From: rousskov <> Date: Sat, 9 Feb 2008 01:30:18 +0000 (+0000) Subject: Bug 2038: check reply_body_max_size before ICAP X-Git-Tag: BASIC_TPROXY4~133 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4741655593ce55dd6b0ba50b2d8dd4f9b82ebf4e;p=thirdparty%2Fsquid.git Bug 2038: check reply_body_max_size before ICAP Use newly added HttpReply::expectedBodyTooLarge() check to support the reply_body_max_size ACL when the expected body size may be known. The check is now shared between server and client sides. The server side needs to do the checks before feeding the data to ICAP. Otherwise, ICAP service may suck a large response in and spit a small response out. It was decided that the reply_body_max_size ACL should apply to the virgin response as well. The server side does not perform HttpReply::receivedBodyTooLarge() check yet. --- diff --git a/src/Server.cc b/src/Server.cc index 8817d1a1e5..8179112bc3 100644 --- a/src/Server.cc +++ b/src/Server.cc @@ -1,5 +1,5 @@ /* - * $Id: Server.cc,v 1.23 2007/09/27 14:34:06 rousskov Exp $ + * $Id: Server.cc,v 1.24 2008/02/08 18:30:18 rousskov Exp $ * * DEBUG: * AUTHOR: Duane Wessels @@ -640,6 +640,14 @@ ServerStateData::icapAclCheckDone(ICAPServiceRep::Pointer service) if (abortOnBadEntry("entry went bad while waiting for ICAP ACL check")) return; + // TODO: Should nonICAP and postICAP path check this on the server-side? + // That check now only happens on client-side, in processReplyAccess(). + if (virginReply()->expectedBodyTooLarge(*request)) { + sendBodyIsTooLargeError(); + return; + } + // TODO: Should we check received5CBodyTooLarge on the server-side as well? + startedIcap = startIcap(service, originalRequest()); if (!startedIcap && (!service || service->bypass)) { 
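Review bot: The second TODO added in icapAclCheckDone() names `received5CBodyTooLarge`, which does not match the `HttpReply::receivedBodyTooLarge()` spelled in the commit message, so a search for the real method will miss this reminder. The comment is also phrased as a question, while the commit message states the gap outright: only the expected size is checked here. A virgin reply whose length is not known in advance therefore presumably still reaches ICAP without a reply_body_max_size check. I would reword it along the lines of `// TODO: also enforce receivedBodyTooLarge() here; replies of unknown length currently reach ICAP unchecked.` The function starts before and continues after this hunk.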
@@ -671,6 +679,16 @@ ServerStateData::icapAclCheckDoneWrapper(ICAPServiceRep::Pointer service, void * } #endif +void +ServerStateData::sendBodyIsTooLargeError() +{ + ErrorState *err = errorCon(ERR_TOO_BIG, HTTP_FORBIDDEN, request); + err->xerrno = errno; + fwd->fail(err); + fwd->dontRetry(true); + abortTransaction("Virgin body too large."); +} + // TODO: when HttpStateData sends all errors to ICAP, // we should be able to move this at the end of setVirginReply(). void diff --git a/src/Server.h b/src/Server.h index 5c221be4ff..a360ed679a 100644 --- a/src/Server.h +++ b/src/Server.h @@ -1,6 +1,6 @@ /* - * $Id: Server.h,v 1.11 2008/01/07 17:10:22 hno Exp $ + * $Id: Server.h,v 1.12 2008/02/08 18:30:18 rousskov Exp $ * * AUTHOR: Duane Wessels * @@ -186,6 +186,7 @@ protected: private: void quitIfAllDone(); // successful termination + void sendBodyIsTooLargeError(); HttpReply *theVirginReply; // reply received from the origin server HttpReply *theFinalReply; // adapted reply from ICAP or virgin reply
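Review bot: `err->xerrno = errno;` in sendBodyIsTooLargeError() records whatever value an earlier, unrelated call left in errno, because this error comes from a policy decision (the size check) and not from a failed system call. If xerrno is rendered in the error page or written to logs, it would point at a system error that has nothing to do with the rejection. Consider `err->xerrno = 0;`, or drop the assignment if ErrorState already initialises the field. A one-line comment above the function would also help, for example `// Rejects a virgin reply that exceeds reply_body_max_size: fails the forward without retry and aborts the transaction.`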