Fixed detection of various custom lines around "numerous individuals" boilers.
Recognize more custom lines inside boilerplates.
Recognize multi-author lines with a single AUTHOR prefix. Split multi-author
claims (does not fully work in a few some complex cases, but that is OK).
Cleaned up reported claims a little.
Preserve "inspired by" comments when replacing their home boilerplates.
Alex Rousskov [Thu, 3 Oct 2013 00:17:12 +0000 (18:17 -0600)]
Adjusted unusual boilerplates to allow scripts/source-mangler.pl to update them
automatically.
The script tries to be extra careful and skips what it feels may be a custom
boilerplate that requires a manual intervention. The cases handled by this
commit are simple, non-controversial ones.
Handle all common boilerplate cases in src/,
leaving about a dozen known exceptions.
Report copyright-related claims if a recognized boilerplate containing them is
going to be replaced with a standard one. These claims should then be cross
referenced with CONTRIBUTORS and CREDITS, updating those files if needed.
Boilerplates should not contain variable information, such as individual
copyright claims.
Leave DEBUG section information as a separate comment.
Amos Jeffries [Wed, 2 Oct 2013 12:21:20 +0000 (06:21 -0600)]
Add --disable-arch-native build option
The -march-native option is required by Clang 3.2 on some CPU
and produces better optimization in binaries by GCC.
But building inside a virtual machine environment has been found to
cause random Illegal Instruction errors due to mis-detection of CPU.
This option is added to permit selective disabling of teh preferred
default (which is to use the compiler flag when available).
Amos Jeffries [Wed, 2 Oct 2013 03:41:06 +0000 (21:41 -0600)]
Fix build errors in rev.13012
static functions defined in headers (.h) must be used in all .cc which
include them. Functions which are not always used must be defined as
inline instead.
This resolves warning: 'const char* LogTime()' defined but not used
Alex Rousskov [Wed, 2 Oct 2013 01:12:35 +0000 (19:12 -0600)]
Initial changes to streamline copyright declarations in Squid sources
and related metafiles. No functionality or licensing changes are intended.
Once completed, the changes will consistently declare Squid contributors
(listed in CONTRIBUTORS and represented by the Squid Software Foundation) as
Squid copyright owners while referring the reader to the COPYING file for GPL
licensing details. The boilerplate with the above information is provided.
These changes do not affect copyright rights of individuals or organizations.
We are simply confirming the fact that there are many Squid copyright owners,
just like there are many Linux kernel copyright owners. We are also providing
a simple, consistent way to document that fact.
In this particular commit:
* Enlarged CONTRIBUTORS file scope to include all Squid code contributors, not
just individual volunteers. Added known organizations that contributed Squid
code. We could have two separate files for individuals and organizations,
but there is probably no difference between the two as far as copyright is
concerned so why complicate things?
Ideally, it would be best to isolate non-code contributors (or, to be more
precise, contributors without copyright claims) from the rest of the group,
but doing so is impractical at this point IMHO. We do not state that all
listed contributors have a copyright claim on Squid so our statements remain
correct, albeit not precise.
* Fixed SPONSOR[.list] scope to include those who funded development. The
file entries already included many such sponsors but the preamble excluded
them. If some of those sponsors retained copyright for the developed code,
they should be also listed in the CONTRIBUTORS file. More work is probably
needed to make the latter true as I could only audit entries I know about.
* Explicitly defined CREDITS file scope. Removed Squid copyright/licensing
statement from that file as out of scope (parts of it belong to README,
COPYING, and boilerplates). Polished Harvest/cached entry description,
removing no longer valid URL (that is still mentioned in the Harvest
license, which is preserved "as is", of course).
* Removed COPYRIGHT file. It was very stale, non standard (GNU uses COPYING),
and inaccurate. The Regents of the University of California, a rightful
Squid co-owner have been moved to the CONTRIBUTORS file. Historical facts
about UCSD and NSF NLANR grants is already available in the SPONSORS file.
* Updated README with the standard boilerplate text. That file needs more
polishing work outside this project scope.
Amos Jeffries [Tue, 1 Oct 2013 23:21:17 +0000 (17:21 -0600)]
Remove dnsserver and external DNS helper API
The external DNS helper API places limits on Squid DNS lookups per second
low enough to noticably affect the HTTP requests per second which can be
served.
Request for comments about proposed removal 2 years ago produced feedback
stating that the helper was needed for local name resolution. This is
now available since 3.4 mDNS extensions.
A more recent request for reasons for keeping the helper API have
produced only two responses over the period of several months. Both
indicating that the API is no longer necessary for the business cases of
a year or so ago.
