From bcccf2d2d8c33725242b15bed0d038eb163e7bd4 Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Mon, 7 Feb 2011 05:15:24 -0700
Subject: [PATCH] Prevent pipeline_prefetch misconfigurations

Enact the TODO/Caveat about checking post-parse for auth type clashing with pipeline settings. This can only fix local configuration errors. Pipeline_prefetch ON will still silently break WWW-Authenticate pass-thru and Proxy-Authenticate pass-thru for these auth mechanisms.
---
 src/auth/negotiate/auth_negotiate.cc | 11 -----------
 src/auth/ntlm/auth_ntlm.cc | 11 -----------
 src/cache_cf.cc | 16 ++++++++++++++++
 src/cf.data.pre | 2 ++
 4 files changed, 18 insertions(+), 22 deletions(-)

diff --git a/src/auth/negotiate/auth_negotiate.cc b/src/auth/negotiate/auth_negotiate.cc
index 62ae88729b..c9a71cec58 100644
--- a/src/auth/negotiate/auth_negotiate.cc
+++ b/src/auth/negotiate/auth_negotiate.cc
@@ -164,17 +164,6 @@ AuthNegotiateConfig::parse(AuthConfig * scheme, int n_configured, char *param_st
 } else {
 debugs(29, 0, "AuthNegotiateConfig::parse: unrecognised negotiate auth scheme parameter '" << param_str << "'");
 }
-
- /*
- * disable client side request pipelining. There is a race with
- * Negotiate when the client sends a second request on an Negotiate
- * connection before the authenticate challenge is sent. With
- * this patch, the client may fail to authenticate, but squid's
- * state will be preserved. Caveats: this should be a post-parse
- * test, but that can wait for the modular parser to be integrated.
- */
- if (authenticate)
- Config.onoff.pipeline_prefetch = 0;
 }
 
 const char *
diff --git a/src/auth/ntlm/auth_ntlm.cc b/src/auth/ntlm/auth_ntlm.cc
index 1f951e2fba..42b16d019b 100644
--- a/src/auth/ntlm/auth_ntlm.cc
+++ b/src/auth/ntlm/auth_ntlm.cc
@@ -146,17 +146,6 @@ AuthNTLMConfig::parse(AuthConfig * scheme, int n_configured, char *param_str)
 } else {
 debugs(29, 0, "AuthNTLMConfig::parse: unrecognised ntlm auth scheme parameter '" << param_str << "'");
 }
-
- /*
- * disable client side request pipelining. There is a race with
- * NTLM when the client sends a second request on an NTLM
- * connection before the authenticate challenge is sent. With
- * this patch, the client may fail to authenticate, but squid's
- * state will be preserved. Caveats: this should be a post-parse
- * test, but that can wait for the modular parser to be integrated.
- */
- if (authenticate)
- Config.onoff.pipeline_prefetch = 0;
 }
 
 const char *
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 1ebf999daf..2bed93d10c 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -745,6 +745,22 @@ configDoConfigure(void)
 " Change client_request_buffer_max or request_header_max_size limits.",
 (uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize);
 }
+
+ /*
+ * disable client side request pipelining. There is a race with
+ * Negotiate and NTLM when the client sends a second request on an
+ * connection before the authenticate challenge is sent. With
+ * pipelining OFF, the client may fail to authenticate, but squid's
+ * state will be preserved.
+ */
+ if (Config.onoff.pipeline_prefetch) {
+ AuthConfig *nego = AuthConfig::Find("Negotiate");
+ AuthConfig *ntlm = AuthConfig::Find("NTLM");
+ if ((nego && nego->active()) || (ntlm && ntlm->active())) {
+ debugs(3, DBG_IMPORTANT, "WARNING: pipeline_prefetch breaks NTLM and Negotiate authentication. Forced OFF.");
+ Config.onoff.pipeline_prefetch = 0;
+ }
+ }
 }
 
 /** Parse a line containing an obsolete directive.
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 3ade4de0bd..14c8d41e94 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
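Review bot: The new comment block added to configDoConfigure describes only the client-side race and omits the gap the commit message itself states — that with pipeline_prefetch left ON, WWW-Authenticate and Proxy-Authenticate pass-thru of NTLM/Negotiate still silently breaks, which this check cannot catch because it only consults the schemes returned by AuthConfig::Find, i.e. the ones configured locally. A maintainer reading the code alone will take the forced-OFF as covering every connection-oriented auth case, so the caveat belongs in the comment, e.g. `* NOTE: only locally configured NTLM/Negotiate is detected here; pass-thru of` / `* WWW-Authenticate/Proxy-Authenticate NTLM or Negotiate from servers or peers` / `* still breaks with pipeline_prefetch ON and is not caught by this check.`. Also `on an connection` in the rewritten comment should read `on a connection`. Whether active() is the right predicate for "the scheme is configured" is not visible from this hunk; configDoConfigure begins outside the hunk.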
@@ -6676,6 +6676,8 @@ DOC_START Defaults to off for bandwidth management and access logging reasons. + + WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. DOC_END NAME: high_response_time_warning -- 2.47.2