Bug 3969: user credentials cache lookup for Digest authentication broken
Changes to the username credentials cache were made in Basic auth but
the matching changes were not duplicated to Digest auth. Since the
lookup is identical move it to generic Auth::Config.
Nathan Hoad [Sat, 30 Nov 2013 09:17:07 +0000 (02:17 -0700)]
Bug 3972: Segfault when getting the deny info page ID after a reconfigure
Older ACL code was using a stale AclMatchedName value. More recent code resets
the AclMatchedName global to NULL to avoid leaking the stale value, but that
may crash strcmp() in aclGetDenyInfoPage(). Long-term, the global should be
removed, of course.
Alex Rousskov [Thu, 21 Nov 2013 21:54:29 +0000 (14:54 -0700)]
Re-compute Range response content offset after an FTP response was adapted.
Moved HTTP-only offset calculation code to the general ServerStateData code so
that [converted-to-HTTP] FTP responses can use it. FTP code computes the range
offset on its own earlier, but we must REcalculate in case the response is
adapted into a response with a different (or no) content range.
aclocal on Windows cannot handle line-wrapping \ characters and leaves
them present in the output m4 code. in side AC_CONFIG_FILES macro this
results in a mystery file '\\r' being 'registered'.
The list of Makefiles does not even need ths line-wrap indicator as
demonstrated by the tools/Makefile missing its one for some time without
problems.
Amos Jeffries [Wed, 20 Nov 2013 00:06:58 +0000 (17:06 -0700)]
Make HTTP header parser obey relaxed_header_parser
Some unimportant warnings were not obeying the directives silent/loud
setting values.
This abstracts the condition to simplify code and make all the
non-critical warnings depend on the directive for their display level.
Alex Rousskov [Sun, 10 Nov 2013 23:02:08 +0000 (16:02 -0700)]
Replace blocking sleep(3) and close UDS socket on failures.
The two addressed XXX were not causing any known serious bugs on their own,
but the blocking sleep was ugly and possibly in the way of further
kid registration fixes/improvements.
Squid fails parsing error-details.txt template when one or more listed
OpenSSL errors are not supported on running platform.
This patch add a hardcoded list of OpenSSL errors wich can be optional.
Coordinator should not send SNMP client FD to strands when broadcasting SNMP
requests. Strands do not need the descriptor and were forgetting to close it,
causing one FD leak on every SNMP query in SMP mode.
Enhance Ipc::TypedMsgHdr to be able to tell whether the message has a FD.
Alex Rousskov [Sun, 3 Nov 2013 08:37:57 +0000 (01:37 -0700)]
Avoid "hot idle": A series of rapid select() calls with zero timeout.
Squid uses "infinite" precision when it comes to deciding whether the next
timed event is ready but uses millisecond (1e-3) precision when deciding how
long to wait before the next event will be ready. This inconsistency results
in the EventScheduler engine telling the main loop that it has 0 milliseconds
to poll pending I/O, but when asked again (after the I/O is quickly polled),
the EventScheduler engine often does not schedule the promised event and tells
the main loop to poll for another 0 milliseconds again. This cycling may
happen many times in a row (until enough time is wasted for the next event to
become ready using higher precision).
The fixed code adds a minimum 1ms delay for not-yet-ready events. It also
places both decisions into one method (EventScheduler::timeRemaining), and
tries to polish/document decision logic (which is more complex than it may
seem) because the code has to avoid both inconsistent decisions and hot idle
loops while maintaining the traditional "no event is fired before it is due"
guarantee.
TODO: Idle Squid still runs hotter than it should because the maximum waiting
time is artificially capped outside the event queue to EVENT_LOOP_TIMEOUT=1s.
This causes at most one extra loop iteration per second.
Amos Jeffries [Thu, 24 Oct 2013 15:35:08 +0000 (09:35 -0600)]
Add cache_miss_revalidate
Port of 2.7 ignore_ims_on_miss directive by Henrik Nordstrom.
This on/off switch enables Squid to convert conditional requests from
clients to non-conditional fetches that can fill the cache faster under
cold-start conditions.
Alex Rousskov [Thu, 24 Oct 2013 15:27:49 +0000 (09:27 -0600)]
Bug 3480: StoreEntry::kickProducer() segfaults in store_client::copy()
context
Short-term fix: Lock StoreEntry object so that it is not freed by
storeClientCopy2() callbacks. Also lock StoreEntry in storeUnregister()
context because an aborting entry may be deleted there unless it is
double-locked.
See bug 3480 comment #27 for detailed call stack analysis. Additional
cases
include rejected copied HIT due to Var mismatch and hits blocked by
reply_from_cache directive (under development; see bug 3937).
Long-term, we need to make store copying asynchronous and revise
StoreEntry
locking approach.