As such and because the helper fails to operate sufficiently on several
major operating systems and the API is difficult to maintain it is being
removed as of Squid-3.5.
Highlighted when the #include sorting was applied to lib/rfcnb/ files
several of the headers were using order-dependent definitions and were
not wrapped with sfety macros.
Perform the long overdue renaming of zh-cn.po an zh-tw.po to Hans and
Hant alphabet files. Add aliases for the 2 and 3 code dialect tags which
are appearing in Asian traffic.
Portability: cleanup includes for sys/time.h and sys/resource.h
These two include files are order-dependent on several operating systems
and as such are provided by Squid libcompat headers. There is no need for
code to include them specially and several HAVE_SYS_TIME_H macros were
missing which breaks the build on systems where the file is missing.
Markus Moeller [Fri, 27 Sep 2013 15:21:54 +0000 (09:21 -0600)]
negotiate_kerberos_auth: upgrade to present group= keys
Use the new kv-pair protocol extensions for emitting group details
directly at the time of authentication. group=X key-value pair is
used to emit the Kerberos SIDS values presented by MS Active
Directory environments.
Also, update the Hiemdal library support for recent library versions.
Also, polish the Kerberos and LDAP Group related code to avoid memory
leaks and improve C++ coding style.
Use IPv6 localhost nameserver on DNS configuration errors
When DNS configuration fails to locate a set of nameservers "localhost"
is used as the default but has previously only been setting 127.0.0.1
IPv4 address for localhost. This enables the failover to work as designed
on IPv6-only networks.
Fixed documentation, tentative alternate dump implementation with Raw api
Improve SBuf::find readability
Improved readability and error reporting in SBuf
Fixed nonfatal bug in snprintf behavior detection
Windows: locate CMSG definitions in Winsock2.h when present
Windows defines the CMSG macros in Winsock2.h sometimes. This allows the
definitions there to be used when present and avoids compiler errors
about double definitions.
Bug 3849: Duplicate certificate sent when using https_port
The certificate file given with the "cert=" option it may contain a list of
certificates to be chained to the SSL client, for example intermediate
certificates.
The bug caused because in the certificates chain we are storing also the
certificate of the port. This is works well for SSL-bump because squid
generates a certificate which uses the port certificate as CA certificate.
But in the case of https_port without bumping the port certificate is sent
twice, one as SSL server certificate and one as chained certificate.
This patch try to chain port certificate only when the sslbump is used.
The port name from http_port/https_port was not being propigated to
adapted reqeusts after ICAP/eCAP. Which makes the myportname ACL and
logging of portname not work on adapted requests.
Windows: fix collision between POSIX wrappers and DiskIO class methods
The POSIX function shutdown() is #define'd on Windows. This causes
compiler issues with the DiskIO method of same name. Rename the method
to gracefulShutdown() instead.
Also, Bug 3189 was incomplete and missed a change to DiskThreads
Windows initialization method.
Alex Rousskov [Sat, 31 Aug 2013 01:32:28 +0000 (19:32 -0600)]
Require passive FTP gw connections to come from the control connection src IP.
Ignore rogue attempts at stealing data connection from legitimate users.
Fixed on-error data connection closing code. On some errors, closed data
connection metadata was left in inconsistent state. After that, RETR/etc.
commands resulted in Squid trying to open an active data connection using
old data connection port info, leading to commBind errors.
Alex Rousskov [Thu, 29 Aug 2013 23:48:21 +0000 (17:48 -0600)]
To minimize TCP races, delay complaining about missing passive data connection
to Squid until we talk to the server.
After PASV, it is possible for the client TCP handshake to reach Squid _after_
a LIST or RETR command is parsed, even if the client properly initiates the
connection before writing the command. We no longer immediately respond with
425 "Data connection is not established" in such cases, but re-check the data
connection availability after we talk to the server.
Alex Rousskov [Thu, 29 Aug 2013 16:38:39 +0000 (10:38 -0600)]
Disclaim support for FTP EPRT and EPSV commands. Exclude them from FEAT
responses.
Squid still assumes that it can support all other FTP commands.
TODO: We probably want to add ftp_support or a similar ACL-driven option
to give admin more control over which commands are supported. This is
different from access control because we want to filter unsupported
commands from FEAT responses as well.
Alex Rousskov [Thu, 29 Aug 2013 14:21:09 +0000 (08:21 -0600)]
Added Expect:100-continue to FTP STOR wrappers for adaptation to avoid stalling
FTP clients that expect an FTP 150 (OK to send data) response from the FTP
server before actually uploading content.
