diff -ruN squid-2.7.STABLE7/ChangeLog squid-2.7.STABLE8/ChangeLog
--- squid-2.7.STABLE7/ChangeLog 2009-09-17 00:29:48.000000000 +0200
+++ squid-2.7.STABLE8/ChangeLog 2010-03-10 01:40:07.000000000 +0100
@@ -1,4 +1,26 @@
+Changes to squid-2.7.STABLE8 <10 March 2010)
+
+ - Bug #2458: reply_body_max_size incorrectly documented
+ - Bug #2858: Segment violation in HTCP
+ - Bug #2773: Segfault in RFC2069 Digest authantication
+ - 64-bit filesize issue in squidclient if trying to post a file > 2GB
+ - Improve %nn parser to better deal with certain odd %nn sequences
+ - Segmentation fault if failed to open cache.log
+ - Bug #2819: const correctness errors in dns_internal.c
+ - Handle DNS header-only packets as invalid. (CVE-2010-0308)
+ - Windows port: Updated mswin_ad_group native helper to version 2.1
+ - Cosmetic change to keep GCC happy
+ - Bug #2678 - storeurl_rewrite does not play nicely with vary
+ - Bug #2861 - only-if-cached request blocks if it collapsed into
+ another request
+ - Use libcap functions instead of raw kernel interface
+ - No need to sync the store on -k rotate, but instead it needs to be
+ done in reconfigure
+ - const correctness in OpenSSL initialization
+ - Rework the http digest auth parser
+
Changes to squid-2.7.STABLE7 (17 September 2009)
+
- Bug #2661 - Solaris /dev/poll support broken with EINVAL
- Clarify external_acl_type %{Header} documentation slightly
- Bug #2482: Remove mem_obj->old_entry in async code to avoid deep ctx
@@ -45,6 +67,7 @@
- Bug #2768 - squid_ldap_group -K argument parsing error
Changes to squid-2.7.STABLE6 (4 February 2009)
+
- Bug #2494: Fix tproxy url in configure
- Correct latency measurements
- Correct upgrade_http0.9 example
@@ -53,21 +76,8 @@
authenticate_ip_shortcircuit_ttl
- Add in some better documentation for override-expire.
-Changes to squid-2.6.STABLE22 (19 October 2008)
- - Bug #2396: Correct the opening of the PF device file.
- - Make --with-large-files and --with-build-envirnment=default play
- nice together
- - Workaround for Linux-2.6.24 & 2.6.25 netfiler_ipv4.h include header
- __u32 problem
- - Make dns_nameserver work when using --disable-internal-dns on glibc
- based systems
- - Bug #2426: Increase negotiate auth token buffer size
- - Bug #2427: squid_ldap_group -h reports the old % codes for -f
- - Bug #2477: swap.state permission issues if crashing during "squid -k
- reconfigure"
- - Windows port: Fix build error using latest MinGW runtime.
-
Changes to squid-2.7.STABLE5 (17 October 2008)
+
- Bug #2439: configuration file contains non-ASCII characters
- Bug #2441: Shut down store url rewrite helpers on squid -k
reconfigure
@@ -88,6 +98,7 @@
- Windows port: Fix build error using latest MinGW runtime.
Changes to squid-2.7.STABLE4 (8 August 2008)
+
- Bug #2387: The calculation of the number of hash buckets need to
account for the memory size, not only disk size
- Bug #2393: DNS requests retried indefinitely at full speed on failed
@@ -117,30 +128,6 @@
- More changes to deal properly with aborted requests
- Bug #2427: squid_ldap_group -h reports the old % codes for -f
-Changes to squid-2.6.STABLE21 (27 June 2008)
-
- - Bug #2350: Bugs in Linux kernel capabilities code
- - Bug #2241: weights not applied properly in round-robin peer
- selection
- - Off by one error in DNS label decompression could cause valid DNS
- messages to be rejected
- - logformat docs contain extra whitespace
- - Reject ridiculously large ASN.1 lengths
- - Fix SNMP reporting of counters with a value > 0xFF80000
- - Correct spelling of WCCPv2 dst_port_hash to match the source
- - Plug some "squid -k reconfigure" memory leaks. Mostly SSL related.
- - Bug #1993: Memory leak in http_reply_access deny processing
- - Bug #2122: In some situations collapsed_forwarding could leak
- private information
- - Bug #2376: Round-Robin becomes unbalanced when a peer dies and comes
- back
- - Bug #2387: The calculation of the number of hash buckets need to
- account for the memory size, not only disk size
- - Bug #2393: DNS requests retried indefinitely at full speed on failed
- TCP connection
- - Bug #2393: DNS retransmit queue could get hold up
- - Correct socket syscalls statistics in commResetFD()
-
Changes to squid-2.7.STABLE3 (25 June 2008)
- Byg #2376: Round-Robin peer selection becomes unbalanced when a
diff -ruN squid-2.7.STABLE7/configure squid-2.7.STABLE8/configure
--- squid-2.7.STABLE7/configure 2009-09-17 00:46:50.000000000 +0200
+++ squid-2.7.STABLE8/configure 2010-03-10 01:41:19.000000000 +0100
@@ -1,9 +1,9 @@
#! /bin/sh
-# From configure.in Revision: 1.430.2.20 .
+# From configure.in Revision: 1.430.2.22 .
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.62 for Squid Web Proxy 2.7.STABLE7.
+# Generated by GNU Autoconf 2.62 for Squid Web Proxy 2.7.STABLE8.
#
-# Report bugs to .
+# Report bugs to .
#
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
# 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
@@ -597,9 +597,9 @@
# Identity of this package.
PACKAGE_NAME='Squid Web Proxy'
PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='2.7.STABLE7'
-PACKAGE_STRING='Squid Web Proxy 2.7.STABLE7'
-PACKAGE_BUGREPORT='http://www.squid-cache.org/bugs/'
+PACKAGE_VERSION='2.7.STABLE8'
+PACKAGE_STRING='Squid Web Proxy 2.7.STABLE8'
+PACKAGE_BUGREPORT='http://bugs.squid-cache.org/'
ac_default_prefix=/usr/local/squid
# Factoring default headers for most tests.
@@ -896,6 +896,7 @@
enable_stacktraces
enable_x_accelerator_vary
enable_follow_x_forwarded_for
+with_libcap
with_maxfd
'
ac_precious_vars='build_alias
@@ -1459,7 +1460,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures Squid Web Proxy 2.7.STABLE7 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 2.7.STABLE8 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1529,7 +1530,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of Squid Web Proxy 2.7.STABLE7:";;
+ short | recursive ) echo "Configuration of Squid Web Proxy 2.7.STABLE8:";;
esac
cat <<\_ACEOF
@@ -1732,6 +1733,8 @@
XBS5_LP64_OFF64 64 bits (legacy)
XBS5_LPBIG_OFFBIG large pointers and files (legacy)
default The default for your OS
+ --without-libcap disable usage of Linux capabilities library to
+ control privileges
--with-maxfd=N Override maximum number of filedescriptors. Useful
if you build as another user who is not privileged
to use the number of filedescriptors you want the
@@ -1750,7 +1753,7 @@
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
-Report bugs to .
+Report bugs to .
_ACEOF
ac_status=$?
fi
@@ -1813,7 +1816,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-Squid Web Proxy configure 2.7.STABLE7
+Squid Web Proxy configure 2.7.STABLE8
generated by GNU Autoconf 2.62
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1827,7 +1830,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by Squid Web Proxy $as_me 2.7.STABLE7, which was
+It was created by Squid Web Proxy $as_me 2.7.STABLE8, which was
generated by GNU Autoconf 2.62. Invocation command line was
$ $0 $@
@@ -2544,7 +2547,7 @@
# Define the identity of the package.
PACKAGE='squid'
- VERSION='2.7.STABLE7'
+ VERSION='2.7.STABLE8'
cat >>confdefs.h <<_ACEOF
@@ -6549,9 +6552,9 @@
{ $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
( cat <<\_ASBOX
-## ----------------------------------------------- ##
-## Report this to http://www.squid-cache.org/bugs/ ##
-## ----------------------------------------------- ##
+## ------------------------------------------- ##
+## Report this to http://bugs.squid-cache.org/ ##
+## ------------------------------------------- ##
_ASBOX
) | sed "s/^/$as_me: WARNING: /" >&2
;;
@@ -24411,6 +24414,338 @@
fi
+use_libcap=auto
+
+# Check whether --with-libcap was given.
+if test "${with_libcap+set}" = set; then
+ withval=$with_libcap; if test "x$withval" = "xyes" ; then
+ { $as_echo "$as_me:$LINENO: result: libcap forced enabled" >&5
+$as_echo "libcap forced enabled" >&6; }
+ use_libcap=yes
+ else
+ { $as_echo "$as_me:$LINENO: result: libcap forced disabled" >&5
+$as_echo "libcap forced disabled" >&6; }
+ use_libcap=no
+ fi
+
+fi
+
+if test "x$use_libcap" != "xno"; then
+ # cap_clear_flag is the most recent libcap function we require
+
+{ $as_echo "$as_me:$LINENO: checking for cap_clear_flag in -lcap" >&5
+$as_echo_n "checking for cap_clear_flag in -lcap... " >&6; }
+if test "${ac_cv_lib_cap_cap_clear_flag+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcap $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char cap_clear_flag ();
+int
+main ()
+{
+return cap_clear_flag ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext && {
+ test "$cross_compiling" = yes ||
+ $as_test_x conftest$ac_exeext
+ }; then
+ ac_cv_lib_cap_cap_clear_flag=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_cap_cap_clear_flag=no
+fi
+
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_cap_cap_clear_flag" >&5
+$as_echo "$ac_cv_lib_cap_cap_clear_flag" >&6; }
+if test $ac_cv_lib_cap_cap_clear_flag = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBCAP 1
+_ACEOF
+
+ LIBS="-lcap $LIBS"
+
+fi
+
+ if test "x$ac_cv_lib_cap_cap_clear_flag" = xyes; then
+ use_libcap=yes
+ else
+ if test "x$use_libcap" = "xyes"; then
+ { { $as_echo "$as_me:$LINENO: error: libcap forced enabled but not available or not usable, requires libcap-2.09 or later" >&5
+$as_echo "$as_me: error: libcap forced enabled but not available or not usable, requires libcap-2.09 or later" >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+ use_libcap=no
+ fi
+fi
+if test "x$use_libcap" = "xyes"; then
+
+cat >>confdefs.h <<\_ACEOF
+#define USE_LIBCAP 1
+_ACEOF
+
+
+for ac_header in sys/capability.h
+do
+as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
+$as_echo_n "checking for $ac_header... " >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ $as_echo_n "(cached) " >&6
+fi
+ac_res=`eval 'as_val=${'$as_ac_Header'}
+ $as_echo "$as_val"'`
+ { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+else
+ # Is the header compilable?
+{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
+$as_echo_n "checking $ac_header usability... " >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_header_compiler=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
+$as_echo_n "checking $ac_header presence... " >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <$ac_header>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ ac_header_preproc=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
+
+# So? What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+ yes:no: )
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+ ac_header_preproc=yes
+ ;;
+ no:yes:* )
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+ { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+ ( cat <<\_ASBOX
+## ------------------------------------------- ##
+## Report this to http://bugs.squid-cache.org/ ##
+## ------------------------------------------- ##
+_ASBOX
+ ) | sed "s/^/$as_me: WARNING: /" >&2
+ ;;
+esac
+{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
+$as_echo_n "checking for $ac_header... " >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ $as_echo_n "(cached) " >&6
+else
+ eval "$as_ac_Header=\$ac_header_preproc"
+fi
+ac_res=`eval 'as_val=${'$as_ac_Header'}
+ $as_echo "$as_val"'`
+ { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+
+fi
+if test `eval 'as_val=${'$as_ac_Header'}
+ $as_echo "$as_val"'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+ { $as_echo "$as_me:$LINENO: checking for operational libcap2 headers" >&5
+$as_echo_n "checking for operational libcap2 headers... " >&6; }
+if test "${squid_cv_sys_capability_works+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include
+#include
+#include
+
+int
+main ()
+{
+
+capget(NULL, NULL);
+capset(NULL, NULL);
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext && {
+ test "$cross_compiling" = yes ||
+ $as_test_x conftest$ac_exeext
+ }; then
+ squid_cv_sys_capability_works=yes
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ squid_cv_sys_capability_works=no
+fi
+
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+
+fi
+{ $as_echo "$as_me:$LINENO: result: $squid_cv_sys_capability_works" >&5
+$as_echo "$squid_cv_sys_capability_works" >&6; }
+ if test x$squid_cv_sys_capability_works != xyes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define LIBCAP_BROKEN 1
+_ACEOF
+
+ fi
+fi
+
{ $as_echo "$as_me:$LINENO: checking for main in -lnsl" >&5
$as_echo_n "checking for main in -lnsl... " >&6; }
@@ -24746,9 +25081,9 @@
{ $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
( cat <<\_ASBOX
-## ----------------------------------------------- ##
-## Report this to http://www.squid-cache.org/bugs/ ##
-## ----------------------------------------------- ##
+## ------------------------------------------- ##
+## Report this to http://bugs.squid-cache.org/ ##
+## ------------------------------------------- ##
_ASBOX
) | sed "s/^/$as_me: WARNING: /" >&2
;;
@@ -24897,9 +25232,9 @@
{ $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
( cat <<\_ASBOX
-## ----------------------------------------------- ##
-## Report this to http://www.squid-cache.org/bugs/ ##
-## ----------------------------------------------- ##
+## ------------------------------------------- ##
+## Report this to http://bugs.squid-cache.org/ ##
+## ------------------------------------------- ##
_ASBOX
) | sed "s/^/$as_me: WARNING: /" >&2
;;
@@ -27410,7 +27745,7 @@
sleep 10
fi
-if test "$LINUX_NETFILTER" ; then
+if test "$LINUX_NETFILTER" = "yes"; then
{ $as_echo "$as_me:$LINENO: checking if Linux 2.4 or newer kernel header files are installed" >&5
$as_echo_n "checking if Linux 2.4 or newer kernel header files are installed... " >&6; }
# hold on to your hats...
@@ -27438,7 +27773,7 @@
sleep 10
fi
-if test "$LINUX_TPROXY" ; then
+if test "$LINUX_TPROXY"; then
{ $as_echo "$as_me:$LINENO: checking if TPROXY header files are installed" >&5
$as_echo_n "checking if TPROXY header files are installed... " >&6; }
# hold on to your hats...
@@ -27459,6 +27794,12 @@
fi
{ $as_echo "$as_me:$LINENO: result: $LINUX_TPROXY" >&5
$as_echo "$LINUX_TPROXY" >&6; }
+ if test "$use_libcap" != "yes"; then
+ { $as_echo "$as_me:$LINENO: WARNING: Missing needed capabilities (libcap or libcap2) for TPROXY" >&5
+$as_echo "$as_me: WARNING: Missing needed capabilities (libcap or libcap2) for TPROXY" >&2;}
+ LINUX_TPROXY="no"
+ sleep 10
+ fi
fi
if test "$LINUX_TPROXY" = "no" && test "$LINUX_NETFILTER" = "yes"; then
echo "WARNING: Cannot find TPROXY headers, you need to patch your kernel with the"
@@ -29339,7 +29680,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by Squid Web Proxy $as_me 2.7.STABLE7, which was
+This file was extended by Squid Web Proxy $as_me 2.7.STABLE8, which was
generated by GNU Autoconf 2.62. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -29392,7 +29733,7 @@
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_version="\\
-Squid Web Proxy config.status 2.7.STABLE7
+Squid Web Proxy config.status 2.7.STABLE8
configured by $0, generated by GNU Autoconf 2.62,
with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
diff -ruN squid-2.7.STABLE7/configure.in squid-2.7.STABLE8/configure.in
--- squid-2.7.STABLE7/configure.in 2009-09-17 00:46:50.000000000 +0200
+++ squid-2.7.STABLE8/configure.in 2010-03-10 01:41:19.000000000 +0100
@@ -1,16 +1,16 @@
dnl
dnl Configuration input file for Squid
dnl
-dnl $Id: configure.in,v 1.430.2.20 2009/09/16 22:29:48 hno Exp $
+dnl $Id: configure.in,v 1.430.2.22 2010/03/07 15:56:50 hno Exp $
dnl
dnl
dnl
-AC_INIT(Squid Web Proxy, 2.7.STABLE7, http://www.squid-cache.org/bugs/, squid)
+AC_INIT(Squid Web Proxy, 2.7.STABLE8, http://bugs.squid-cache.org/, squid)
AC_PREREQ(2.52)
AM_CONFIG_HEADER(include/autoconf.h)
AC_CONFIG_AUX_DIR(cfgaux)
AM_INIT_AUTOMAKE
-AC_REVISION($Revision: 1.430.2.20 $)dnl
+AC_REVISION($Revision: 1.430.2.22 $)dnl
AC_PREFIX_DEFAULT(/usr/local/squid)
AM_MAINTAINER_MODE
@@ -2042,6 +2042,47 @@
AC_DEFINE(mtyp_t, long, [message type for message queues])
fi
+use_libcap=auto
+AC_ARG_WITH(libcap, AS_HELP_STRING([--without-libcap],[disable usage of Linux capabilities library to control privileges]),
+[ if test "x$withval" = "xyes" ; then
+ AC_MSG_RESULT(libcap forced enabled)
+ use_libcap=yes
+ else
+ AC_MSG_RESULT(libcap forced disabled)
+ use_libcap=no
+ fi
+])
+if test "x$use_libcap" != "xno"; then
+ # cap_clear_flag is the most recent libcap function we require
+ AC_CHECK_LIB(cap, cap_clear_flag)
+ if test "x$ac_cv_lib_cap_cap_clear_flag" = xyes; then
+ use_libcap=yes
+ else
+ if test "x$use_libcap" = "xyes"; then
+ AC_MSG_ERROR([libcap forced enabled but not available or not usable, requires libcap-2.09 or later])
+ fi
+ use_libcap=no
+ fi
+fi
+if test "x$use_libcap" = "xyes"; then
+ AC_DEFINE(USE_LIBCAP, 1, [use libcap to set capabilities required for TPROXY])
+ dnl Check for libcap headader breakage.
+ AC_CHECK_HEADERS(sys/capability.h)
+ AC_CACHE_CHECK([for operational libcap2 headers], squid_cv_sys_capability_works,
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include
+#include
+#include
+]], [[
+capget(NULL, NULL);
+capset(NULL, NULL);
+ ]])],[squid_cv_sys_capability_works=yes],[squid_cv_sys_capability_works=no])
+ )
+ if test x$squid_cv_sys_capability_works != xyes; then
+ AC_DEFINE([LIBCAP_BROKEN],1,[if libcap2 headers are broken and clashing with glibc])
+ fi
+fi
+
dnl Check for needed libraries
AC_CHECK_LIB(nsl, main)
AC_CHECK_LIB(socket, main)
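Review bot: In the `AC_ARG_WITH(libcap, ...)` handler every value other than `yes` falls into the `else` branch, so a path-valued or mistyped option such as `--with-libcap=/some/prefix` is reported as "libcap forced disabled" and the build goes on without capability handling. Testing for the explicit opt-out instead, `if test "x$withval" = "xno" ; then` with the two branches swapped, keeps `--without-libcap` working and stops other values from quietly turning the feature off. The two `AC_MSG_RESULT` calls have no preceding `AC_MSG_CHECKING`, so the configure log shows an answer without a question. The comment `dnl Check for libcap headader breakage.` has a typo and should read `header`.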
@@ -2716,7 +2757,7 @@
dnl Linux-Netfilter support requires Linux 2.4 or newer kernel header files.
dnl Shamelessly copied from above
-if test "$LINUX_NETFILTER" ; then
+if test "$LINUX_NETFILTER" = "yes"; then
AC_MSG_CHECKING(if Linux 2.4 or newer kernel header files are installed)
# hold on to your hats...
if test "$ac_cv_header_linux_netfilter_ipv4_h" = "yes"; then
@@ -2734,9 +2775,9 @@
sleep 10
fi
-dnl Linux Netfilter/TPROXY support requires some specific header files
+dnl Linux Netfilter/TPROXY support requires some specific header files and libcap
dnl Shamelessly copied from shamelessly copied from above
-if test "$LINUX_TPROXY" ; then
+if test "$LINUX_TPROXY"; then
AC_MSG_CHECKING(if TPROXY header files are installed)
# hold on to your hats...
if test "$ac_cv_header_linux_netfilter_ipv4_ip_tproxy_h" = "yes" && test "$LINUX_NETFILTER" = "yes"; then
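Review bot: The TPROXY guard `if test "$LINUX_TPROXY"; then` only lost a space, while the sibling NETFILTER guard in the previous hunk was tightened to `= "yes"`; the bare form is true for any non-empty value, including `no`. A later hunk compares `$LINUX_TPROXY` against `"no"`, so that value does occur, and if an option handler sets it before this point the header check below could run and turn the feature back on (inferred, the handler is not in this diff). Suggested line: `if test "$LINUX_TPROXY" = "yes"; then`. The body of this `if` continues past the end of the hunk.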
@@ -2747,6 +2788,11 @@
AC_DEFINE(LINUX_TPROXY, 0, [Enable real Transparent Proxy support for Netfilter TPROXY.])
fi
AC_MSG_RESULT($LINUX_TPROXY)
+ if test "$use_libcap" != "yes"; then
+ AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for TPROXY])
+ LINUX_TPROXY="no"
+ sleep 10
+ fi
fi
if test "$LINUX_TPROXY" = "no" && test "$LINUX_NETFILTER" = "yes"; then
echo "WARNING: Cannot find TPROXY headers, you need to patch your kernel with the"
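Review bot: The new libcap branch sets only the shell variable `LINUX_TPROXY="no"`, whereas the header-missing branch just above it also emits `AC_DEFINE(LINUX_TPROXY, 0, ...)`; if the success branch (outside this hunk) has already defined the macro as 1, the C code may still be compiled with TPROXY enabled but without the capability support it needs. Adding `AC_DEFINE(LINUX_TPROXY, 0, [Enable real Transparent Proxy support for Netfilter TPROXY.])` next to the assignment would keep the generated header and the shell state in step. Setting the variable to `no` also triggers the following `WARNING: Cannot find TPROXY headers` text, which points the builder at kernel patches when the actual cause is a missing libcap. The enclosing `if` starts before the hunk.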
diff -ruN squid-2.7.STABLE7/helpers/external_acl/mswin_ad_group/mswin_check_ad_group.c squid-2.7.STABLE8/helpers/external_acl/mswin_ad_group/mswin_check_ad_group.c
--- squid-2.7.STABLE7/helpers/external_acl/mswin_ad_group/mswin_check_ad_group.c 2009-09-16 22:43:16.000000000 +0200
+++ squid-2.7.STABLE8/helpers/external_acl/mswin_ad_group/mswin_check_ad_group.c 2010-02-12 21:39:55.000000000 +0100
@@ -31,6 +31,10 @@
*
* History:
*
+ * Version 2.1
+ * 20-09-2009 Guido Serassio
+ * Added explicit Global Catalog query
+ *
* Version 2.0
* 20-07-2009 Guido Serassio
* Global groups support rewritten, now is based on ADSI.
@@ -78,12 +82,18 @@
#include
#include
#include
+#include
#include
#include
#include
#include "util.h"
+enum ADSI_PATH {
+ LDAP_MODE,
+ GC_MODE
+} ADSI_Path;
+
#define BUFSIZE 8192 /* the stdin buffer size */
int use_global = 0;
char debug_enabled = 0;
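Review bot: `enum ADSI_PATH { LDAP_MODE, GC_MODE } ADSI_Path;` declares the enum type and also defines a file-scope variable `ADSI_Path` that no hunk in this diff reads or writes, while `GetLDAPPath` takes the mode as a plain `int`. Dropping the declarator (`enum ADSI_PATH { LDAP_MODE, GC_MODE };`) and typing the parameter as `enum ADSI_PATH query_mode` would remove the stray global and let the compiler see which values are valid. A one-line comment on the enum saying that it selects the ADSI provider prefix (`LDAP://` or `GC://`) would help readers.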
@@ -275,13 +285,16 @@
wchar_t *
-GetLDAPPath(wchar_t * Base_DN)
+GetLDAPPath(wchar_t * Base_DN, int query_mode)
{
wchar_t *wc;
wc = (wchar_t *) xmalloc((wcslen(Base_DN) + 8) * sizeof(wchar_t));
- wcscpy(wc, L"LDAP://");
+ if (query_mode == LDAP_MODE)
+ wcscpy(wc, L"LDAP://");
+ else
+ wcscpy(wc, L"GC://");
wcscat(wc, Base_DN);
return wc;
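Review bot: The allocation in `GetLDAPPath` still uses a bare `+ 8`, which is exactly the seven characters of `LDAP://` plus the terminator, and the unbounded `wcscpy`/`wcscat` that follow depend on that being the longest prefix. Now that the prefix is selectable, a comment above the `xmalloc` such as `/* 8 = longest provider prefix ("LDAP://", 7 chars) + terminating NUL */` would keep a future, longer prefix from writing past the end of the heap buffer. The `else` maps every value other than `LDAP_MODE` to `GC://`; stating that in the comment, or testing `GC_MODE` explicitly, would make the contract clear.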
@@ -412,11 +425,19 @@
wchar_t *Group_Path;
IADs *pGrp;
- Group_Path = GetLDAPPath(var.n1.n2.n3.bstrVal);
+ Group_Path = GetLDAPPath(var.n1.n2.n3.bstrVal, GC_MODE);
hr = ADsGetObject(Group_Path, &IID_IADs, (void **) &pGrp);
if (SUCCEEDED(hr)) {
hr = Recursive_Memberof(pGrp);
pGrp->lpVtbl->Release(pGrp);
+ safe_free(Group_Path);
+ Group_Path = GetLDAPPath(var.n1.n2.n3.bstrVal, LDAP_MODE);
+ hr = ADsGetObject(Group_Path, &IID_IADs, (void **) &pGrp);
+ if (SUCCEEDED(hr)) {
+ hr = Recursive_Memberof(pGrp);
+ pGrp->lpVtbl->Release(pGrp);
+ } else
+ debug("Recursive_Memberof: ERROR ADsGetObject for %S failed: %s\n", Group_Path, Get_WIN32_ErrorMessage(hr));
} else
debug("Recursive_Memberof: ERROR ADsGetObject for %S failed: %s\n", Group_Path, Get_WIN32_ErrorMessage(hr));
safe_free(Group_Path);
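Review bot: The `LDAP://` lookup is nested inside the `SUCCEEDED(hr)` branch of the `GC://` lookup, so when `ADsGetObject` on the Global Catalog path fails, the LDAP query that the previous code always made is skipped and this group's parents are not enumerated. For an access-control helper this changes which groups a user is seen to belong to whenever no Global Catalog answers; if the LDAP query is meant as the baseline, the two lookups should run one after the other, each with its own `safe_free(Group_Path)`, and not be nested. The same nesting appears in the array branch (hunk at -432) and in `Valid_Global_Groups` for the primary group and the user object (hunk at -638). The `hr` returned by the first `Recursive_Memberof` is also overwritten by the second `ADsGetObject`, so a failure of the GC walk is never reported. The enclosing function starts and ends outside this hunk.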
@@ -432,22 +453,38 @@
wchar_t *Group_Path;
IADs *pGrp;
- Group_Path = GetLDAPPath(elem.n1.n2.n3.bstrVal);
+ Group_Path = GetLDAPPath(elem.n1.n2.n3.bstrVal, GC_MODE);
hr = ADsGetObject(Group_Path, &IID_IADs, (void **) &pGrp);
if (SUCCEEDED(hr)) {
hr = Recursive_Memberof(pGrp);
pGrp->lpVtbl->Release(pGrp);
+ safe_free(Group_Path);
+ Group_Path = GetLDAPPath(elem.n1.n2.n3.bstrVal, LDAP_MODE);
+ hr = ADsGetObject(Group_Path, &IID_IADs, (void **) &pGrp);
+ if (SUCCEEDED(hr)) {
+ hr = Recursive_Memberof(pGrp);
+ pGrp->lpVtbl->Release(pGrp);
+ safe_free(Group_Path);
+ } else
+ debug("Recursive_Memberof: ERROR ADsGetObject for %S failed: %s\n", Group_Path, Get_WIN32_ErrorMessage(hr));
} else
debug("Recursive_Memberof: ERROR ADsGetObject for %S failed: %s\n", Group_Path, Get_WIN32_ErrorMessage(hr));
safe_free(Group_Path);
}
VariantClear(&elem);
+ } else {
+ debug("Recursive_Memberof: ERROR SafeArrayGetElement failed: %s\n", Get_WIN32_ErrorMessage(hr));
+ VariantClear(&elem);
}
++lBound;
}
- }
+ } else
+ debug("Recursive_Memberof: ERROR SafeArrayGetxBound failed: %s\n", Get_WIN32_ErrorMessage(hr));
}
VariantClear(&var);
+ } else {
+ if (hr != E_ADS_PROPERTY_NOT_FOUND)
+ debug("Recursive_Memberof: ERROR getting memberof attribute: %s\n", Get_WIN32_ErrorMessage(hr));
}
return hr;
}
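Review bot: In the array case the inner success branch calls `safe_free(Group_Path)`, and the same pointer is passed again to the unconditional `safe_free(Group_Path)` after the `if`/`else`; the matching single-value branch in the previous hunk has no such extra call. This is harmless only if `safe_free` resets its argument to NULL (its definition is not in this diff), so the extra line is best removed to keep the two branches identical and to avoid depending on that. The new message `ERROR SafeArrayGetxBound failed` does not say whether the lower-bound or the upper-bound call failed. The enclosing function starts outside the hunk.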
@@ -624,9 +661,7 @@
}
wszGroups = build_groups_DN_array(Groups, NTDomain);
- User_LDAP_path = GetLDAPPath(User_DN);
-
- safe_free(User_DN);
+ User_LDAP_path = GetLDAPPath(User_DN, GC_MODE);
hr = ADsGetObject(User_LDAP_path, &IID_IADs, (void **) &pUser);
if (SUCCEEDED(hr)) {
@@ -638,18 +673,33 @@
debug("Valid_Global_Groups: cannot get Primary Group for '%s'.\n", User);
else {
add_User_Group(User_PrimaryGroup);
- User_PrimaryGroup_Path = GetLDAPPath(User_PrimaryGroup);
+ User_PrimaryGroup_Path = GetLDAPPath(User_PrimaryGroup, GC_MODE);
hr = ADsGetObject(User_PrimaryGroup_Path, &IID_IADs, (void **) &pGrp);
if (SUCCEEDED(hr)) {
hr = Recursive_Memberof(pGrp);
pGrp->lpVtbl->Release(pGrp);
+ safe_free(User_PrimaryGroup_Path);
+ User_PrimaryGroup_Path = GetLDAPPath(User_PrimaryGroup, LDAP_MODE);
+ hr = ADsGetObject(User_PrimaryGroup_Path, &IID_IADs, (void **) &pGrp);
+ if (SUCCEEDED(hr)) {
+ hr = Recursive_Memberof(pGrp);
+ pGrp->lpVtbl->Release(pGrp);
+ } else
+ debug("Valid_Global_Groups: ADsGetObject for %S failed, ERROR: %s\n", User_PrimaryGroup_Path, Get_WIN32_ErrorMessage(hr));
} else
debug("Valid_Global_Groups: ADsGetObject for %S failed, ERROR: %s\n", User_PrimaryGroup_Path, Get_WIN32_ErrorMessage(hr));
-
safe_free(User_PrimaryGroup_Path);
}
hr = Recursive_Memberof(pUser);
pUser->lpVtbl->Release(pUser);
+ safe_free(User_LDAP_path);
+ User_LDAP_path = GetLDAPPath(User_DN, LDAP_MODE);
+ hr = ADsGetObject(User_LDAP_path, &IID_IADs, (void **) &pUser);
+ if (SUCCEEDED(hr)) {
+ hr = Recursive_Memberof(pUser);
+ pUser->lpVtbl->Release(pUser);
+ } else
+ debug("Valid_Global_Groups: ADsGetObject for %S failed, ERROR: %s\n", User_LDAP_path, Get_WIN32_ErrorMessage(hr));
tmp = User_Groups;
while (*tmp) {
@@ -662,6 +712,7 @@
} else
debug("Valid_Global_Groups: ADsGetObject for %S failed, ERROR: %s\n", User_LDAP_path, Get_WIN32_ErrorMessage(hr));
+ safe_free(User_DN);
safe_free(User_LDAP_path);
safe_free(User_PrimaryGroup);
tmp = wszGroups;
@@ -815,10 +866,10 @@
rfc1738_unescape(username);
if ((use_global ? Valid_Global_Groups(username, groups) : Valid_Local_Groups(username, groups))) {
- printf("OK\n");
+ SEND("OK");
} else {
error:
- printf("ERR\n");
+ SEND("ERR");
}
err = 0;
}
diff -ruN squid-2.7.STABLE7/helpers/external_acl/mswin_ad_group/readme.txt squid-2.7.STABLE8/helpers/external_acl/mswin_ad_group/readme.txt
--- squid-2.7.STABLE7/helpers/external_acl/mswin_ad_group/readme.txt 2009-08-16 23:55:43.000000000 +0200
+++ squid-2.7.STABLE8/helpers/external_acl/mswin_ad_group/readme.txt 2010-02-12 21:39:55.000000000 +0100
@@ -25,7 +25,7 @@
When running in Active Directory Global mode, all types of Active Directory
security groups are supported:
- Domain Global
-- Domain Local
+- Domain Local from user's domain
- Universal
and Active Directory group nesting is fully supported.
@@ -86,7 +86,10 @@
"Domain Users"
-NOTES:
+NOTES:
+- When running in Active Directory Global mode, for better performance,
+ all Domain Controllers of the Active Directory forest should be configured
+ as Global Catalog.
- When running in local mode, the standard group name comparison is case
sensitive, so group name must be specified with same case as in the
local SAM database.
diff -ruN squid-2.7.STABLE7/include/autoconf.h.in squid-2.7.STABLE8/include/autoconf.h.in
--- squid-2.7.STABLE7/include/autoconf.h.in 2008-11-20 02:55:42.000000000 +0100
+++ squid-2.7.STABLE8/include/autoconf.h.in 2010-03-08 05:38:53.000000000 +0100
@@ -194,6 +194,9 @@
/* Define to 1 if you have the `bsd' library (-lbsd). */
#undef HAVE_LIBBSD
+/* Define to 1 if you have the `cap' library (-lcap). */
+#undef HAVE_LIBCAP
+
/* Define to 1 if you have the header file. */
#undef HAVE_LIBC_H
@@ -647,6 +650,9 @@
/* Support large cache files > 2GB */
#undef LARGE_CACHE_FILES
+/* if libcap2 headers are broken and clashing with glibc */
+#undef LIBCAP_BROKEN
+
/* Enable support for Transparent Proxy on Linux (Netfilter) systems */
#undef LINUX_NETFILTER
@@ -828,6 +834,9 @@
/* Enable code for assiting in finding memory leaks. Hacker stuff only. */
#undef USE_LEAKFINDER
+/* use libcap to set capabilities required for TPROXY */
+#undef USE_LIBCAP
+
/* Define this to make use of the OpenSSL libraries for MD5 calculation rather
than Squid's own MD5 implementation or if building with SSL encryption
(USE_SSL) */
diff -ruN squid-2.7.STABLE7/include/squid_types.h squid-2.7.STABLE8/include/squid_types.h
--- squid-2.7.STABLE7/include/squid_types.h 2006-05-23 16:51:36.000000000 +0200
+++ squid-2.7.STABLE8/include/squid_types.h 2010-02-12 21:22:18.000000000 +0100
@@ -1,5 +1,5 @@
/*
- * $Id: squid_types.h,v 1.8 2006/05/23 14:51:36 hno Exp $
+ * $Id: squid_types.h,v 1.8.6.1 2010/02/12 20:22:18 hno Exp $
*
* * * * * * * * Legal stuff * * * * * * *
*
@@ -73,4 +73,41 @@
#include
#endif
+#if SIZEOF_INT64_T > SIZEOF_LONG && HAVE_STRTOLL
+typedef int64_t squid_off_t;
+#define SIZEOF_SQUID_OFF_T SIZEOF_INT64_T
+#define PRINTF_OFF_T PRId64
+#define strto_off_t (int64_t)strtoll
+#else
+typedef long squid_off_t;
+#define SIZEOF_SQUID_OFF_T SIZEOF_LONG
+#define PRINTF_OFF_T "ld"
+#define strto_off_t strtol
+#endif
+
+/*
+ * ISO C99 Standard printf() macros for 64 bit integers
+ * On some 64 bit platform, HP Tru64 is one, for printf must be used
+ * "%lx" instead of "%llx"
+ */
+#ifndef PRId64
+#ifdef _SQUID_MSWIN_ /* Windows native port using MSVCRT */
+#define PRId64 "I64d"
+#elif SIZEOF_INT64_T > SIZEOF_LONG
+#define PRId64 "lld"
+#else
+#define PRId64 "ld"
+#endif
+#endif
+
+#ifndef PRIu64
+#ifdef _SQUID_MSWIN_ /* Windows native port using MSVCRT */
+#define PRIu64 "I64u"
+#elif SIZEOF_INT64_T > SIZEOF_LONG
+#define PRIu64 "llu"
+#else
+#define PRIu64 "lu"
+#endif
+#endif
+
#endif /* SQUID_TYPES_H */
diff -ruN squid-2.7.STABLE7/include/version.h squid-2.7.STABLE8/include/version.h
--- squid-2.7.STABLE7/include/version.h 2009-09-17 00:46:50.000000000 +0200
+++ squid-2.7.STABLE8/include/version.h 2010-03-10 01:41:19.000000000 +0100
@@ -9,5 +9,5 @@
*/
#ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1253141183
+#define SQUID_RELEASE_TIME 1268181671
#endif
diff -ruN squid-2.7.STABLE7/lib/rfc1035.c squid-2.7.STABLE8/lib/rfc1035.c
--- squid-2.7.STABLE7/lib/rfc1035.c 2008-06-19 03:11:44.000000000 +0200
+++ squid-2.7.STABLE8/lib/rfc1035.c 2010-02-12 21:28:07.000000000 +0100
@@ -1,6 +1,6 @@
/*
- * $Id: rfc1035.c,v 1.29.6.1 2008/06/19 01:11:44 hno Exp $
+ * $Id: rfc1035.c,v 1.29.6.2 2010/02/12 20:28:07 hno Exp $
*
* Low level DNS protocol routines
* AUTHOR: Duane Wessels
@@ -286,7 +286,9 @@
size_t len;
assert(ns > 0);
do {
- assert((*off) < sz);
+ if ((*off) >= sz) {
+ return 1;
+ }
c = *(buf + (*off));
if (c > 191) {
/* blasted compression */
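Review bot: The new bounds check returns a bare `1` with no comment, whereas the removed assert at least made the invariant explicit. Since `sz` and `*off` appear to describe packet data received from the network, I would record why this is a soft failure, e.g. `/* truncated or malformed packet: reject it instead of aborting the process */`. The check covers only the byte read on the following line. The compression branch continues outside the hunk, so whether its reads are bounded as well cannot be confirmed from here.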
diff -ruN squid-2.7.STABLE7/lib/rfc1738.c squid-2.7.STABLE8/lib/rfc1738.c
--- squid-2.7.STABLE7/lib/rfc1738.c 2007-05-24 00:00:02.000000000 +0200
+++ squid-2.7.STABLE8/lib/rfc1738.c 2010-02-12 21:24:40.000000000 +0100
@@ -1,5 +1,5 @@
/*
- * $Id: rfc1738.c,v 1.25 2007/05/23 22:00:02 hno Exp $
+ * $Id: rfc1738.c,v 1.25.2.1 2010/02/12 20:24:40 hno Exp $
*
* DEBUG:
* AUTHOR: Harvest Derived
@@ -180,30 +180,41 @@
* rfc1738_unescape() - Converts escaped characters (%xy numbers) in
* given the string. %% is a %. %ab is the 8-bit hexadecimal number "ab"
*/
+static inline int
+fromhex(char ch)
+{
+ if (ch >= '0' && ch <= '9')
+ return ch - '0';
+ if (ch >= 'a' && ch <= 'f')
+ return ch - 'a' + 10;
+ if (ch >= 'A' && ch <= 'F')
+ return ch - 'A' + 10;
+ return -1;
+}
+
void
rfc1738_unescape(char *s)
{
- char hexnum[3];
int i, j; /* i is write, j is read */
- unsigned int x;
for (i = j = 0; s[j]; i++, j++) {
s[i] = s[j];
- if (s[i] != '%')
- continue;
- if (s[j + 1] == '%') { /* %% case */
- j++;
- continue;
- }
- if (s[j + 1] && s[j + 2]) {
- if (s[j + 1] == '0' && s[j + 2] == '0') { /* %00 case */
- j += 2;
- continue;
- }
- hexnum[0] = s[j + 1];
- hexnum[1] = s[j + 2];
- hexnum[2] = '\0';
- if (1 == sscanf(hexnum, "%x", &x)) {
- s[i] = (char) (0x0ff & x);
+ if (s[j] != '%') {
+ /* normal case, nothing more to do */
+ } else if (s[j + 1] == '%') { /* %% case */
+ j++; /* Skip % */
+ } else {
+ /* decode */
+ char v1, v2;
+ int x;
+ v1 = fromhex(s[j + 1]);
+ if (v1 < 0)
+ continue; /* non-hex or \0 */
+ v2 = fromhex(s[j + 2]);
+ if (v2 < 0)
+ continue; /* non-hex or \0 */
+ x = v1 << 4 | v2;
+ if (x > 0 && x <= 255) {
+ s[i] = x;
j += 2;
}
}
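Review bot: `char v1, v2;` stores the `int` result of fromhex(), so on targets where plain `char` is unsigned the `-1` sentinel becomes 255 and neither `< 0` check can ever be true. In that case a `%` followed by the terminator or by a non-hex byte is not rejected, and `s[j + 2]` may be read past the NUL. Because `v1 << 4 | 255` is 255, the `x <= 255` test also passes and `j += 2` can step over the end of the string. Declaring `int v1, v2;` keeps the sentinel negative on every ABI. The closing lines of the loop and of rfc1738_unescape() are outside the hunk.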
diff -ruN squid-2.7.STABLE7/lib/rfc2617.c squid-2.7.STABLE8/lib/rfc2617.c
--- squid-2.7.STABLE7/lib/rfc2617.c 2008-01-02 21:28:48.000000000 +0100
+++ squid-2.7.STABLE8/lib/rfc2617.c 2010-02-12 21:15:54.000000000 +0100
@@ -13,7 +13,7 @@
/*
- * $Id: rfc2617.c,v 1.8.6.3 2008/01/02 20:28:48 hno Exp $
+ * $Id: rfc2617.c,v 1.8.6.4 2010/02/12 20:15:54 hno Exp $
*
* DEBUG:
* AUTHOR: RFC 2617 & Robert Collins
@@ -161,7 +161,7 @@
SQUID_MD5Update(&Md5Ctx, pszMethod, strlen(pszMethod));
SQUID_MD5Update(&Md5Ctx, ":", 1);
SQUID_MD5Update(&Md5Ctx, pszDigestUri, strlen(pszDigestUri));
- if (strcasecmp(pszQop, "auth-int") == 0) {
+ if (pszQop && strcasecmp(pszQop, "auth-int") == 0) {
SQUID_MD5Update(&Md5Ctx, ":", 1);
SQUID_MD5Update(&Md5Ctx, HEntity, HASHHEXLEN);
}
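Review bot: `pszQop` is now the only argument that this hunk and the following one tolerate as NULL, while `pszMethod` and `pszDigestUri` here, and `pszNonce`, `pszNonceCount` and `pszCNonce` in the next hunk, are still passed straight to strlen(). Whether those can be NULL depends on validation in the caller, which is not visible from these lines. I would state the contract in a comment above each function, e.g. `/* pszQop may be NULL (RFC 2069 client); all other string arguments must be non-NULL */`. Both function bodies start outside their hunks.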
@@ -175,7 +175,7 @@
SQUID_MD5Update(&Md5Ctx, ":", 1);
SQUID_MD5Update(&Md5Ctx, pszNonce, strlen(pszNonce));
SQUID_MD5Update(&Md5Ctx, ":", 1);
- if (*pszQop) {
+ if (pszQop && *pszQop) {
SQUID_MD5Update(&Md5Ctx, pszNonceCount, strlen(pszNonceCount));
SQUID_MD5Update(&Md5Ctx, ":", 1);
SQUID_MD5Update(&Md5Ctx, pszCNonce, strlen(pszCNonce));
diff -ruN squid-2.7.STABLE7/RELEASENOTES.html squid-2.7.STABLE8/RELEASENOTES.html
--- squid-2.7.STABLE7/RELEASENOTES.html 2009-09-17 00:58:18.000000000 +0200
+++ squid-2.7.STABLE8/RELEASENOTES.html 2010-03-10 01:41:49.000000000 +0100
@@ -2,12 +2,12 @@
- Squid 2.7.STABLE7 release notes
+ Squid 2.7.STABLE8 release notes
-Squid 2.7.STABLE7 release notes
+Squid 2.7.STABLE8 release notes
-Squid Developers
$Id: release.html,v 1.1.2.12 2009/09/16 22:29:48 hno Exp $
+Squid Developers
$Id: release.html,v 1.1.2.14 2010/03/07 21:12:08 hno Exp $
This document contains the release notes for version 2.7 of Squid.
Squid is a WWW Cache application developed by the Web Caching community.
@@ -59,6 +59,9 @@
+
+
+
@@ -556,6 +559,26 @@
+
+
+
+
+- Bug #2858: Segment violation in HTCP
+- Bug #2773: Segfault in RFC2069 Digest authantication
+- Bug #2845: Crashes on malformed Digest authentication
+- Bug #2367: Incorrect stale=true/false indications in Digest auth
+causing random auth popups.
+- Improve %nn parser to better deal with certain odd %nn sequences
+- Handle DNS header-only packets as invalid. (CVE-2010-0308)
+- Bug #2678 - storeurl_rewrite does not play nicely with vary
+- And many other minor bugfixes
+- See also the list of
+squid-2.7.STABLE8 changes and the
+ChangeLog file for details.
+
+
+
+
diff -ruN squid-2.7.STABLE7/src/auth/digest/auth_digest.c squid-2.7.STABLE8/src/auth/digest/auth_digest.c
--- squid-2.7.STABLE7/src/auth/digest/auth_digest.c 2008-01-02 16:54:26.000000000 +0100
+++ squid-2.7.STABLE8/src/auth/digest/auth_digest.c 2010-03-07 17:00:07.000000000 +0100
@@ -1,6 +1,6 @@
/*
- * $Id: auth_digest.c,v 1.23.2.1 2008/01/02 15:54:26 hno Exp $
+ * $Id: auth_digest.c,v 1.23.2.3 2010/03/07 16:00:07 hno Exp $
*
* DEBUG: section 29 Authenticator
* AUTHOR: Robert Collins
@@ -93,6 +93,34 @@
CBDATA_TYPE(authenticateStateData);
+enum http_digest_attr_type {
+ DIGEST_USERNAME,
+ DIGEST_REALM,
+ DIGEST_QOP,
+ DIGEST_ALGORITHM,
+ DIGEST_URI,
+ DIGEST_NONCE,
+ DIGEST_NC,
+ DIGEST_CNONCE,
+ DIGEST_RESPONSE,
+ DIGEST_ENUM_END
+};
+
+static const HttpHeaderFieldAttrs DigestAttrs[DIGEST_ENUM_END] =
+{
+ {"username", (http_hdr_type) DIGEST_USERNAME},
+ {"realm", (http_hdr_type) DIGEST_REALM},
+ {"qop", (http_hdr_type) DIGEST_QOP},
+ {"algorithm", (http_hdr_type) DIGEST_ALGORITHM},
+ {"uri", (http_hdr_type) DIGEST_URI},
+ {"nonce", (http_hdr_type) DIGEST_NONCE},
+ {"nc", (http_hdr_type) DIGEST_NC},
+ {"cnonce", (http_hdr_type) DIGEST_CNONCE},
+ {"response", (http_hdr_type) DIGEST_RESPONSE},
+};
+
+static HttpHeaderFieldInfo *DigestFieldsInfo = NULL;
+
/*
*
* Nonce Functions
@@ -567,6 +595,11 @@
{
if (digestauthenticators)
helperShutdown(digestauthenticators);
+
+ if (DigestFieldsInfo) {
+ httpHeaderDestroyFieldsInfo(DigestFieldsInfo, DIGEST_ENUM_END);
+ DigestFieldsInfo = NULL;
+ }
authdigest_initialised = 0;
if (!shutting_down) {
authenticateDigestNonceReconfigure();
@@ -722,6 +755,7 @@
RequestMethods[METHOD_GET].str, digest_request->uri, HA2, Response);
if (strcasecmp(digest_request->response, Response)) {
digest_request->flags.credentials_ok = 3;
+ digest_request->flags.invalid_password = 1;
safe_free(auth_user_request->message);
auth_user_request->message = xstrdup("Incorrect password");
return;
@@ -933,6 +967,7 @@
authDigestUserSetup();
authDigestRequestSetup();
authenticateDigestNonceSetup();
+ DigestFieldsInfo = httpHeaderBuildFieldsInfo(DigestAttrs, DIGEST_ENUM_END);
authdigest_initialised = 1;
if (digestauthenticators == NULL)
digestauthenticators = helperCreate("digestauthenticator");
@@ -1153,7 +1188,7 @@
debug(29, 9) ("authenticateDigestDecodeAuth: beginning\n");
assert(auth_user_request != NULL);
- digest_request = authDigestRequestNew();
+ digest_request = auth_user_request->scheme_data = authDigestRequestNew();
/* trim DIGEST from string */
while (xisgraph(*proxy_auth))
@@ -1164,82 +1199,102 @@
proxy_auth++;
stringInit(&temp, proxy_auth);
+
while (strListGetItem(&temp, ',', &item, &ilen, &pos)) {
- if ((p = strchr(item, '=')) && (p - item < ilen))
- ilen = p++ - item;
- if (!strncmp(item, "username", ilen)) {
- /* white space */
- while (xisspace(*p))
- p++;
- /* quote mark */
- p++;
- username = xstrndup(p, strchr(p, '"') + 1 - p);
+ String value = StringNull;
+ size_t nlen;
+ size_t vlen;
+ enum http_digest_attr_type type;
+
+ /* isolate directive name & value */
+ if ((p = (const char *) memchr(item, '=', ilen)) && (p - item < ilen)) {
+ nlen = p++ - item;
+ vlen = ilen - (p - item);
+ } else {
+ nlen = ilen;
+ vlen = 0;
+ }
+
+ /* parse value. auth-param = token "=" ( token | quoted-string ) */
+ if (vlen > 0) {
+ if (*p == '"') {
+ if (!httpHeaderParseQuotedString(p, &value)) {
+ debug(29, 9) ("authDigestDecodeAuth: Failed to parse attribute '%s' in '%s'\n", item, proxy_auth);
+ continue;
+ }
+ } else {
+ stringLimitInit(&value, p, vlen);
+ }
+ } else {
+ debug(29, 9) ("authDigestDecodeAuth: Failed to parse attribute '%s' in '%s'\n", item, proxy_auth);
+ continue;
+ }
+
+ /* find type */
+ type = (enum http_digest_attr_type) httpHeaderIdByName(item, nlen, DigestFieldsInfo, DIGEST_ENUM_END);
+
+ switch (type) {
+ case DIGEST_USERNAME:
+ safe_free(username);
+ username = xstrndup(strBuf(value), strLen(value) + 1);
debug(29, 9) ("authDigestDecodeAuth: Found Username '%s'\n", username);
- } else if (!strncmp(item, "realm", ilen)) {
- /* white space */
- while (xisspace(*p))
- p++;
- /* quote mark */
- p++;
- digest_request->realm = xstrndup(p, strchr(p, '"') + 1 - p);
+ break;
+
+ case DIGEST_REALM:
+ safe_free(digest_request->realm);
+ digest_request->realm = xstrndup(strBuf(value), strLen(value) + 1);
debug(29, 9) ("authDigestDecodeAuth: Found realm '%s'\n", digest_request->realm);
- } else if (!strncmp(item, "qop", ilen)) {
- /* white space */
- while (xisspace(*p))
- p++;
- if (*p == '\"')
- /* quote mark */
- p++;
- digest_request->qop = xstrndup(p, strcspn(p, "\" \t\r\n()<>@,;:\\/[]?={}") + 1);
+ break;
+
+ case DIGEST_QOP:
+ safe_free(digest_request->qop);
+ digest_request->qop = xstrndup(strBuf(value), strLen(value) + 1);
debug(29, 9) ("authDigestDecodeAuth: Found qop '%s'\n", digest_request->qop);
- } else if (!strncmp(item, "algorithm", ilen)) {
- /* white space */
- while (xisspace(*p))
- p++;
- if (*p == '\"')
- /* quote mark */
- p++;
- digest_request->algorithm = xstrndup(p, strcspn(p, "\" \t\r\n()<>@,;:\\/[]?={}") + 1);
+ break;
+
+ case DIGEST_ALGORITHM:
+ safe_free(digest_request->algorithm);
+ digest_request->algorithm = xstrndup(strBuf(value), strLen(value) + 1);
debug(29, 9) ("authDigestDecodeAuth: Found algorithm '%s'\n", digest_request->algorithm);
- } else if (!strncmp(item, "uri", ilen)) {
- /* white space */
- while (xisspace(*p))
- p++;
- /* quote mark */
- p++;
- digest_request->uri = xstrndup(p, strchr(p, '"') + 1 - p);
+ break;
+
+ case DIGEST_URI:
+ safe_free(digest_request->uri);
+ digest_request->uri = xstrndup(strBuf(value), strLen(value) + 1);
debug(29, 9) ("authDigestDecodeAuth: Found uri '%s'\n", digest_request->uri);
- } else if (!strncmp(item, "nonce", ilen)) {
- /* white space */
- while (xisspace(*p))
- p++;
- /* quote mark */
- p++;
- digest_request->nonceb64 = xstrndup(p, strchr(p, '"') + 1 - p);
+ break;
+
+ case DIGEST_NONCE:
+ safe_free(digest_request->nonceb64);
+ digest_request->nonceb64 = xstrndup(strBuf(value), strLen(value) + 1);
debug(29, 9) ("authDigestDecodeAuth: Found nonce '%s'\n", digest_request->nonceb64);
- } else if (!strncmp(item, "nc", ilen)) {
- /* white space */
- while (xisspace(*p))
- p++;
- xstrncpy(digest_request->nc, p, 9);
+ break;
+
+ case DIGEST_NC:
+ if (strLen(value) != 8) {
+ debug(29, 9) ("authDigestDecodeAuth: Invalid nc '%s' in '%s'\n", strBuf(value), proxy_auth);
+ }
+ xstrncpy(digest_request->nc, strBuf(value), strLen(value) + 1);
debug(29, 9) ("authDigestDecodeAuth: Found noncecount '%s'\n", digest_request->nc);
- } else if (!strncmp(item, "cnonce", ilen)) {
- /* white space */
- while (xisspace(*p))
- p++;
- /* quote mark */
- p++;
- digest_request->cnonce = xstrndup(p, strchr(p, '"') + 1 - p);
+ break;
+
+ case DIGEST_CNONCE:
+ safe_free(digest_request->cnonce);
+ digest_request->cnonce = xstrndup(strBuf(value), strLen(value) + 1);
debug(29, 9) ("authDigestDecodeAuth: Found cnonce '%s'\n", digest_request->cnonce);
- } else if (!strncmp(item, "response", ilen)) {
- /* white space */
- while (xisspace(*p))
- p++;
- /* quote mark */
- p++;
- digest_request->response = xstrndup(p, strchr(p, '"') + 1 - p);
+ break;
+
+ case DIGEST_RESPONSE:
+ safe_free(digest_request->response);
+ digest_request->response = xstrndup(strBuf(value), strLen(value) + 1);
debug(29, 9) ("authDigestDecodeAuth: Found response '%s'\n", digest_request->response);
+ break;
+
+ default:
+ debug(29, 3) ("authDigestDecodeAuth: Unknown attribute '%s' in '%s'\n", item, proxy_auth);
+ break;
}
+ stringClean(&value);
}
stringClean(&temp);
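Review bot: In the `DIGEST_NC` case the copy bound is `strLen(value) + 1`, which is the length of the client-supplied value rather than the size of the destination, and the `!= 8` check above it only logs. The removed line bounded the same copy with 9, which suggests `digest_request->nc` is a fixed 9-byte field (its declaration is not in this hunk), so an nc longer than 8 characters would be written past it. I would tie the bound to the destination again, `xstrncpy(digest_request->nc, strBuf(value), 9);`, or add `break;` after the debug line so that an invalid nc is never copied. The later `strlen(digest_request->nc) != 8` validation runs only after this copy has happened.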
@@ -1255,100 +1310,96 @@
* correct values - 400/401/407
*/
- /* first the NONCE count */
- if (digest_request->cnonce && strlen(digest_request->nc) != 8) {
- debug(29, 4) ("authenticateDigestDecode: nonce count length invalid\n");
- authDigestLogUsername(auth_user_request, username);
-
- /* we don't need the scheme specific data anymore */
- authDigestRequestDelete(digest_request);
- auth_user_request->scheme_data = NULL;
- return;
- }
- /* now the nonce */
- nonce = authenticateDigestNonceFindNonce(digest_request->nonceb64);
- if (!nonce) {
- /* we couldn't find a matching nonce! */
- debug(29, 4) ("authenticateDigestDecode: Unexpected or invalid nonce received\n");
- authDigestLogUsername(auth_user_request, username);
- auth_user_request->scheme_data = digest_request;
- return;
- }
- digest_request->nonce = nonce;
- authDigestNonceLink(nonce);
-
- /* check the qop is what we expected. Note that for compatability with
- * RFC 2069 we should support a missing qop. Tough. */
- if (digest_request->qop && strcmp(digest_request->qop, QOP_AUTH) != 0) {
- /* we received a qop option we didn't send */
- debug(29, 4) ("authenticateDigestDecode: Invalid qop option received\n");
- authDigestLogUsername(auth_user_request, username);
-
- /* we don't need the scheme specific data anymore */
- authDigestRequestDelete(digest_request);
- auth_user_request->scheme_data = NULL;
- return;
- }
- /* we can't check the URI just yet. We'll check it in the
- * authenticate phase */
-
- /* is the response the correct length? */
+ /* 2069 requirements */
- if (!digest_request->response || strlen(digest_request->response) != 32) {
- debug(29, 4) ("authenticateDigestDecode: Response length invalid\n");
- authDigestLogUsername(auth_user_request, username);
-
- /* we don't need the scheme specific data anymore */
- authDigestRequestDelete(digest_request);
- auth_user_request->scheme_data = NULL;
- return;
- }
/* do we have a username ? */
if (!username || username[0] == '\0') {
debug(29, 4) ("authenticateDigestDecode: Empty or not present username\n");
- authDigestLogUsername(auth_user_request, username);
-
- /* we don't need the scheme specific data anymore */
- authDigestRequestDelete(digest_request);
- auth_user_request->scheme_data = NULL;
- return;
+ return authDigestLogUsername(auth_user_request, username);
}
- /* check that we're not being hacked / the username hasn't changed */
- if (nonce->auth_user && strcmp(username, authenticateUserUsername(nonce->auth_user))) {
- debug(29, 4) ("authenticateDigestDecode: Username for the nonce does not equal the username for the request\n");
- authDigestLogUsername(auth_user_request, username);
-
- /* we don't need the scheme specific data anymore */
- authDigestRequestDelete(digest_request);
- auth_user_request->scheme_data = NULL;
- return;
+ /* Sanity check of the username.
+ * " can not be allowed in usernames until * the digest helper protocol
+ * have been redone
+ */
+ if (strchr(username, '"')) {
+ debug(29, 2) ("authenticateDigestDecode: Unacceptable username '%s'\n", username);
+ return authDigestLogUsername(auth_user_request, username);
+ }
+ /* do we have a realm ? */
+ if (!digest_request->realm || digest_request->realm[0] == '\0') {
+ debug(29, 2) ("authenticateDigestDecode: Empty or not present realm");
+ return authDigestLogUsername(auth_user_request, username);
+ }
+ /* and a nonce? */
+ if (!digest_request->nonceb64 || digest_request->nonceb64[0] == '\0') {
+ debug(29, 2) ("authenticateDigestDecode: Empty or not present nonce");
+ return authDigestLogUsername(auth_user_request, username);
}
- /* if we got a qop, did we get a cnonce or did we get a cnonce wihtout a qop? */
- if ((digest_request->qop && !digest_request->cnonce)
- || (!digest_request->qop && digest_request->cnonce)) {
- debug(29, 4) ("authenticateDigestDecode: qop without cnonce, or vice versa!\n");
- authDigestLogUsername(auth_user_request, username);
-
- /* we don't need the scheme specific data anymore */
- authDigestRequestDelete(digest_request);
- auth_user_request->scheme_data = NULL;
- return;
+ /* we can't check the URI just yet. We'll check it in the
+ * authenticate phase, but needs to be given */
+ if (!digest_request->uri || digest_request->uri[0] == '\0') {
+ debug(29, 2) ("authenticateDigestDecode: Missing URI field");
+ return authDigestLogUsername(auth_user_request, username);
+ }
+ /* is the response the correct length? */
+ if (!digest_request->response || strlen(digest_request->response) != 32) {
+ debug(29, 2) ("authenticateDigestDecode: Response length invalid\n");
+ return authDigestLogUsername(auth_user_request, username);
}
/* check the algorithm is present and supported */
if (!digest_request->algorithm)
digest_request->algorithm = xstrndup("MD5", 4);
else if (strcmp(digest_request->algorithm, "MD5")
&& strcmp(digest_request->algorithm, "MD5-sess")) {
- debug(29, 4) ("authenticateDigestDecode: invalid algorithm specified!\n");
- authDigestLogUsername(auth_user_request, username);
+ debug(29, 2) ("authenticateDigestDecode: invalid algorithm specified!\n");
+ return authDigestLogUsername(auth_user_request, username);
+ }
+ /* 2617 requirements, indicated by qop */
+ if (digest_request->qop) {
- /* we don't need the scheme specific data anymore */
- authDigestRequestDelete(digest_request);
- auth_user_request->scheme_data = NULL;
- return;
+ /* check the qop is what we expected. */
+ if (strcmp(digest_request->qop, QOP_AUTH) != 0) {
+ /* we received a qop option we didn't send */
+ debug(29, 2) ("authenticateDigestDecode: Invalid qop option received\n");
+ return authDigestLogUsername(auth_user_request, username);
+ }
+ /* check cnonce */
+ if (!digest_request->cnonce || digest_request->cnonce[0] == '\0') {
+ debug(29, 2) ("authenticateDigestDecode: Missing cnonce field\n");
+ return authDigestLogUsername(auth_user_request, username);
+ }
+ /* check nc */
+ if (strlen(digest_request->nc) != 8 || strspn(digest_request->nc, "0123456789abcdefABCDEF") != 8) {
+ debug(29, 2) ("authenticateDigestDecode: invalid nonce count\n");
+ return authDigestLogUsername(auth_user_request, username);
+ }
+ } else {
+ /* cnonce and nc both require qop */
+ if (digest_request->cnonce || digest_request->nc) {
+ debug(29, 2) ("authenticateDigestDecode: missing qop!\n");
+ return authDigestLogUsername(auth_user_request, username);
+ }
}
- /* the method we'll check at the authenticate step as well */
+/** below nonce state dependent **/
+
+ /* now the nonce */
+ nonce = authenticateDigestNonceFindNonce(digest_request->nonceb64);
+ if (!nonce) {
+ /* we couldn't find a matching nonce! */
+ debug(29, 2) ("authenticateDigestDecode: Unexpected or invalid nonce received\n");
+ digest_request->flags.credentials_ok = 3;
+ return authDigestLogUsername(auth_user_request, username);
+ }
+ digest_request->nonce = nonce;
+ authDigestNonceLink(nonce);
+
+ /* check that we're not being hacked / the username hasn't changed */
+ if (nonce->auth_user && strcmp(username, authenticateUserUsername(nonce->auth_user))) {
+ debug(29, 2) ("authenticateDigestDecode: Username for the nonce does not equal the username for the request\n");
+ return authDigestLogUsername(auth_user_request, username);
+ }
+ /* the method we'll check at the authenticate step as well */
/* we don't send or parse opaques. Ok so we're flexable ... */
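Review bot: In the `else` branch for requests without qop, `digest_request->nc` is tested as a pointer. The parser fills it with xstrncpy() and the qop branch calls strlen() on it unguarded, so it looks like an array member, in which case the test is always true. If so, every RFC 2069 style request (no qop) is rejected with "missing qop!" even when neither cnonce nor nc was sent. Testing the content instead, `if (digest_request->cnonce || digest_request->nc[0] != '\0') {`, matches the comment above it; this assumes the request struct is zero-initialised, which is not visible here. Separately, the realm, nonce and URI debug() strings lack the trailing `\n` that the other messages have.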
@@ -1384,7 +1435,6 @@
}
/*link the request and the user */
auth_user_request->auth_user = auth_user;
- auth_user_request->scheme_data = digest_request;
/* lock for the request link */
authenticateAuthUserLock(auth_user);
node = dlinkNodeNew();
diff -ruN squid-2.7.STABLE7/src/cf.data.pre squid-2.7.STABLE8/src/cf.data.pre
--- squid-2.7.STABLE7/src/cf.data.pre 2009-08-16 23:52:42.000000000 +0200
+++ squid-2.7.STABLE8/src/cf.data.pre 2009-11-09 23:38:57.000000000 +0100
@@ -1,6 +1,6 @@
#
-# $Id: cf.data.pre,v 1.450.2.33 2009/08/16 21:52:42 hno Exp $
+# $Id: cf.data.pre,v 1.450.2.34 2009/11/09 22:38:57 hno Exp $
#
# SQUID Web Proxy Cache http://www.squid-cache.org/
# ----------------------------------------------------------
@@ -877,7 +877,7 @@
DOC_END
NAME: reply_body_max_size
-COMMENT: bytes allow|deny acl acl...
+COMMENT: bytes deny acl acl...
TYPE: body_size_t
DEFAULT: none
DEFAULT_IF_NONE: 0 allow all
@@ -887,7 +887,7 @@
It can be used to prevent users from downloading very large files,
such as MP3's and movies. When the reply headers are received,
the reply_body_max_size lines are processed, and the first line with
- a result of "allow" is used as the maximum body size for this reply.
+ a result of "deny" is used as the maximum body size for this reply.
This size is checked twice. First when we get the reply headers,
we check the content-length value. If the content length value exists
and is larger than the allowed size, the request is denied and the
diff -ruN squid-2.7.STABLE7/src/client_side.c squid-2.7.STABLE8/src/client_side.c
--- squid-2.7.STABLE7/src/client_side.c 2009-08-16 23:43:51.000000000 +0200
+++ squid-2.7.STABLE8/src/client_side.c 2010-02-14 01:46:25.000000000 +0100
@@ -1,6 +1,6 @@
/*
- * $Id: client_side.c,v 1.754.2.27 2009/08/16 21:43:51 hno Exp $
+ * $Id: client_side.c,v 1.754.2.29 2010/02/14 00:46:25 hno Exp $
*
* DEBUG: section 33 Client-side Routines
* AUTHOR: Duane Wessels
@@ -651,7 +651,7 @@
vary = httpMakeVaryMark(request, rep);
if (etag && vary) {
- storeAddVary(url, entry->mem_obj->method, NULL, httpHeaderGetStr(&rep->header, HDR_ETAG), request->vary_hdr, request->vary_headers, strBuf(request->vary_encoding));
+ storeAddVary(entry->mem_obj->store_url, entry->mem_obj->url, entry->mem_obj->method, NULL, httpHeaderGetStr(&rep->header, HDR_ETAG), request->vary_hdr, request->vary_headers, strBuf(request->vary_encoding));
}
}
clientHandleETagMiss(http);
@@ -3437,6 +3437,11 @@
return LOG_TCP_MISS;
}
if (EBIT_TEST(e->flags, KEY_EARLY_PUBLIC)) {
+ if (clientOnlyIfCached(http)) {
+ debug(33, 3) ("clientProcessRequest2: collapsed only-if-cached MISS\n");
+ http->entry = NULL;
+ return LOG_TCP_MISS;
+ }
r->flags.collapsed = 1; /* Don't trust the store entry */
}
if (EBIT_TEST(e->flags, ENTRY_SPECIAL)) {
diff -ruN squid-2.7.STABLE7/src/dns_internal.c squid-2.7.STABLE8/src/dns_internal.c
--- squid-2.7.STABLE7/src/dns_internal.c 2009-08-16 23:49:44.000000000 +0200
+++ squid-2.7.STABLE8/src/dns_internal.c 2010-02-14 00:37:10.000000000 +0100
@@ -1,6 +1,6 @@
/*
- * $Id: dns_internal.c,v 1.63.2.10 2009/08/16 21:49:44 hno Exp $
+ * $Id: dns_internal.c,v 1.63.2.12 2010/02/13 23:37:10 hno Exp $
*
* DEBUG: section 78 DNS lookups; interacts with lib/rfc1035.c
* AUTHOR: Duane Wessels
@@ -318,7 +318,7 @@
idnsParseWIN32SearchList(const char *Separator)
{
char *t;
- char *token;
+ const char *token;
HKEY hndKey;
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, REG_TCPIP_PARA, 0, KEY_QUERY_VALUE, &hndKey) == ERROR_SUCCESS) {
@@ -351,10 +351,10 @@
}
RegCloseKey(hndKey);
}
- if (npc == 0 && ((const char *) t = getMyHostname())) {
- t = strchr(t, '.');
- if (t)
- idnsAddPathComponent(t + 1);
+ if (npc == 0 && (token = getMyHostname())) {
+ token = strchr(token, '.');
+ if (token)
+ idnsAddPathComponent(token + 1);
}
}
diff -ruN squid-2.7.STABLE7/src/htcp.c squid-2.7.STABLE8/src/htcp.c
--- squid-2.7.STABLE7/src/htcp.c 2008-05-05 01:23:13.000000000 +0200
+++ squid-2.7.STABLE8/src/htcp.c 2010-02-11 11:05:01.000000000 +0100
@@ -1,6 +1,6 @@
/*
- * $Id: htcp.c,v 1.55.2.2 2008/05/04 23:23:13 hno Exp $
+ * $Id: htcp.c,v 1.55.2.3 2010/02/11 10:05:01 amosjeffries Exp $
*
* DEBUG: section 31 Hypertext Caching Protocol
* AUTHOR: Duane Wesssels
@@ -950,6 +950,11 @@
debug(31, 3) ("htcpHandleClr: htcpUnpackSpecifier failed\n");
return;
}
+ if (!s->request) {
+ debug(31, 2) ("htcpHandleTstRequest: failed to parse request\n");
+ htcpFreeSpecifier(s);
+ return;
+ }
if (!htcpAccessCheck(Config.accessList.htcp_clr, s, from)) {
debug(31, 2) ("htcpHandleClr: Access denied\n");
htcpFreeSpecifier(s);
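Review bot: The added debug line is labelled `htcpHandleTstRequest`, although the neighbouring messages show this code is in htcpHandleClr. A failed CLR parse will therefore be attributed to the wrong handler when someone reads cache.log during triage. I would change it to `debug(31, 2) ("htcpHandleClr: failed to parse request\n");`. The function body starts and ends outside the hunk.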
diff -ruN squid-2.7.STABLE7/src/HttpHeaderTools.c squid-2.7.STABLE8/src/HttpHeaderTools.c
--- squid-2.7.STABLE7/src/HttpHeaderTools.c 2009-09-16 22:56:03.000000000 +0200
+++ squid-2.7.STABLE8/src/HttpHeaderTools.c 2010-03-07 17:00:07.000000000 +0100
@@ -1,6 +1,6 @@
/*
- * $Id: HttpHeaderTools.c,v 1.41.2.2 2009/09/16 20:56:03 hno Exp $
+ * $Id: HttpHeaderTools.c,v 1.41.2.3 2010/03/07 16:00:07 hno Exp $
*
* DEBUG: section 66 HTTP Header Tools
* AUTHOR: Alex Rousskov
@@ -420,6 +420,42 @@
}
#endif
+/**
+ * Parses a quoted-string field (RFC 2616 section 2.2), complains if
+ * something went wrong, returns non-zero on success.
+ * start should point at the first double-quote.
+ * RC TODO: This is too looose. We should honour the BNF and exclude CTL's
+ */
+int
+httpHeaderParseQuotedString(const char *start, String * val)
+{
+ const char *end, *pos;
+ stringClean(val);
+ if (*start != '"') {
+ debug(66, 2) ("failed to parse a quoted-string header field near '%s'\n", start);
+ return 0;
+ }
+ pos = start + 1;
+
+ while (*pos != '"') {
+ int quoted = (*pos == '\\');
+ if (quoted)
+ pos++;
+ if (!*pos) {
+ debug(66, 2) ("failed to parse a quoted-string header field near '%s'\n", start);
+ stringClean(val);
+ return 0;
+ }
+ end = pos + strcspn(pos + quoted, "\"\\") + quoted;
+ stringAppend(val, pos, end - pos);
+ pos = end;
+ }
+ /* Make sure it's defined even if empty "" */
+ if (!val->buf)
+ stringLimitInit(val, "", 0);
+ return 1;
+}
+
/*
* httpHdrMangle checks the anonymizer (header_access) configuration.
* Returns 1 if the header is allowed.
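Review bot: httpHeaderParseQuotedString() takes no length, so it scans to the first unescaped `"` or the NUL terminator, not to the end of whatever field the caller isolated. The doc comment should say so, and should also state the contract on `val`: it is passed to stringClean() on entry, so it must already be initialised, and it is cleaned again on failure. A line such as `start must be NUL-terminated; val must be an initialised String and is left empty on failure` would cover both. The RC TODO about control characters still stands, so callers that log or forward the parsed value should expect CR/LF inside it until that is resolved.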
diff -ruN squid-2.7.STABLE7/src/main.c squid-2.7.STABLE8/src/main.c
--- squid-2.7.STABLE7/src/main.c 2009-06-26 00:53:15.000000000 +0200
+++ squid-2.7.STABLE8/src/main.c 2010-03-07 16:58:56.000000000 +0100
@@ -1,6 +1,6 @@
/*
- * $Id: main.c,v 1.403.2.4 2009/06/25 22:53:15 hno Exp $
+ * $Id: main.c,v 1.403.2.6 2010/03/07 15:58:56 hno Exp $
*
* DEBUG: section 1 Startup and Main Loop
* AUTHOR: Harvest Derived
@@ -401,6 +401,7 @@
authenticateShutdown();
externalAclShutdown();
refreshCheckShutdown();
+ storeDirSync(); /* Flush pending I/O ops */
storeDirCloseSwapLogs();
storeLogClose();
accessLogClose();
@@ -473,7 +474,6 @@
refreshCheckShutdown();
_db_rotate_log(); /* cache.log */
storeDirWriteCleanLogs(1);
- storeDirSync(); /* Flush pending I/O ops */
storeLogRotate(); /* store.log */
accessLogRotate(); /* access.log */
useragentRotateLog(); /* useragent.log */
@@ -551,7 +551,8 @@
Config.Port.icp = (u_short) icpPortNumOverride;
_db_init(Config.Log.log, Config.debugOptions);
- fd_open(fileno(debug_log), FD_LOG, Config.Log.log);
+ if (debug_log != stderr)
+ fd_open(fileno(debug_log), FD_LOG, Config.Log.log);
#if MEM_GEN_TRACE
log_trace_init("/tmp/squid.alloc");
#endif
diff -ruN squid-2.7.STABLE7/src/protos.h squid-2.7.STABLE8/src/protos.h
--- squid-2.7.STABLE7/src/protos.h 2009-08-16 23:43:51.000000000 +0200
+++ squid-2.7.STABLE8/src/protos.h 2010-03-07 17:00:07.000000000 +0100
@@ -1,6 +1,6 @@
/*
- * $Id: protos.h,v 1.547.2.11 2009/08/16 21:43:51 hno Exp $
+ * $Id: protos.h,v 1.547.2.13 2010/03/07 16:00:07 hno Exp $
*
*
* SQUID Web Proxy Cache http://www.squid-cache.org/
@@ -426,6 +426,7 @@
extern const char *getStringPrefix(const char *str, const char *end);
extern int httpHeaderParseInt(const char *start, int *val);
extern int httpHeaderParseSize(const char *start, squid_off_t * sz);
+extern int httpHeaderParseQuotedString(const char *start, String * val);
extern int httpHeaderReset(HttpHeader * hdr);
extern void httpHeaderAddClone(HttpHeader * hdr, const HttpHeaderEntry * e);
#if STDC_HEADERS
@@ -1470,7 +1471,7 @@
/* ETag support */
void storeLocateVaryDone(VaryData * data);
void storeLocateVary(StoreEntry * e, int offset, const char *vary_data, String accept_encoding, STLVCB * callback, void *cbdata);
-void storeAddVary(const char *url, const method_t method, const cache_key * key, const char *etag, const char *vary, const char *vary_headers, const char *accept_encoding);
+void storeAddVary(const char *store_url, const char *url, const method_t method, const cache_key * key, const char *etag, const char *vary, const char *vary_headers, const char *accept_encoding);
/* New HTTP message parsing support */
extern void HttpMsgBufInit(HttpMsgBuf * hmsg, const char *buf, size_t size);
diff -ruN squid-2.7.STABLE7/src/squid.h squid-2.7.STABLE8/src/squid.h
--- squid-2.7.STABLE7/src/squid.h 2008-01-09 14:55:23.000000000 +0100
+++ squid-2.7.STABLE8/src/squid.h 2010-02-12 21:22:18.000000000 +0100
@@ -1,6 +1,6 @@
/*
- * $Id: squid.h,v 1.244.6.2 2008/01/09 13:55:23 hno Exp $
+ * $Id: squid.h,v 1.244.6.3 2010/02/12 20:22:18 hno Exp $
*
* AUTHOR: Duane Wessels
*
@@ -359,31 +359,6 @@
#define S_ISDIR(mode) (((mode) & (_S_IFMT)) == (_S_IFDIR))
#endif
-/*
- * ISO C99 Standard printf() macros for 64 bit integers
- * On some 64 bit platform, HP Tru64 is one, for printf must be used
- * "%lx" instead of "%llx"
- */
-#ifndef PRId64
-#ifdef _SQUID_MSWIN_ /* Windows native port using MSVCRT */
-#define PRId64 "I64d"
-#elif SIZEOF_INT64_T > SIZEOF_LONG
-#define PRId64 "lld"
-#else
-#define PRId64 "ld"
-#endif
-#endif
-
-#ifndef PRIu64
-#ifdef _SQUID_MSWIN_ /* Windows native port using MSVCRT */
-#define PRIu64 "I64u"
-#elif SIZEOF_INT64_T > SIZEOF_LONG
-#define PRIu64 "llu"
-#else
-#define PRIu64 "lu"
-#endif
-#endif
-
#ifdef USE_GNUREGEX
#include "GNUregex.h"
#elif HAVE_REGEX_H
diff -ruN squid-2.7.STABLE7/src/ssl_support.c squid-2.7.STABLE8/src/ssl_support.c
--- squid-2.7.STABLE7/src/ssl_support.c 2006-07-04 23:55:55.000000000 +0200
+++ squid-2.7.STABLE8/src/ssl_support.c 2010-03-07 16:59:18.000000000 +0100
@@ -1,6 +1,6 @@
/*
- * $Id: ssl_support.c,v 1.11 2006/07/04 21:55:55 hno Exp $
+ * $Id: ssl_support.c,v 1.11.6.1 2010/03/07 15:59:18 hno Exp $
*
* AUTHOR: Benno Rice
* DEBUG: section 83 SSL accelerator support
@@ -426,7 +426,7 @@
sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath, const char *CRLfile, const char *dhfile, const char *context)
{
int ssl_error;
- SSL_METHOD *method;
+ const SSL_METHOD *method;
SSL_CTX *sslContext;
long fl = ssl_parse_flags(flags);
@@ -587,7 +587,7 @@
sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile)
{
int ssl_error;
- SSL_METHOD *method;
+ const SSL_METHOD *method;
SSL_CTX *sslContext;
long fl = ssl_parse_flags(flags);
diff -ruN squid-2.7.STABLE7/src/store.c squid-2.7.STABLE8/src/store.c
--- squid-2.7.STABLE7/src/store.c 2009-08-16 23:50:53.000000000 +0200
+++ squid-2.7.STABLE8/src/store.c 2010-02-14 01:45:52.000000000 +0100
@@ -1,6 +1,6 @@
/*
- * $Id: store.c,v 1.584.2.9 2009/08/16 21:50:53 hno Exp $
+ * $Id: store.c,v 1.584.2.10 2010/02/14 00:45:52 hno Exp $
*
* DEBUG: section 20 Storage Manager
* AUTHOR: Harvest Derived
@@ -417,6 +417,7 @@
StoreEntry *oe;
StoreEntry *e;
store_client *sc;
+ char *store_url;
char *url;
char *key;
char *vary_headers;
@@ -468,6 +469,7 @@
storeUnlockObject(state->oe);
state->oe = NULL;
}
+ safe_free(state->store_url);
safe_free(state->url);
safe_free(state->key);
safe_free(state->vary_headers);
@@ -711,7 +713,7 @@
* At leas one of key or etag must be specified, preferably both.
*/
void
-storeAddVary(const char *url, const method_t method, const cache_key * key, const char *etag, const char *vary, const char *vary_headers, const char *accept_encoding)
+storeAddVary(const char *store_url, const char *url, const method_t method, const cache_key * key, const char *etag, const char *vary, const char *vary_headers, const char *accept_encoding)
{
AddVaryState *state;
request_flags flags = null_request_flags;
@@ -725,13 +727,15 @@
state->accept_encoding = xstrdup(accept_encoding);
if (etag)
state->etag = xstrdup(etag);
- state->oe = storeGetPublic(url, method);
+ state->oe = storeGetPublic(store_url ? store_url : url, method);
debug(11, 2) ("storeAddVary: %s (%s) %s %s\n",
state->url, state->key, state->vary_headers, state->etag);
if (state->oe)
storeLockObject(state->oe);
flags.cachable = 1;
state->e = storeCreateEntry(url, flags, method);
+ if (store_url)
+ state->e->mem_obj->store_url = xstrdup(store_url);
httpReplySetHeaders(state->e->mem_obj->reply, HTTP_OK, "Internal marker object", "x-squid-internal/vary", -1, -1, squid_curtime + 100000);
httpHeaderPutStr(&state->e->mem_obj->reply->header, HDR_VARY, vary);
storeSetPublicKey(state->e);
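Review bot: `state->store_url` is never assigned in any store.c hunk of this patch: the struct hunk adds the field and the cleanup hunk adds `safe_free(state->store_url)` (apparently on the same state struct), but here `store_url` is only copied into `state->e->mem_obj->store_url`. Either drop the field and its free, or populate it next to the other copies with `if (store_url) state->store_url = xstrdup(store_url);`. The `debug(11, 2)` line also still prints only `state->url`, so when a store URL is supplied the log does not show the URL that `storeGetPublic()` was actually keyed on; logging it would make cache-key mismatches easier to trace. The body of storeAddVary starts and ends outside this hunk.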
@@ -1055,7 +1059,7 @@
strListAdd(&vary, strBuf(varyhdr), ',');
stringClean(&varyhdr);
#endif
- storeAddVary(mem->url, mem->method, newkey, httpHeaderGetStr(&mem->reply->header, HDR_ETAG), strBuf(vary), mem->vary_headers, mem->vary_encoding);
+ storeAddVary(mem->store_url, mem->url, mem->method, newkey, httpHeaderGetStr(&mem->reply->header, HDR_ETAG), strBuf(vary), mem->vary_headers, mem->vary_encoding);
stringClean(&vary);
}
} else {
diff -ruN squid-2.7.STABLE7/src/tools.c squid-2.7.STABLE8/src/tools.c
--- squid-2.7.STABLE7/src/tools.c 2008-10-06 23:27:17.000000000 +0200
+++ squid-2.7.STABLE8/src/tools.c 2010-03-07 16:56:50.000000000 +0100
@@ -1,6 +1,6 @@
/*
- * $Id: tools.c,v 1.260.2.5 2008/10/06 21:27:17 hno Exp $
+ * $Id: tools.c,v 1.260.2.6 2010/03/07 15:56:50 hno Exp $
*
* DEBUG: section 21 Misc Functions
* AUTHOR: Harvest Derived
@@ -42,13 +42,15 @@
#ifdef _SQUID_LINUX_
#if HAVE_SYS_CAPABILITY_H
-#undef _POSIX_SOURCE
+#if LIBCAP_BROKEN
/* Ugly glue to get around linux header madness colliding with glibc */
+#undef _POSIX_SOURCE
#define _LINUX_TYPES_H
#define _LINUX_FS_H
typedef uint32_t __u32;
-#include
#endif
+#include
+#endif /* HAVE_SYS_CAPABILITY_H */
#endif
#if HAVE_SYS_PRCTL_H
@@ -1344,7 +1346,7 @@
void
keepCapabilities(void)
{
-#if HAVE_PRCTL && defined(PR_SET_KEEPCAPS) && HAVE_SYS_CAPABILITY_H
+#if HAVE_PRCTL && defined(PR_SET_KEEPCAPS) && USE_LIBCAP
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
/* Silent failure unless TPROXY is required. Maybe not started as root */
#if LINUX_TPROXY
@@ -1359,44 +1361,42 @@
static void
restoreCapabilities(int keep)
{
-#if defined(_SQUID_LINUX_) && HAVE_SYS_CAPABILITY_H
-#ifndef _LINUX_CAPABILITY_VERSION_1
-#define _LINUX_CAPABILITY_VERSION_1 _LINUX_CAPABILITY_VERSION
-#endif
- cap_user_header_t head = xcalloc(1, sizeof(*head));
- cap_user_data_t cap = xcalloc(1, sizeof(*cap));
-
- head->version = _LINUX_CAPABILITY_VERSION_1;
- if (capget(head, cap) != 0) {
- debug(50, 1) ("Can't get current capabilities\n");
- goto nocap;
- }
- if (head->version != _LINUX_CAPABILITY_VERSION_1) {
- debug(50, 1) ("Invalid capability version %d (expected %d)\n", head->version, _LINUX_CAPABILITY_VERSION);
- goto nocap;
- }
- head->pid = 0;
-
- cap->inheritable = 0;
- cap->effective = (1 << CAP_NET_BIND_SERVICE);
-#if LINUX_TPROXY
- if (need_linux_tproxy)
- cap->effective |= (1 << CAP_NET_ADMIN) | (1 << CAP_NET_BROADCAST);
-#endif
- if (!keep)
- cap->permitted &= cap->effective;
- if (capset(head, cap) != 0) {
- /* Silent failure unless TPROXY is required */
+#if USE_LIBCAP
+ cap_t caps;
+ if (keep)
+ caps = cap_get_proc();
+ else
+ caps = cap_init();
+ if (!caps) {
#if LINUX_TPROXY
if (need_linux_tproxy)
debug(50, 1) ("Error enabling needed capabilities. Will continue without tproxy support\n");
need_linux_tproxy = 0;
#endif
+ } else {
+ int ncaps = 0;
+ int rc = 0;
+ cap_value_t cap_list[10];
+ cap_list[ncaps++] = CAP_NET_BIND_SERVICE;
+#if LINUX_TPROXY
+ if (need_linux_tproxy) {
+ cap_list[ncaps++] = CAP_NET_ADMIN;
+ cap_list[ncaps++] = CAP_NET_BROADCAST;
+ }
+#endif
+ cap_clear_flag(caps, CAP_EFFECTIVE);
+ rc |= cap_set_flag(caps, CAP_EFFECTIVE, ncaps, cap_list, CAP_SET);
+ rc |= cap_set_flag(caps, CAP_PERMITTED, ncaps, cap_list, CAP_SET);
+ if (rc || cap_set_proc(caps) != 0) {
+ /* Silent failure unless TPROXY is required */
+#if LINUX_TPROXY
+ if (need_linux_tproxy)
+ debug(50, 1) ("Error enabling needed capabilities. Will continue without tproxy support\n");
+ need_linux_tproxy = 0;
+#endif
+ }
}
- nocap:
- xfree(head);
- xfree(cap);
-#else
+#else /* !USE_LIBCAP */
#if LINUX_TPROXY
if (need_linux_tproxy)
debug(50, 1) ("Missing needed capability support. Will continue without tproxy support\n");
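Review bot: With `keep` set, the new code starts from `cap_get_proc()` and clears only `CAP_EFFECTIVE`, so whatever is in the inheritable set survives, whereas the removed code set `cap->inheritable = 0` on every path; adding `cap_clear_flag(caps, CAP_INHERITABLE);` next to the existing clear would restore that. The `cap_t` obtained from `cap_get_proc()`/`cap_init()` is also never released in this branch, so a `cap_free(caps);` at the end of the `else` block is needed. The return value of `cap_clear_flag()` is not folded into `rc` the way the two `cap_set_flag()` calls are. restoreCapabilities continues past the end of this hunk.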
diff -ruN squid-2.7.STABLE7/src/typedefs.h squid-2.7.STABLE8/src/typedefs.h
--- squid-2.7.STABLE7/src/typedefs.h 2009-08-16 23:43:51.000000000 +0200
+++ squid-2.7.STABLE8/src/typedefs.h 2010-02-12 21:22:18.000000000 +0100
@@ -1,6 +1,6 @@
/*
- * $Id: typedefs.h,v 1.157.2.2 2009/08/16 21:43:51 hno Exp $
+ * $Id: typedefs.h,v 1.157.2.3 2010/02/12 20:22:18 hno Exp $
*
*
* SQUID Web Proxy Cache http://www.squid-cache.org/
@@ -41,18 +41,6 @@
typedef signed int sfileno;
typedef signed int sdirno;
-#if SIZEOF_INT64_T > SIZEOF_LONG && HAVE_STRTOLL
-typedef int64_t squid_off_t;
-#define SIZEOF_SQUID_OFF_T SIZEOF_INT64_T
-#define PRINTF_OFF_T PRId64
-#define strto_off_t (int64_t)strtoll
-#else
-typedef long squid_off_t;
-#define SIZEOF_SQUID_OFF_T SIZEOF_LONG
-#define PRINTF_OFF_T "ld"
-#define strto_off_t strtol
-#endif
-
#if LARGE_CACHE_FILES
typedef squid_off_t squid_file_sz;
#define SIZEOF_SQUID_FILE_SZ SIZEOF_SQUID_OFF_T
diff -ruN squid-2.7.STABLE7/src/wccp2.c squid-2.7.STABLE8/src/wccp2.c
--- squid-2.7.STABLE7/src/wccp2.c 2008-05-05 01:23:13.000000000 +0200
+++ squid-2.7.STABLE8/src/wccp2.c 2010-02-12 21:49:53.000000000 +0100
@@ -1,6 +1,6 @@
/*
- * $Id: wccp2.c,v 1.31.2.3 2008/05/04 23:23:13 hno Exp $
+ * $Id: wccp2.c,v 1.31.2.4 2010/02/12 20:49:53 hno Exp $
*
* DEBUG: section 80 WCCP Support
* AUTHOR: Steven WIlton
@@ -1137,6 +1137,7 @@
break;
default:
fatalf("Unknown Wccp2 assignment method\n");
+ return; /* Keep GCC happy, thinks cache_address may be used uninitialized otherwise */
}
/* Update the cache list */
diff -ruN squid-2.7.STABLE7/tools/squidclient.c squid-2.7.STABLE8/tools/squidclient.c
--- squid-2.7.STABLE7/tools/squidclient.c 2008-06-04 22:32:50.000000000 +0200
+++ squid-2.7.STABLE8/tools/squidclient.c 2010-02-12 21:22:20.000000000 +0100
@@ -1,6 +1,6 @@
/*
- * $Id: squidclient.c,v 1.9.2.1 2008/06/04 20:32:50 hno Exp $
+ * $Id: squidclient.c,v 1.9.2.2 2010/02/12 20:22:20 hno Exp $
*
* DEBUG: section 0 WWW Client
* AUTHOR: Harvest Derived
@@ -83,33 +83,12 @@
#endif
#include "util.h"
+#include "squid_types.h"
#ifndef BUFSIZ
#define BUFSIZ 8192
#endif
-#ifndef PRId64
-#ifdef _SQUID_MSWIN_ /* Windows native port using MSVCRT */
-#define PRId64 "I64d"
-#elif SIZEOF_INT64_T > SIZEOF_LONG
-#define PRId64 "lld"
-#else
-#define PRId64 "ld"
-#endif
-#endif
-
-#if SIZEOF_INT64_T > SIZEOF_LONG && HAVE_STRTOLL
-typedef int64_t squid_off_t;
-#define SIZEOF_SQUID_OFF_T SIZEOF_INT64_T
-#define PRINTF_OFF_T PRId64
-#define strto_off_t (int64_t)strtoll
-#else
-typedef long squid_off_t;
-#define SIZEOF_SQUID_OFF_T SIZEOF_LONG
-#define PRINTF_OFF_T "ld"
-#define strto_off_t strtol
-#endif
-
typedef void SIGHDLR(int sig);
/* Local functions */
@@ -351,7 +330,7 @@
strcat(msg, buf);
}
if (put_fd > 0) {
- snprintf(buf, BUFSIZ, "Content-length: %d\r\n", (int) sb.st_size);
+ snprintf(buf, BUFSIZ, "Content-length: %" PRINTF_OFF_T "\r\n", (squid_off_t) sb.st_size);
strcat(msg, buf);
}
if (opt_noaccept == 0) {
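Review bot: The cast `(squid_off_t) sb.st_size` can still narrow the size on some builds: the typedef block removed from this file earlier in the patch fell back to `typedef long squid_off_t` whenever `HAVE_STRTOLL` is not set, even if `long` is narrower than `int64_t`, and presumably squid_types.h keeps that fallback. On such a build a file over 2GB would still yield a Content-length that does not match the body. A range check before the `snprintf`, or at least a comment such as `/* squid_off_t may be long here; larger sizes are not representable */`, would make the limit explicit. The enclosing function starts and ends outside this hunk.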