Bug 3969: user credentials cache lookup for Digest authentication broken
Changes to the username credentials cache were made in Basic auth but
the matching changes were not duplicated to Digest auth. Since the
lookup is identical move it to generic Auth::Config.
Amos Jeffries [Sun, 2 Feb 2014 02:47:38 +0000 (19:47 -0700)]
Fix peerSelectDnsResults() IP address cycling
The local ip variable is the index of the IP address to be used.
Loop counter n is only used to prevent cycling indefinitely and should
not be used to access the array indexes.
Patch written by 'dim [1]' contributor to FreeBSD and imported to Squid
under FreeBSD license. see
http://svnweb.freebsd.org/ports/head/www/squid33/files/patch-include__Array.h
When running Squid in SMP mode, the 'client_list' command cannot be used as the
coordinator doesn't call clientdbInit(), and thus doesn't have the client_list
action registered.
This patch uses RegisteredRunner to initialize clientdb and register the
'client_list' command
Amos Jeffries [Wed, 22 Jan 2014 03:29:15 +0000 (20:29 -0700)]
Fix external_acl_type async loop failures
When external_acl_type uses %LOGIN and is required to trigger async
authentication lookups it returns and hits the async loop prevention
check when starting to trigger its own external helper lookup. This
results in a DUNNO output from the helper as final status instead of
the real helper lookup result.
Avoid these by allowing async helpers to loop several times before
aborting the lookups.
Also, extend debug message to indicate loop count.
Thanks to Peter Benko for tracking down the issue and testing solutions.
Amos Jeffries [Sun, 12 Jan 2014 02:07:51 +0000 (19:07 -0700)]
Disable error page translation by default in builds
There is no need for every build from VCS to have fresh translations.
Enable explicitly for snapshot and release scripts instead so that
translated template files are still available online and pre-translated
in the distributed packages.
Alex Rousskov [Sun, 12 Jan 2014 01:49:08 +0000 (18:49 -0700)]
Centrally destroy all ACLs to avoid destruction segfaults
... during reconfiguration.
Group ACLs created later may use other ACLs created earlier and vice
versa, a group ACL created earlier may use other ACLs created later.
The latter is possible when an ACL (e.g., A2 below) is declared when the
group already exists:
acl A1 src 127.0.0.1
acl Group all-of A1
acl A2 src 127.0.0.2
acl Group all-of A2
Thus, the group (i.e., InnerNode) ACL destructor may access already
deleted children regardless of the global ACL deletion order (FIFO or
LIFO with respect to ACL creation). Instead of relying on the deletion
order to protect InnerNode, we remove the InnerNode ACL destructor
completely and rely on a global set of registered ACLs to destroy all
ACLs.
The old code was destroying all explicit ACLs in the same centralized
fashion. We now add implicit ACLs (commonly used by InnerNodes) to the
centralized destruction sequence. We added a new destruction-dedicated
container to avoid messing with the by-name ACL search that
Config.aclList global is used for.
This new container will become unnecessary once we start refcounting
ACLs.
Jakob Bohm [Wed, 25 Dec 2013 21:36:07 +0000 (14:36 -0700)]
Bug 3985: 60s limit introduced by balance_on_multiple_ip breaks bad IP recovery
Alternative fix if necessary would be to calculate a dynamic timeout
value based on number and timeouts for connections and forwarding.
However, as noted in the bug report the address markings are reset every
TTL when the stored RR are replaced. This meets the criteria for
periodic
retries of marked-BAD IPs. Also if all IPs are marked BAD they all get
un-marked and retried. So for now just remove the TTL hack.
Amos Jeffries [Wed, 25 Dec 2013 21:35:15 +0000 (14:35 -0700)]
Fix \-unescaping in quoted strings from helpers
strwordtok() was unescaping '\' values in unquoted tokens. This causes
problems with NTLM helper response user\DOMAIN values which are sent as
a un-quoted un-escaped value.
Restrict un-escaping of '\' to only occur when inside "quoted" words.
Amos Jeffries [Wed, 25 Dec 2013 21:34:33 +0000 (14:34 -0700)]
WCCPv2: fix assertion 'Cannot convert non-IPv4 to IPv4' on FreeBSD
FreeBSD does not set the from-address on recv() if there was an error
reading the packet. This can result in Ip::Address assertion if the
error is not checked for before the IP address is mapped into Squid
internal format.
Bug 3980: FATAL ERROR due to max_user_ip -s option
NP: unit test for -s option temporarily removed and replaced with manual
testing due to 3.4 series parser flags handlign being done at the ACL
module level instead of ACl test.
Amos Jeffries [Thu, 19 Dec 2013 07:55:03 +0000 (00:55 -0700)]
Fix linker errors "relocation R_X86_64_32 against .rodata"
... "can not be used when making a shared object; recompile with -fPIC"
Caused by some libraries built without libtool in certain environments.
NP: there are other libraries in Squid built without libtool but they
appear not to be having these linker issues at this time.