If an adaptation service starts waiting for the PUT request body before
starting to produce an adaptation response (allowing the transaction to reach
the FTP server), the FTP transaction will get stuck. It is not clear why this
has not been a [known] issue with real HTTP requests containing
Expect:100-continue.
Fix configuration file parsing bugs, related to quoted strings
This is patch try to fix problems discussed under the "[PATCH] Unknown cfg function"
mail thread on squid-dev mailing list
Fixes/changes:
- The quoted tokens mode (configuration_includes_quoted_values parameter)
is set to off by default
- If configuration_includes_quoted_values is off the quoted tokens
parsed using the ConfigParser::NextToken include the quotes, to keep
compatibility with older releases.
- The methods ConfigParser::RegexPattern() and ConfigParser::RegexStrtokFile()
added to parse regex tokens. The regex tokens can not be quoted values but
have their own syntax.
- For the cases where quoted strings are required (wordlists, Notes
parsing, Headers with acl), the new ConfigParser::NextQuotedToken method
added.
The old wordlists parser allowed escaping any character, this patch
will return an error if you try to escape alphanumeric characters. The
\r \n and \t have the C semantics.
- Removes the ConfigParser::TokenUndo method. The new method
ConfigParser::NextTokenPreview() which can be used to preview the next
token is added. This method if the next token is invalid (eg unquoted
with special characters) instead of calling self_destruct it will return
the "[invalid token]" as token.
- A set of new flags defined under ConfigParser class to define the type of
parsing: ParseRegex_ (next token is regex) ParseQuotedOrToEOL_
(next token is quoted or to-EOL), PreviewMode_ (just do preview do not
pop next token)
- Currently parser read a line, and the tokens stored on this line
and the line modified while parsed.
This patch extracts the tokens from line and store them to
ConfigParser::CfgLineTokens_ member. This method selected because
1) We may need to parse again the line so we do not want to modify it.
For example call the ConfigParser::PeekAtToken method to check if it
is a flag token ( eg "-i"), and if not call the
ConfigParser::RegexPattern() method to read next regex expression.
2) The current line tokens must stored somewhere to support the following:
char *name = ConfigParser::NextToken();
char *value = ConfigParser::NextToken();
The ConfigParser::CfgLineTokens_ reset when a new config line is read.
TODO:
- The ConfigParser::TokenPutBack method probably should removed in the future
together with the ConfigParser::Undo_ and ConfigParser::Undo().
This method is currently used only in one place (acl regex).
Alex Rousskov [Thu, 29 Aug 2013 00:15:55 +0000 (18:15 -0600)]
Reorganized FTP response storage/wrapping to fix multi-line response gatewaying
Multi-line FTP control responses use various line prefixes to tell the client
that the response continues to the next line. Some multi-line responses use a
"CODE-" line prefix. Some, like FEAT, must use a single space as a line prefix
(except for the first line that uses "CODE-"). Squid was removing the virgin
prefix and then using "CODE-" prefix for all lines, breaking FEAT and probably
other responses.
While modifying original multi-line prefix was a bad idea, leaving FTP
multi-lines "as is" does not work either because HTTP wrapping removes leading
spaces which are significant in FEAT and other FTP responses.
Squid now preserves leading multi-lines by wrapping them using quoted strings.
Adaptation services wishing to interpret multi-lines must unquote any quoted
FTP-* header field values before adaptation and return quoted values back (if
needed). Which FTP-* header values are quoted and which are not may be
value-dependent and may change. Quoting and unquoting requires handling of
HTTP \-CHAR escape sequences.
The last FTP response line has to be treated specially because it has [more]
strict syntax, has to be interpreted by Squid, subjected to squid.conf ACLs,
and is more likely to be adapted. Squid used to wrap all multi-lines into
multiple fields of an FTP-Reason header while only storing the "reason" from
the last multi-line there. That was messy, and became prohibitively so when
multi-line quoting of multi-lines was introduced.
Now Squid wraps all multi-lines except the last one using FTP-Pre header. All
FTP-Pre lines may be wrapped as quoted strings. FTP-Status and FTP-Reason
headers are used for the FTP code and reason phrase from the last line:
FTP-Pre: "123-first line"
FTP-Pre: " second line"
FTP-Status: 123
FTP-Reason: from the third line
Needs more work if there are adaptation services that merge multiple FTP-Pre
header values together.
Alex Rousskov [Tue, 27 Aug 2013 16:47:55 +0000 (10:47 -0600)]
Use more portable 227 (PASV) response format.
