing the buffer.
wessels [Tue, 10 Oct 2000 08:10:42 +0000 (08:10 +0000)]
DW:
- Changed "WARNING: swapin MD5 mismatch" logging so that it is printed
only on powers of ten, just like "ignored XX replies non-peer"
messages in neighbors.c.
wessels [Tue, 10 Oct 2000 00:37:10 +0000 (00:37 +0000)]
DW:
- in storeClientReadHeader I see no reason to stay in the loop checking
swap header values when we find a mismatch. Currently every
bad swapfile is displaying both MD5 mismatch and URL mismatch.
wessels [Fri, 6 Oct 2000 11:12:35 +0000 (11:12 +0000)]
DW:
- In lru_remove(), it seems to be possible for an entry to exist
in the hash but not be in the LRU list, so check for that case
rather than suffer a NULL pointer access.
wessels [Thu, 5 Oct 2000 00:25:35 +0000 (00:25 +0000)]
Takahiro Kambe <taca@kyoto.jepro.co.jp>:
- I compiled squid 2.3STABLE4 and found that three error documents
weren't translated in Japanese. And I found a missing translation
in the Japanese error document which I sent in 2.3STABLE2 days.
So I'll send those documents now. I've attached the translated
files.
wessels [Thu, 5 Oct 2000 00:23:57 +0000 (00:23 +0000)]
Dan Larsson <root@tyfon.net>:
- The error template ERR_TOO_BIG is missing in the Swedish errors.
I've translated the English version from Squid-2.3STABLE4.
wessels [Wed, 4 Oct 2000 23:09:24 +0000 (23:09 +0000)]
"Nguyen, Hai" <hnguyen@websense.com>:
- If a redirector returns 301/302 Squid would ignore the new Location
if the original URL is a cache hit. So, we need to force all
301/302 redirects to be cache misses.
wessels [Wed, 4 Oct 2000 21:32:13 +0000 (21:32 +0000)]
DW:
- Fixed range_offset_limit, again. The problem this time is that
client_side.c wouldn't set the we_dont_do_ranges flag for normal
cache misses. It was only being set for requests that might
have been hits, but we decided to change to a miss. I moved half
of clientCheckRangeOffsetLimit into HttpHdrRange.c and called
it httpHdrRangeOffsetLimit. The other half stays in client_side.c
but is now called clientCheckRangeForceMiss. Also removed the
confusing we_dont_do_ranges flag.
wessels [Wed, 4 Oct 2000 08:18:48 +0000 (08:18 +0000)]
DW:
- log SSL status codes in access.log. Since ssl.c doesn't know about
HttpReply or MemObject, the least ugly way to do this seems to be
passing a pointer to the HTTP status variable.
wessels [Wed, 4 Oct 2000 07:12:48 +0000 (07:12 +0000)]
DW:
- It was wrong to set the dont_retry flag in fwdConnectDone when
we can't look up the IP address of a neighbor cache. It's likely
that there is an option to connect directly to the origin server,
so forward.c should keep trying, rather than giving up so quickly.
Now we only set dont_retry if we fail to look up the origin server
IP address.
wessels [Wed, 4 Oct 2000 06:24:16 +0000 (06:24 +0000)]
DW:
- Simplified ipcache internals in the same manner as the fqdncache code.
The ipcache structures have been made internal to ipcache.c. The
status variable is gone. IPcache entries are added to the hash table
only after the lookup completes. There is no more need for
ipcacheUnregister. etc.
wessels [Wed, 4 Oct 2000 04:38:13 +0000 (04:38 +0000)]
DW:
- This patch makes a fundamental change to the FQDN cache internals.
Before, FQDN entries could be in the hash (i.e. public) and in
a pending state. Additional lookup requests for an entry in the
pending state would be joined to the pending entry. Thus, we would
only bother the DNS server for one lookup even if many clients were
interested in it. The problem is that if one lookup got "stuck" for
some reason, many clients would be blocked.
Now the pending lookups are "private" and are made public only
after the DNS server responds. The disadvantage is that we bother
the DNS server for parallel requests, but we wouldn't block all of
Squid's clients if one of those queries got stuck.
This patch also removes the ugliness of needing to "rename" stuck
queries after some timeout in order to try getting a fresh
response.
wessels [Wed, 4 Oct 2000 02:51:04 +0000 (02:51 +0000)]
DW:
- This ugly hack is here to prevent the user from seeing a negative
byte hit ratio. When we fetch a cache digest from a neighbor,
it gets treated like a cache miss because the object is consumed
internally. Thus, we subtract cache digest bytes out before
calculating the byte hit ratio.
DW:
- IP-Filter changed the type for SIOCGNATL between 3.3 and 3.4.
It also changed the cmd value for SIOCGNATL, so at least we can
detect it. We could put something in configure and use ifdefs
here, but this seems simpler.
DW:
- This change collapses multiple dots in hostnames to single dots. For
example www....foo....com becomes www.foo.com. This only recently
became a problem with internal DNS lookups. gethostbyname() seems
to generate a failure for multiple-dotted hostnames, but Squid's
internal DNS code does not.
hno [Sat, 19 Aug 2000 20:23:18 +0000 (20:23 +0000)]
Cleanup of make dependencies to fix the parallel build races.
Actually the problem was quite basic, and also manifested itself on
the call to cf_gen.
The problematic rules look like:

    target1 target2: some.dependency
            command which makes both of target1 and target2

this is incompatible with make -j, as make assumes the command only
builds one of the targets (the one available in $@).
There are two ways to work around this. One is to make the command
only build one of the targets (as done in fs/ and repl/), the other to chain
dependencies between the two targets with some "magic" to have the first
target in the chain rebuilt in case it alone gets removed:

    target1: target2
            @sh -c "test -f target1 || command to regenerate the targets"
    target2: dependency
            command to regenerate the targets

Tested on RedHat Linux 6.2 (GNU Make) and FreeBSD 4.0.
hno [Sat, 19 Aug 2000 12:10:00 +0000 (12:10 +0000)]
Added a default xmalloc and friends failure_notify handler used when the
main program hasn't installed one. These functions are used by more binaries
than the main Squid binary, and not all (only the squid binary) install
a failure_notify handler. The others cause a SEGV when trying to call
the nonexistent failure_notify handler.
adrian [Thu, 17 Aug 2000 15:15:06 +0000 (15:15 +0000)]
Tidying up some memory allocation code, so MemPool code is always
freed correctly, and making sure that the mempools that DO exist for
some structures are actually used.
adrian [Tue, 15 Aug 2000 13:14:03 +0000 (13:14 +0000)]
Allow the hot object -> transit object transition point to be configurable,
rather than hard-coded at SM_PAGE_SIZE. This change should allow a higher
memory hitrate, and makes the current object memory code kind of behave like
the old 'all or nothing' hot object memory cache.
This change should now be placed in the handbook/FAQ somewhere.
hno [Mon, 14 Aug 2000 03:18:09 +0000 (03:18 +0000)]
The snmp_community ACL check segfaulted if Squid failed to parse
the SNMP query. We might want to backport this to 2.3, and release
it as a patch as this can be used to DOS anyone with SNMP enabled
and using the snmp_community ACL.
A workaround is to base access controls purely on the source address
instead of using a community.