Also, fixes "undefined symbol eui64_aton" uncovered by these changes.
Amos Jeffries [Sun, 15 Dec 2013 05:33:33 +0000 (22:33 -0700)]
Regression in URL helper API
The backward compatibility logics in redirect.cc are not working as
intended on redirection URLs due to the presence of '=' in the URL and
how the key=value name parsing is performed.
A typical redirection URL looks like:
http://example.com/?url=http://www.example.net/
and 3.4 has a parser that splits tokens at '=' unconditionally and then
passes the bits as a key and value to the redirector logics which
complains that it does not understand the answer of the URL redirector.
Or treats is an an unknown key=value with no redirection URL.
Either case is handled as a no-redirection result from the helper.
This limits the key names to alphanumeric, hyphen and underscore
characters. Valid URL responses contain characters outside this set and
should no longer be interpreted as keys regardless of the '=' character.
Alex Rousskov [Fri, 6 Dec 2013 12:18:19 +0000 (05:18 -0700)]
Destroy ACLs in the reverse order of creation to avoid destruction segfaults
during reconfiguration.
Group ACLs created later may use other ACLs created earlier. A group ACL must
be deleted first so that its AclDeleter can safely access registration status
(and avoid double deletion) of the ACLs it uses. Since ACLs are remembered (in
Config.aclList) using a singly-linked list, it is difficult to change their
deletion order. Instead, we change their listing order from FIFO to LIFO.
Amos Jeffries [Fri, 6 Dec 2013 12:15:11 +0000 (05:15 -0700)]
Portability: std::string:npos is not always appropriate for String::npos
On some systems such as Windows MinGW the signed/unsigned property of
std::string::npos does not match up with the Squdi String class size_type
signed/unsigned property. Resulting in compiler signed vs unsigned
mismatch errors when compiling.
Nathan Hoad [Sat, 30 Nov 2013 09:16:25 +0000 (02:16 -0700)]
Bug 3972: Segfault when getting the deny info page ID after a reconfigure
Older ACL code was using a stale AclMatchedName value. More recent code resets
the AclMatchedName global to NULL to avoid leaking the stale value, but that
may crash strcmp() in aclGetDenyInfoPage(). Long-term, the global should be
removed, of course.
Amos Jeffries [Fri, 29 Nov 2013 10:55:53 +0000 (03:55 -0700)]
Receive annotations from authentication and external ACL helpers
This saves the kv-pair from authentication and ACL helper responses as
annotations on the HttpRequest and pass on from there to logging.
Added a method appendNewOnly() to ensure duplicate-free addition
to a NotePairs list.
Also, fixes a bug in hasPair() accessor which was returning true
if either the key OR the value matched.
ie. hasPair("a","1") would match true for notes "a=2 b=1"
Alex Rousskov [Tue, 19 Nov 2013 22:51:46 +0000 (15:51 -0700)]
Re-compute Range response content offset after an FTP response was adapted.
Moved HTTP-only offset calculation code to the general ServerStateData code so
that [converted-to-HTTP] FTP responses can use it. FTP code computes the range
offset on its own earlier, but we must REcalculate in case the response is
adapted into a response with a different (or no) content range.
aclocal on Windows cannot handle line-wrapping \ characters and leaves
them present in the output m4 code. in side AC_CONFIG_FILES macro this
results in a mystery file '\\r' being 'registered'.
The list of Makefiles does not even need ths line-wrap indicator as
demonstrated by the tools/Makefile missing its one for some time without
problems.
Amos Jeffries [Tue, 19 Nov 2013 22:45:02 +0000 (15:45 -0700)]
Make HTTP header parser obey relaxed_header_parser
Some unimportant warnings were not obeying the directives silent/loud
setting values.
This abstracts the condition to simplify code and make all the
non-critical warnings depend on the directive for their display level.
Alex Rousskov [Sun, 10 Nov 2013 23:01:35 +0000 (16:01 -0700)]
Replace blocking sleep(3) and close UDS socket on failures.
The two addressed XXX were not causing any known serious bugs on their own,
but the blocking sleep was ugly and possibly in the way of further
kid registration fixes/improvements.
Squid fails parsing error-details.txt template when one or more listed
OpenSSL errors are not supported on running platform.
This patch add a hardcoded list of OpenSSL errors wich can be optional.
Coordinator should not send SNMP client FD to strands when broadcasting SNMP
requests. Strands do not need the descriptor and were forgetting to close it,
causing one FD leak on every SNMP query in SMP mode.
Enhance Ipc::TypedMsgHdr to be able to tell whether the message has a FD.
Alex Rousskov [Fri, 1 Nov 2013 01:25:17 +0000 (19:25 -0600)]
Avoid "hot idle": A series of rapid select() calls with zero timeout.