RFC1123 says that "The format of the 227 reply to a PASV command is not well
standardized". Evidently, we should not use "227 =a,b,c,d,p1,p2" or
"227 Entering Passive Mode. A1,A2,A3,A4,a1,a2" formats. Some nf_ct_ftp
versions block responses that use those alternative syntax rules!
Alex Rousskov [Tue, 27 Aug 2013 16:19:20 +0000 (10:19 -0600)]
Improved FTP error handling and reporting.
Use FTP 451 response if we intend to keep the control connection open.
Use FTP 421 response if we intend to close the control connection. Some
FTP clients close the control connection upon receiving a 421 response.
Report more error details in FTP_ERROR state (FtpHandleErrorReply) by moving
common error reporting code from FtpWriteForwardedForeign into
FtpWriteErrorReply.
Alex Rousskov [Mon, 26 Aug 2013 19:15:21 +0000 (13:15 -0600)]
Log %<sS (reply content length) as zero when object size is unknown.
For %<sS purposes, Squid computes reply content length as the difference
between "object size" and response headers. When headers were received but the
"object size" is not known (e.g., the promissed response body was never
received), that computation results in misleading negative numbers. We no
longer log them.
Alex Rousskov [Mon, 26 Aug 2013 19:09:40 +0000 (13:09 -0600)]
Support %<st and %<sh logformat codes for FTP gateway responses.
For logging purposes, treat all non-data FTP responses (i.e., bytes written on
the client control connection) as "HTTP headers" because they are similar
"matadata".
Alex Rousskov [Mon, 26 Aug 2013 18:24:02 +0000 (12:24 -0600)]
Added ftp_client_idle_timeout directive to squid.conf.
Many FTP clients do not deal with control connection closures. They cannot
retry pconn races without asking the user for credentials, for example. Thus,
the existing client_idle_pconn_timeout default (2 minutes) does not work well
for FTP clients. One the other hand, increasing that may create too many idle
HTTP connections for Squid to maintain.
The new timeout is specific to ftp_port traffic. It does not affect ftp://...
requests sent to an http[s]_port.
Alex Rousskov [Mon, 26 Aug 2013 17:46:48 +0000 (11:46 -0600)]
Do not close FTP gw server control connection on more server-unrelated errors.
FtpGatewayServer now forgets about its control connection to the server once
it is done communicating with that server. This allows us to preserve that
connection on FTP transaction errors (e.g., forbidden responses or broken
ICAP servers) that are not related to the server communication and can be
ignored as far as the next FTP gatewayed transaction is concerned.
Removed special DONE state because it is now identical to doneWithServer().
Fixed ServerChannel::forget() to prevent subsequent forgotten connection
closure.
Alex Rousskov [Sun, 25 Aug 2013 19:50:44 +0000 (13:50 -0600)]
Avoid some unnecessary FTP control connection closures; polished FTP failure
code.
Do not close FTP server control connection just because FTP response
adaptation is done. We still close FTP connections if we are receiving the
virgin response (because we have no place to store it), but if we are done
receiving, there is no need to terminate FTP server connections. The former
happens when an ICAP service responds before receiving the entire virgin FTP
response. The latter, when the ICAP service responds after the FTP data
connection is closed but before the control 226 response comes in.
Do not close FTP client control connection just because we served a non-OK
control response. The client may still send us commands if our ClientStream is
still in a good state. This may happen when an FTP download is prohibited by
an adaptation service via an HTTP 403 Forbidden response, for example.
Avoid STORE_PENDING assertion in FwdState::reforward() due to double
forwarding completion by FtpGatewayServer. Similar code exists in regular FTP
server and is needed for gatewaying as well because FTP may keep open (and
expect a control response on) the control connection after adaptation is
completed, creating two avenues for a FwdState::complete() call.
Ftp::ServerStateData::failed() should always call FwdState::fail(), to supply
forwarding code with ErrorState details. And we should not create the error
HttpReply in the FTP code. FwdState code does that, probably because it may
reforward the request and, hence, bypass some errors. For now, FTP gateway
code still creates an HttpReply (in addition to calling FwdState::fail) to be
able to supply custom gatewaying error information. Eventually, that should be
done via custom ErrorState object (that will later create an appropriate
HttpReply when/if needed).
Amos Jeffries [Sun, 25 Aug 2013 04:44:20 +0000 (22:44 -0600)]
Doce: make doc/Programming-Guide/doxygen.footer.dyn non-empty
Experiment to see if the .dyn file footer output by doxygen is still
placed if this file contains whitespace. Just having it empty no longer
seems to work with the newer doxygen version.