Amos Jeffries [Thu, 24 Oct 2013 15:26:21 +0000 (09:26 -0600)]
Fix CBDATA_CLASS2 macro definition
CBDATA_UNKNOWN was being used in place of a void no-op statement.
This was incorrect and useless. Now that the value definition is fixed
it is being picked up by the stricter compilers.
Replace the trinary conditional with an if-statement.
Amos Jeffries [Thu, 3 Oct 2013 11:17:30 +0000 (05:17 -0600)]
Use IPv6 localhost nameserver on DNS configuration errors
When DNS configuration fails to locate a set of nameservers "localhost"
is used as the default but has previously only been setting 127.0.0.1
IPv4 address for localhost. This enables the failover to work as
designed on IPv6-only networks.
Alex Rousskov [Sun, 29 Sep 2013 17:28:00 +0000 (11:28 -0600)]
Close idle client connections associated with closed idle pinned connections.
Squid was not monitoring idle persistent connections pinned to servers. Squid
would discover that the pinned server connection is closed only after
receiving a new request on the idle client connection and trying to write that
request to the server. In such cases, Squid propagates the pinned connection
closure to the client (as it should).
Chrome and, to a lesser extent, Firefox handle such races by opening a new
connection and resending the failed [idempotent] request transparently to the
user. However, IE usually displays an error page to the user.
While some pconn races cannot be avoided, without monitoring idle pconns,
Squid virtually guaranteed such a race in environments where origin server
idle connection timeout is smaller than client/Squid timeouts and users
are revisiting pages in the window between those two timeouts.
Squid now monitors idle pinned connections similar to idle connections in the
pconn pool and closes the corresponding idle client connection to keep the two
sides in sync (to the extent possible).
It is theoretically possible that this change will break servers that send
whitespace on an idle persistent connection or perhaps send some SSL keepalive
traffic. No such cases are known to exist though.
Revert r12609 due to compile errors on stable branch
src/ssl/support.cc:302: error: expected type-specifier
src/ssl/support.cc:302: error: cannot convert 'int*' to 'Ssl::Errors*' in assignment
src/ssl/support.cc:302: error: expected `;'
src/ssl/support.cc:303: error: 'class ACLFilledChecklist' has no member named 'serverCert'
src/ssl/support.cc:312: error: 'class ACLFilledChecklist' has no member named 'serverCert'
src/ssl/support.cc:316: error: 'TheConfig' is not a member of 'Ssl'
src/ssl/support.cc:319: error: 'ssl_ex_index_ssl_cert_chain' was not declared in this scope
src/ssl/support.cc:495: error: a function-definition is not allowed here before '{' token
src/ssl/support.cc:1595: error: expected `}' at end of input
Windows: locate CMSG definitions in WinSock2.h when present
Windows defines the CMSG macros in WinSock2.h sometimes. This allows the
definitions there to be used when present and avoids compiler errors
about double definitions.
Bug 3849: Duplicate certificate sent when using https_port
The certificate file given with the "cert=" option it may contain a list
of
certificates to be chained to the SSL client, for example intermediate
certificates.
The bug caused because in the certificates chain we are storing also
the
certificate of the port. This is works well for SSL-bump because squid
generates a certificate which uses the port certificate as CA
certificate.
But in the case of https_port without bumping the port certificate is
sent
twice, one as SSL server certificate and one as chained certificate.
This patch try to chain port certificate only when the sslbump is used.
The port name from http_port/https_port was not being propigated to
adapted reqeusts after ICAP/eCAP. Which makes the myportname ACL and
logging of portname not work on adapted requests.
Windows: fix collision between POSIX wrappers and DiskIO class methods
The POSIX function shutdown() is #define'd on Windows. This causes
compiler issues with the DiskIO method of same name. Rename the method
to gracefulShutdown() instead.
Also, Bug 3189 was incomplete and missed a change to DiskThreads
Windows initialization method.
Jan Sievers [Tue, 10 Sep 2013 11:28:13 +0000 (05:28 -0600)]
Regression Bug 3077: off-by-one error in Digest header decoding
This is a regression in the 3.2 and later version of the original bug
fix patch.
The effect is that all attributes are treated as quoted-string values
with unescaping performed. This ends with credentials wrongly being
rejected as invalid.
Squid would semi-silently accept invalid IP address or hostname in some
directives which required them (eg wccp_router) and use the magic
IP_ANYADDR value. This change makes configure halt with a FATAL error
instead.
Handle infinite certificate validation loops caused by OpenSSL bug #3090.
If OpenSSL is stuck in a validation loop, Squid breaks the loop and
triggers a
new custom SQUID_X509_V_ERR_INFINITE_VALIDATION SSL validation error.