Squid uses "infinite" precision when it comes to deciding whether the next
timed event is ready but uses millisecond (1e-3) precision when deciding how
long to wait before the next event will be ready. This inconsistency results
in the EventScheduler engine telling the main loop that it has 0 milliseconds
to poll pending I/O, but when asked again (after the I/O is quickly polled),
the EventScheduler engine often does not schedule the promised event and tells
the main loop to poll for another 0 milliseconds again. This cycling may
happen many times in a row (until enough time is wasted for the next event to
become ready using higher precision).
The fixed code adds a minimum 1ms delay for not-yet-ready events. It also
places both decisions into one method (EventScheduler::timeRemaining), and
tries to polish/document decision logic (which is more complex than it may
seem) because the code has to avoid both inconsistent decisions and hot idle
loops while maintaining the traditional "no event is fired before it is due"
guarantee.
TODO: Idle Squid still runs hotter than it should because the maximum waiting
time is artificially capped outside the event queue to EVENT_LOOP_TIMEOUT=1s.
This causes at most one extra loop iteration per second.
Amos Jeffries [Wed, 23 Oct 2013 05:11:22 +0000 (23:11 -0600)]
Add cache_miss_revalidate
Port of 2.7 ignore_ims_on_miss directive by Henrik Nordstrom.
This on/off switch enables Squid to convert conditional requests from
clients to non-conditional fetches that can fill the cache faster under
cold-start conditions.
Alex Rousskov [Wed, 23 Oct 2013 05:10:17 +0000 (23:10 -0600)]
Bug 3480: StoreEntry::kickProducer() segfaults in store_client::copy()
context
Short-term fix: Lock StoreEntry object so that it is not freed by
storeClientCopy2() callbacks. Also lock StoreEntry in storeUnregister()
context because an aborting entry may be deleted there unless it is
double-locked.
See bug 3480 comment #27 for detailed call stack analysis. Additional
cases
include rejected copied HIT due to Var mismatch and hits blocked by
reply_from_cache directive (under development; see bug 3937).
Long-term, we need to make store copying asynchronous and revise
StoreEntry
locking approach.
Amos Jeffries [Sun, 13 Oct 2013 13:41:55 +0000 (07:41 -0600)]
Fix CBDATA_CLASS2 macro definition
CBDATA_UNKNOWN was being used in place of a void no-op statement.
This was incorrect and useless. Now that the value definition is fixed
it is being picked up by the stricter compilers.
Replace the trinary conditional with an if-statement.
Amos Jeffries [Thu, 3 Oct 2013 11:12:31 +0000 (05:12 -0600)]
Add --disable-arch-native build option
The -march-native option is required by Clang 3.2 on some CPU
and produces better optimization in binaries by GCC.
But building inside a virtual machine environment has been found to
cause random Illegal Instruction errors due to mis-detection of CPU.
This option is added to permit selective disabling of teh preferred
default (which is to use the compiler flag when available).
Amos Jeffries [Thu, 3 Oct 2013 11:10:43 +0000 (05:10 -0600)]
Fix various header build issues in librfcnb
Highlighted when the #include sorting was applied to lib/rfcnb/ files
several of the headers were using order-dependent definitions and were
not wrapped with sfety macros.
Amos Jeffries [Thu, 3 Oct 2013 11:02:34 +0000 (05:02 -0600)]
Portability: cleanup includes for sys/time.h and sys/resource.h
These two include files are order-dependent on several operating systems
and as such are provided by Squid libcompat headers. There is no need for
code to include them specially and several HAVE_SYS_TIME_H macros were
missing which breaks the build on systems where the file is missing.
Markus Moeller [Thu, 3 Oct 2013 10:47:40 +0000 (04:47 -0600)]
negotiate_kerberos_auth: upgrade to present group= keys
Use the new kv-pair protocol extensions for emitting group details
directly at the time of authentication. group=X key-value pair is
used to emit the Kerberos SIDS values presented by MS Active
Directory environments.
Also, update the Hiemdal library support for recent library versions.
Also, polish the Kerberos and LDAP Group related code to avoid memory
leaks and improve C++ coding style.
Amos Jeffries [Thu, 3 Oct 2013 10:38:31 +0000 (04:38 -0600)]
Use IPv6 localhost nameserver on DNS configuration errors
When DNS configuration fails to locate a set of nameservers "localhost"
is used as the default but has previously only been setting 127.0.0.1
IPv4 address for localhost. This enables the failover to work as
designed
on IPv6-only networks.
Alex Rousskov [Sat, 28 Sep 2013 15:38:33 +0000 (09:38 -0600)]
Regression Bug 3891: squid.conf parser errors in 3.4.0.1
Alternative implementation for configuration_includes_quoted_values and
quoted string support in squid.conf that avoids the extensions attempted
in 3.4.0.1 leading to parse errors from overly strict parsing of all
directives parameters.
Documentation updated by Amos Jeffries, Treehouse Networks Ltd.
This feature has turned out to be more buggy than previously thought.
After a very log series of discussions the upgrade has been re-thought
and will not include this code in 3.4 series.
projects / thirdparty / squid.git / log