Amos Jeffries [Sat, 24 Aug 2013 13:12:26 +0000 (01:12 +1200)]
Docs: define use of footer for output DYN files.
doc/Programming-Guide/doxygen.footer.dyn is an empty file because we do
not need anythign as a footer. But we do need to use it because doing so
will suppress teh default "</body></html>" string being appended to the
output file, which breaks out static site generation since .dyn files
have our own squid-cache.org footers automatically appended.
Alex Rousskov [Fri, 23 Aug 2013 22:19:46 +0000 (16:19 -0600)]
Render adaptation X-Response-Info and X-Response-Desc meta values in FTP errors
caused by adaptation (e.g., an ICAP service blocking an FTP command)
Requires adaptation history to be enabled, which can be achieved by logging
adaptation meta headers to access log (%adapt::<last_h) or setting
adaptation_masterx_shared_names in squid.conf
Long term, the contents of the error message should be configurable via
error message templates (which may include these semi-standard meta headers).
Alex Rousskov [Fri, 23 Aug 2013 20:29:04 +0000 (14:29 -0600)]
Provide user with more details on forwarding/adaptation errors.
In addition to "421 Service Unavailable", print %c and %E errorpage info.
Needs more work to make FTP error messages configurable, just like they are
for HTTP.
Alex Rousskov [Fri, 23 Aug 2013 01:20:21 +0000 (19:20 -0600)]
Initial support for active FTP downloads via the FTP PORT command.
Squid accepts PORT command on the client side, but still uses passive transfer
on the server side. The PORT command response is not sent to the client until
the server-side PASV command succeeds. The data connection to the client is
not opened until Squid receives the RETR command from the client.
Squid requires either PORT or PASV command before data transfers. RFC 959 says
PORT is optional because default ports can be used.
RFC 959 also seems to imply that Squid should originate active connections to
client from port 20. The code to do that is commented out for now because it
would prevent support for concurrent data connections. The code configuring
this outgoing (but to-client) connection may need more work as we do a lot
more for outgoing to-server connections.
Alex Rousskov [Thu, 22 Aug 2013 18:39:41 +0000 (12:39 -0600)]
Close idle client connections associated with closed idle pinned connections.
Squid was not monitoring idle persistent connections pinned to servers. Squid
would discover that the pinned server connection is closed only after
receiving a new request on the idle client connection and trying to write that
request to the server. In such cases, Squid propagates the pinned connection
closure to the client (as it should).
Chrome and, to a lesser extent, Firefox handle such races by opening a new
connection and resending the failed [idempotent] request transparently to the
user. However, IE usually displays an error page to the user.
While some pconn races cannot be avoided, without monitoring idle pconns,
Squid virtually guaranteed such a race in environments where origin server
idle connection timeout is smaller than client/Squid timeouts and users
are revisiting pages in the window between those two timeouts.
Squid now monitors idle pinned connections similar to idle connections in the
pconn pool and closes the corresponding idle client connection to keep the two
sides in sync (to the extent possible).
It is theoretically possible that this change will break servers that send
whitespace on an idle persistent connection or perhaps send some SSL keepalive
traffic. No such cases are known to exist though.
Amos Jeffries [Wed, 21 Aug 2013 08:43:27 +0000 (02:43 -0600)]
Update forward_max_tries to permit 25 server paths
With cloud sites becoming more popular more CDN servers are producing
long lists of IPv6 and IPv4 addresses. If there are not enough paths
selected the IPv4 ones may never be reached.
Alex Rousskov [Thu, 15 Aug 2013 22:26:40 +0000 (16:26 -0600)]
Fixed swap_file_sz calculation when loading rock entries. Polished debugging.
Supply storeRebuildParseEntry() with known "swap file size" so that it can
adjust swap_file_sz after loading store entry meta info. Entries are often
stored with swap_file_sz in the meta header missing the swap_hdr_len
component. storeRebuildParseEntry() adds swap_hdr_len when needed, using known
entry size to detect that need.
Alex Rousskov [Thu, 15 Aug 2013 22:21:16 +0000 (16:21 -0600)]
Do not use StoreEntry::swap_file_sz to write DbCellHeader::entrySize,
even during the last write.
StoreEntry::swap_file_sz is often set by storeSwapOutFileClosed, which is
called after the last write.
Also, I am not sure whether partial StoreEntry::swap_file_sz info might later
confuse store rebuild code into thinking that the whole entry is malformed.
That would be [different] bug.
projects / thirdparty / squid.git / log