That
error cannot be bypassed using sslproxy_cert_error because to break the
loop
Squid has to tell OpenSSL that the certificate is invalid, which
terminates
the SSL connection.
Validation loops exceeding SQUID_CERT_VALIDATION_ITERATION_MAX
iterations
are deemed infinite. That macro is defined to be 16384, but that default
can
be overwritten using CPPFLAGS.
* _SQUID_WINDOWS_ for any Windows build specific code
* _SQUID_CYGWIN_ for CygWin Windows build specific code
* _SQUID_MINGW_ for MinGW Windows build specific code
Invalid casting seems to confuse the ABI generator and results in
illegal instruction faults when the unit tests is run.
The class API is already const-correct so there is no need for the cast
to occur, and it should not be done on a non-pointer type anyway.
Also, fixes a missing "struct" type identifier found along the way.
This patch sends an If-None-Match request, when we need to re-validate
if a cached object which has a strong ETag is still valid.
This is also done in the cases an HTTP client request contains HTTP
headers prohibiting a from-cache response (i.e., a "reload" request).
The use of If-None-Match request in this context violates RFC 2616 and
requires using reload-into-ims option within refresh_pattern squid.conf
directive.
The exact definition of a "reload request" and the adjustment/removal of
"reload" headers is the same as currently used for reload-into-ims
option support. This patch is not modifying that code/logic, just adding
an If-None-Match header in addition to the IMS header that Squid already
adds.
Fix external ACL user:pass detail logging after adaptation
When a request is successfully adapted, the external ACL username and
password are now inherited with this patch. This means the
LFT_USER_NAME log token can display the username from an external ACL
if available, for adapted requests.
The HttpRequest will inherit the password for good measure as well -
while none too useful, it seems strange to inherit the username but
not the password.
We can do better than just producing errors about invalid port details
and treating it as port-0.
We can instead undo the port separation and pass it through as part of
the host name to be verified with the default port number properly
assumed.
Protect against buffer overrun in DNS query generation
see SQUID-2013:2.
This bug has been present as long as the internal DNS component however
most code reaching this point is passing through URL validation first.
With Squid-3.2 Host header verification using DNS directly we may have
problems.
- The SSL_CTX_new in newer openSSL releases requires a const
'SSL_METHOD *' argument and in older releases requires non const
'SSL_METHD *' argument. Currently we are trying to identify openSSL
version using the OPENSSL_VERSION_NUMBER macro define but we are failing
to correctly identify all cases.
- sk_OPENSSL_PSTRING_value is buggy in early openSSL-1.0.0? releases
causing compile errors to squid.
Amos Jeffries [Sun, 30 Jun 2013 08:45:09 +0000 (02:45 -0600)]
Bug 3762: remove bogus WARNING in cache.log
The warning is bogus for several reasons:
* it appears with memory-only cache configurations
* it only checks the size of first SwapDir (as seen in bug 3762)
* very large memory spaces are now possible which may make disk appear
small by comparison.
Its usefulness in detecting memory and disk misconfigurations has long
been almosy nil. Removing this entirey to resolve the bogus noise in
the above mentioned legitimate configurations.
Alexis Robert [Sat, 29 Jun 2013 08:23:49 +0000 (02:23 -0600)]
Fix Ip::Address::operator =(sockaddr_storage)
The memcpy() for AF_INET6 is using a length of sizeof(sockaddr_in) instead
of sizeof(sockaddr_in6), so squid was trying to connect to truncatured IPv6
addresses with strange ports.
Alex Rousskov [Sat, 29 Jun 2013 08:20:01 +0000 (02:20 -0600)]
Make sure %<tt includes all [failed] connection attempts.
The old code was using zero n_tries to detect the first connection
attempt,
but n_tries is not incremented when we are opening a new connection
rather
than reusing an old one. Perhaps n_tries should be updated differently
as
well, but this change simply makes %<tt (hier.total_response_time)
management
independent from that [complex] counter.
Alex Rousskov [Wed, 5 Jun 2013 13:00:09 +0000 (07:00 -0600)]
Bug 3717: assertion failed with dstdom_regex with IP based URL
A combination of ACL negation and async lookup leads to
Checklist.cc:287:"!needsAsync && !matchFinished" assertions.
The lower-level ACL code says "not a match because I need an async lookup" but
the negation-handling code in ACL::matches() ignores the "need an async
lookup" part and converts "not a match" into a "match". This patch prevents
that conversion, while allowing Checklist code to decide what to do with
an async lookup (depending on whether the directive being checked supports
slow ACLs).
Note that this change prevents admins from negating async lookups in
directives that do not support them: both "!foo" and "foo" will probably not
match in those directives if ACL foo needs an async lookup.
projects / thirdparty / squid.git / log
