From: Benno Rice Date: Wed, 3 Sep 2008 05:31:50 +0000 (+1000) Subject: Merge from upstream. X-Git-Tag: SQUID_3_1_0_1~49^2~9^2~10^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f38ba03f65129effc400c3a13cbce0a925ba142d;p=thirdparty%2Fsquid.git Merge from upstream.
--- f38ba03f65129effc400c3a13cbce0a925ba142d
diff --cc src/Server.cc
index 8ad9d887d5,ffae195b2d..830b55217c
--- a/src/Server.cc
+++ b/src/Server.cc
@@@ -402,23 -402,34 +402,34 @@@ sameUrlHosts(const char *url1, const ch
 // purges entries that match the value of a given HTTP [response] header
 static void
 -purgeEntriesByHeader(const HttpRequest *req, const char *reqUrl, HttpMsg *rep, http_hdr_type hdr)
 +purgeEntriesByHeader(HttpRequest *req, const char *reqUrl, HttpMsg *rep, http_hdr_type hdr)
 {
- const char *url, *absUrl;
+ const char *hdrUrl, *absUrl;
- if ((url = rep->header.getStr(hdr)) != NULL) {
- absUrl = urlAbsolute(req, url);
- if (absUrl != NULL) {
- url = absUrl;
- }
- if (absUrl != NULL) { // if the URL was relative, it is by nature the same host
- purgeEntriesByUrl(req, url);
- } else if (sameUrlHosts(reqUrl, url)) { // prevent purging DoS, per RFC 2616 13.10, second last paragraph
- purgeEntriesByUrl(req, url);
- }
+ absUrl = NULL;
+ hdrUrl = rep->header.getStr(hdr);
+ if (hdrUrl == NULL) {
+ return;
+ }
+
+ /*
+ * If the URL is relative, make it absolute so we can find it.
+ * If it's absolute, make sure the host parts match to avoid DOS attacks
+ * as per RFC 2616 13.10.
+ */
+ if (urlIsRelative(hdrUrl)) {
+ absUrl = urlMakeAbsolute(req, hdrUrl);
 if (absUrl != NULL) {
- safe_free(absUrl);
+ hdrUrl = absUrl;
 }
+ } else if (!sameUrlHosts(reqUrl, hdrUrl)) {
+ return;
+ }
+
+ purgeEntriesByUrl(hdrUrl);
+
+ if (absUrl != NULL) {
+ safe_free(absUrl);
 }
 }
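Review bot: In the `urlIsRelative(hdrUrl)` branch, a failed `urlMakeAbsolute()` leaves `hdrUrl` pointing at the raw header value, and execution still reaches `purgeEntriesByUrl(hdrUrl)`; that branch also never runs `sameUrlHosts()`. The value comes from a response header, so the RFC 2616 13.10 host restriction there depends entirely on how `urlIsRelative()` and `urlMakeAbsolute()` treat it. Neither helper is defined in this hunk, so a scheme-relative value of the form `//host/path` is the case to confirm. I would add `if (absUrl == NULL) return;` right after the `urlMakeAbsolute()` call, and apply `if (!sameUrlHosts(reqUrl, hdrUrl))` to the final URL in both branches, so the guard no longer depends on that classification. The host-mismatch exit would then need to `safe_free(absUrl)` before returning, since `absUrl` may already be allocated at that point.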