squid 3.5.25: latest patches (14155-14167)

For details see:
http://www.squid-cache.org/Versions/v3/3.5/changesets/

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer
2017-06-01 18:32:02 +02:00
committed by Michael Tremer
parent d659de88cc
commit c63136978f
14 changed files with 927 additions and 0 deletions


@@ -70,6 +70,19 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14155.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14156.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14157.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14158.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14159.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14160.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14161.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14162.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14163.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14164.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14165.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14166.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14167.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.25-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi
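Review bot: squid-3.5-14161.patch and squid-3.5-14166.patch cancel each other out, since 14166 is recorded upstream as "Revert r14161" and removes exactly the tunnel.cc lines that 14161 added. Applying both keeps the series identical to upstream, which is a defensible choice, but a comment above the block such as `# 14166 reverts 14161; both are kept to mirror the upstream changeset series` would save the next maintainer from auditing a security-relevant proxy build for a change that nets to zero. The thirteen near-identical `patch -Np0` lines could also become one loop over the revision numbers, which makes a skipped or duplicated revision easier to spot.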


@@ -0,0 +1,46 @@
------------------------------------------------------------
revno: 14155
revision-id: squid3@treenet.co.nz-20170504061416-ks61dfut8wyml2qu
parent: squid3@treenet.co.nz-20170402121452-ox6d8ttzlmbov3xm
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4682
author: Christos Tsantilas <chtsanti@users.sourceforge.net>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Thu 2017-05-04 18:14:16 +1200
message:
Bug 4682: Fix ssl_bump "bump" action documentation
Fixes squid documentation to correctly describe the squid behavior when the
"bump" action is selected on step SslBump1. In this case squid selects
the client-first bumping mode.
This is a Measurement Factory project
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170504061416-ks61dfut8wyml2qu
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: f3b4861a085e069948da25398782237609037c5f
# timestamp: 2017-05-04 06:16:54 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170402121452-\
# ox6d8ttzlmbov3xm
#
# Begin patch
=== modified file 'src/cf.data.pre'
--- src/cf.data.pre 2017-03-31 23:38:31 +0000
+++ src/cf.data.pre 2017-05-04 06:14:16 +0000
@@ -2669,8 +2669,11 @@
This is the default action.
bump
- Establish a secure connection with the server and, using a
- mimicked server certificate, with the client.
+ When used on step SslBump1, establishes a secure connection
+ with the client first, then connect to the server.
+ When used on step SslBump2 or SslBump3, establishes a secure
+ connection with the server and, using a mimicked server
+ certificate, with the client.
peek
Receive client (step SslBump1) or server (step SslBump2)


@@ -0,0 +1,44 @@
------------------------------------------------------------
revno: 14156
revision-id: squid3@treenet.co.nz-20170508110920-73gma737u4x6ce87
parent: squid3@treenet.co.nz-20170504061416-ks61dfut8wyml2qu
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4695
author: Lubos Uhliarik <luhliari@redhat.com>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Mon 2017-05-08 23:09:20 +1200
message:
Bug 4695: squidpurge: GCC 7 build errors
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170508110920-73gma737u4x6ce87
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: a0f0c573b5be3d81cf0f8e65ae52bf27bd08dba5
# timestamp: 2017-05-08 11:51:08 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170504061416-\
# ks61dfut8wyml2qu
#
# Begin patch
=== modified file 'tools/purge/purge.cc'
--- tools/purge/purge.cc 2017-01-01 00:16:45 +0000
+++ tools/purge/purge.cc 2017-05-08 11:09:20 +0000
@@ -272,7 +272,7 @@
snprintf( md5, sizeof(md5), "%-32s", "(no_md5_data_available)" );
}
- char timeb[64];
+ char timeb[256];
if ( meta && (findings = meta->search( STORE_META_STD )) ) {
StoreMetaStd temp;
// make data aligned, avoid SIGBUS on RISC machines (ARGH!)
@@ -283,7 +283,7 @@
} else if ( meta && (findings = meta->search( STORE_META_STD_LFS )) ) {
StoreMetaStdLFS temp;
// make data aligned, avoid SIGBUS on RISC machines (ARGH!)
- memcpy( &temp, findings->data, sizeof(StoreMetaStd) );
+ memcpy( &temp, findings->data, sizeof(StoreMetaStdLFS) );
snprintf( timeb, sizeof(timeb), "%08lx %08lx %08lx %08lx %04x %5hu ",
(unsigned long)temp.timestamp, (unsigned long)temp.lastref,
(unsigned long)temp.expires, (unsigned long)temp.lastmod, temp.flags, temp.refcount );
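Review bot: The corrected `memcpy( &temp, findings->data, sizeof(StoreMetaStdLFS) )` now copies the full, larger struct, but nothing visible in this hunk confirms that the metadata entry read from the cache file actually holds that many bytes. If the entry carries its own length, compare it with `sizeof(StoreMetaStdLFS)` before copying and fall back to the "no data" formatting otherwise, so a truncated or corrupted swap file cannot cause a read past the end of `findings->data`. The same applies to the STORE_META_STD branch above. The enclosing function starts and ends outside this hunk, so such a check may already exist there.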


@@ -0,0 +1,34 @@
------------------------------------------------------------
revno: 14157
revision-id: squid3@treenet.co.nz-20170529042116-kp9naxxmdsqicpjv
parent: squid3@treenet.co.nz-20170508110920-73gma737u4x6ce87
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4589
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Mon 2017-05-29 16:21:16 +1200
message:
Bug 4589: ssl_crtd: returning zero on failure
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170529042116-kp9naxxmdsqicpjv
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: ad29dd184416dc47dee80234c541185cca166bb3
# timestamp: 2017-05-29 04:39:57 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170508110920-\
# 73gma737u4x6ce87
#
# Begin patch
=== modified file 'src/ssl/ssl_crtd.cc'
--- src/ssl/ssl_crtd.cc 2017-01-01 00:16:45 +0000
+++ src/ssl/ssl_crtd.cc 2017-05-29 04:21:16 +0000
@@ -350,7 +350,7 @@
}
} catch (std::runtime_error & error) {
std::cerr << argv[0] << ": " << error.what() << std::endl;
- return 0;
+ return -1;
}
return 0;
}
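Review bot: `return -1;` from main() reaches the parent process as exit status 255 on POSIX systems and is implementation-defined elsewhere; `return EXIT_FAILURE;` states the intent portably. Only std::runtime_error is caught in the visible lines, so any other exception type would still end the helper through std::terminate rather than through this path. main() begins outside the hunk, so other handlers may exist.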


@@ -0,0 +1,46 @@
------------------------------------------------------------
revno: 14158
revision-id: squid3@treenet.co.nz-20170529043611-1hyb93ivtu5wrdwg
parent: squid3@treenet.co.nz-20170529042116-kp9naxxmdsqicpjv
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3102
author: Martin von Gagern <martin.vgagern@gmx.net>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Mon 2017-05-29 16:36:11 +1200
message:
Bug 3102: FTP directory listing drops fist character of file names
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170529043611-1hyb93ivtu5wrdwg
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 60a5f01fc9c9967c55c651c31546cb1067325705
# timestamp: 2017-05-29 04:39:59 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170529042116-\
# kp9naxxmdsqicpjv
#
# Begin patch
=== modified file 'src/clients/FtpGateway.cc'
--- src/clients/FtpGateway.cc 2017-02-26 08:50:09 +0000
+++ src/clients/FtpGateway.cc 2017-05-29 04:36:11 +0000
@@ -626,10 +626,17 @@
while (strchr(w_space, *copyFrom))
++copyFrom;
} else {
- /* XXX assumes a single space between date and filename
+ /* Handle the following four formats:
+ * "MMM DD YYYY Name"
+ * "MMM DD YYYYName"
+ * "MMM DD YYYY Name"
+ * "MMM DD YYYY Name"
+ * Assuming a single space between date and filename
* suggested by: Nathan.Bailey@cc.monash.edu.au and
* Mike Battersby <mike@starbug.bofh.asn.au> */
- copyFrom += strlen(tbuf) + 1;
+ copyFrom += strlen(tbuf);
+ if (strchr(w_space, *copyFrom))
+ ++copyFrom;
}
p->name = xstrdup(copyFrom);
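Review bot: `strchr(w_space, *copyFrom)` also matches when `*copyFrom` is the terminating NUL, because strchr() treats the terminator as part of the searched string. When a listing line sent by the FTP server ends directly after the date, the new `++copyFrom` therefore steps past the end of the line and `xstrdup(copyFrom)` reads memory beyond it. Guard the test with `if (*copyFrom && strchr(w_space, *copyFrom))`. The `while (strchr(w_space, *copyFrom))` loop in the branch above has the same shape and deserves the same guard. The enclosing function lies outside the hunk, so whether an earlier check already excludes an empty name cannot be confirmed from here.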


@@ -0,0 +1,35 @@
------------------------------------------------------------
revno: 14159
revision-id: squid3@treenet.co.nz-20170529043741-9chwfs5onxuip52x
parent: squid3@treenet.co.nz-20170529043611-1hyb93ivtu5wrdwg
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3772
author: Rainer Tammer <rainer.tammer@schulergroup.com>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Mon 2017-05-29 16:37:41 +1200
message:
Bug 3772: message from FTP server gets mangled
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170529043741-9chwfs5onxuip52x
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 800db5dab62d996440fd6fccd35e9f1f34f2f0e1
# timestamp: 2017-05-29 04:40:02 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170529043611-\
# 1hyb93ivtu5wrdwg
#
# Begin patch
=== modified file 'src/clients/FtpGateway.cc'
--- src/clients/FtpGateway.cc 2017-05-29 04:36:11 +0000
+++ src/clients/FtpGateway.cc 2017-05-29 04:37:41 +0000
@@ -1541,7 +1541,7 @@
/* Reset cwd_message to only include the last message */
ftpState->cwd_message.reset("");
for (wordlist *w = ftpState->ctrl.message; w; w = w->next) {
- ftpState->cwd_message.append(' ');
+ ftpState->cwd_message.append('\n');
ftpState->cwd_message.append(w->key);
}
ftpState->ctrl.message = NULL;
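Review bot: The separator is appended before every entry, including the first, so `cwd_message` now always starts with a line break where it previously started with a space. If the message is rendered verbatim, that shows up as a leading blank line; append the separator only between entries, e.g. `if (w != ftpState->ctrl.message) ftpState->cwd_message.append('\n');`. The text in `w->key` comes from the FTP server, so it is worth confirming that whatever displays `cwd_message` escapes it before it reaches a generated page; that code is outside this hunk.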


@@ -0,0 +1,39 @@
------------------------------------------------------------
revno: 14160
revision-id: squid3@treenet.co.nz-20170529043852-zkf91gxhaqdj0rkn
parent: squid3@treenet.co.nz-20170529043741-9chwfs5onxuip52x
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Mon 2017-05-29 16:38:52 +1200
message:
Add OpenSSL library details to -v output
This is partially to meet the OpenSSL copyright requirement that binaries
mention when they are using the library, and partially for admin to see
which library their Squid is using when multiple are present in the system.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170529043852-zkf91gxhaqdj0rkn
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: c401fe3de5518102ac6a3a4dc7b121ac415c05d4
# timestamp: 2017-05-29 04:40:04 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170529043741-\
# 9chwfs5onxuip52x
#
# Begin patch
=== modified file 'src/main.cc'
--- src/main.cc 2017-02-26 08:52:45 +0000
+++ src/main.cc 2017-05-29 04:38:52 +0000
@@ -563,6 +563,10 @@
printf("Service Name: " SQUIDSBUFPH "\n", SQUIDSBUFPRINT(service_name));
if (strlen(SQUID_BUILD_INFO))
printf("%s\n",SQUID_BUILD_INFO);
+#if USE_OPENSSL
+ printf("\nThis binary uses %s. ", SSLeay_version(SSLEAY_VERSION));
+ printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n");
+#endif
printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS);
#if USE_WIN32_SERVICE
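Review bot: `SSLeay_version(SSLEAY_VERSION)` reports the library loaded at run time, which matches the stated goal, but the `-v` output still does not show which OpenSSL headers Squid was compiled against. Printing the compile-time `OPENSSL_VERSION_TEXT` next to it would let an administrator spot a header/library mismatch from `-v` alone, which helps when checking whether a host is still running against an outdated OpenSSL build.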


@@ -0,0 +1,52 @@
------------------------------------------------------------
revno: 14161
revision-id: squid3@treenet.co.nz-20170529053359-xtbuev2zwmdfj9mp
parent: squid3@treenet.co.nz-20170529043852-zkf91gxhaqdj0rkn
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4682
author: Christos Tsantilas <chtsanti@users.sourceforge.net>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Mon 2017-05-29 17:33:59 +1200
message:
Bug 4653: %st lies about tunneled traffic volumes
Squid-5 and squid-4 does not count the "HTTP/1.1 200 Connection Established"
header size for %<st formatting code.
This is a Measurement Factory project
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170529053359-xtbuev2zwmdfj9mp
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: c340785d0d5042ae0f783d606f0998d605290ac4
# timestamp: 2017-05-29 05:51:04 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170529043852-\
# zkf91gxhaqdj0rkn
#
# Begin patch
=== modified file 'src/tunnel.cc'
--- src/tunnel.cc 2017-01-01 00:16:45 +0000
+++ src/tunnel.cc 2017-05-29 05:33:59 +0000
@@ -836,7 +836,7 @@
* Call the tunnelStartShoveling to start the blind pump.
*/
static void
-tunnelConnectedWriteDone(const Comm::ConnectionPointer &conn, char *buf, size_t size, Comm::Flag flag, int xerrno, void *data)
+tunnelConnectedWriteDone(const Comm::ConnectionPointer &conn, char *, size_t len, Comm::Flag flag, int, void *data)
{
TunnelStateData *tunnelState = (TunnelStateData *)data;
debugs(26, 3, HERE << conn << ", flag=" << flag);
@@ -848,6 +848,11 @@
return;
}
+ if (ClientHttpRequest *http = tunnelState->http.get()) {
+ http->out.headers_sz += len;
+ http->out.size += len;
+ }
+
tunnelStartShoveling(tunnelState);
}


@@ -0,0 +1,133 @@
------------------------------------------------------------
revno: 14162
revision-id: squid3@treenet.co.nz-20170529055234-790hfbazjwy0fmk4
parent: squid3@treenet.co.nz-20170529053359-xtbuev2zwmdfj9mp
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4711
author: Christos Tsantilas <chtsanti@users.sourceforge.net>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Mon 2017-05-29 17:52:34 +1200
message:
Bug 4711: SubjectAlternativeNames is missing in some generated certificates
Squid may generate certificates which have a Common Name, but do not have
a subjectAltName extension. For example when squid generated certificates
do not mimic an origin certificate or when the certificate adaptation
algorithm sslproxy_cert_adapt/setCommonName is used.
This is causes problems to some browsers, which validates a certificate using
the SubjectAlternativeNames but ignore the CommonName field.
This patch fixes squid to always add a SubjectAlternativeNames extension in
generated certificates which do not mimic an origin certificate.
Squid still will not add a subjectAltName extension when mimicking an origin
server certificate, even if that origin server certificate does not include
the subjectAltName extension. Such origin server may have problems when
talking directly to browsers, and patched Squid is not trying to fix those
problems.
This is a Measurement Factory project
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170529055234-790hfbazjwy0fmk4
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: e3162152cf590c8126eb3d189ea1ab90ba9a5c37
# timestamp: 2017-05-29 05:54:13 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170529053359-\
# xtbuev2zwmdfj9mp
#
# Begin patch
=== modified file 'src/ssl/gadgets.cc'
--- src/ssl/gadgets.cc 2017-01-01 00:16:45 +0000
+++ src/ssl/gadgets.cc 2017-05-29 05:52:34 +0000
@@ -339,7 +339,40 @@
return added;
}
-static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificateProperties const &properties)
+/// Adds a new subjectAltName extension contining Subject CN or returns false
+/// expects the caller to check for the existing subjectAltName extension
+static bool
+addAltNameWithSubjectCn(Ssl::X509_Pointer &cert)
+{
+ X509_NAME *name = X509_get_subject_name(cert.get());
+ if (!name)
+ return false;
+
+ const int loc = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
+ if (loc < 0)
+ return false;
+
+ ASN1_STRING *cn_data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, loc));
+ if (!cn_data)
+ return false;
+
+ char dnsName[1024]; // DNS names are limited to 256 characters
+ const int res = snprintf(dnsName, sizeof(dnsName), "DNS:%*s", cn_data->length, cn_data->data);
+ if (res <= 0 || res >= static_cast<int>(sizeof(dnsName)))
+ return false;
+
+ X509_EXTENSION *ext = X509V3_EXT_conf_nid(NULL, NULL, NID_subject_alt_name, dnsName);
+ if (!ext)
+ return false;
+
+ const bool result = X509_add_ext(cert.get(), ext, -1);
+
+ X509_EXTENSION_free(ext);
+ return result;
+}
+
+static bool
+buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificateProperties const &properties)
{
// not an Ssl::X509_NAME_Pointer because X509_REQ_get_subject_name()
// returns a pointer to the existing subject name. Nothing to clean here.
@@ -387,6 +420,8 @@
} else if (!X509_gmtime_adj(X509_get_notAfter(cert.get()), 60*60*24*356*3))
return false;
+ int addedExtensions = 0;
+ bool useCommonNameAsAltName = true;
// mimic the alias and possibly subjectAltName
if (properties.mimicCert.get()) {
unsigned char *alStr;
@@ -396,26 +431,29 @@
X509_alias_set1(cert.get(), alStr, alLen);
}
- int addedExtensions = 0;
-
// Mimic subjectAltName unless we used a configured CN: browsers reject
// certificates with CN unrelated to subjectAltNames.
if (!properties.setCommonName) {
- int pos=X509_get_ext_by_NID (properties.mimicCert.get(), OBJ_sn2nid("subjectAltName"), -1);
+ int pos = X509_get_ext_by_NID(properties.mimicCert.get(), NID_subject_alt_name, -1);
X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos);
if (ext) {
if (X509_add_ext(cert.get(), ext, -1))
++addedExtensions;
}
+ // We want to mimic the server-sent subjectAltName, not enhance it.
+ useCommonNameAsAltName = false;
}
addedExtensions += mimicExtensions(cert, properties.mimicCert);
-
- // According to RFC 5280, using extensions requires v3 certificate.
- if (addedExtensions)
- X509_set_version(cert.get(), 2); // value 2 means v3
}
+ if (useCommonNameAsAltName && addAltNameWithSubjectCn(cert))
+ ++addedExtensions;
+
+ // According to RFC 5280, using extensions requires v3 certificate.
+ if (addedExtensions)
+ X509_set_version(cert.get(), 2); // value 2 means v3
+
return true;
}
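Review bot: In addAltNameWithSubjectCn() the format `"DNS:%*s"` passes `cn_data->length` as a minimum field width, not as a length limit, so snprintf() still reads `cn_data->data` up to the first NUL and pads short names with leading spaces. ASN1_STRING data is not guaranteed to be NUL-terminated, and the precision form `"DNS:%.*s"` bounds the read. Because the resulting text is parsed by X509V3_EXT_conf_nid() as a configuration value, a CN containing a comma or an embedded NUL would produce a subjectAltName that differs from the CN; rejecting such names, or building the GENERAL_NAME entry directly instead of going through the text parser, avoids that. Separately, the comment says DNS names are limited to 256 characters while the buffer is 1024 bytes, so one of the two should be adjusted or explained.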


@@ -0,0 +1,103 @@
------------------------------------------------------------
revno: 14163
revision-id: squid3@treenet.co.nz-20170529062945-gf7u7dukaumjof74
parent: squid3@treenet.co.nz-20170529055234-790hfbazjwy0fmk4
author: Ingo Schwarze, Francesco Chemolli <kinkie@squid-cache.org>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Mon 2017-05-29 18:29:45 +1200
message:
Docs: Improve formatting of several manual pages
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170529062945-gf7u7dukaumjof74
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: b417bbc7ffb2351fb670e7baa721b9d9b8315024
# timestamp: 2017-05-29 06:33:51 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170529055234-\
# 790hfbazjwy0fmk4
#
# Begin patch
=== modified file 'helpers/basic_auth/LDAP/basic_ldap_auth.8'
--- helpers/basic_auth/LDAP/basic_ldap_auth.8 2017-03-31 23:47:47 +0000
+++ helpers/basic_auth/LDAP/basic_ldap_auth.8 2017-05-29 06:29:45 +0000
@@ -5,9 +5,9 @@
.
.SH SYNOPSIS
.if !'po4a'hide' .B basic_ldap_auth
-.if !'po4a'hide' .B \-b\ \"
+.if !'po4a'hide' .B \-b\ \(dq
base DN
-.if !'po4a'hide' .B \"\ [\-u
+.if !'po4a'hide' .B \(dq\ [\-u
attribute
.if !'po4a'hide' .B ]\ [
options
@@ -20,11 +20,11 @@
.if !'po4a'hide' .B ]...
.br
.if !'po4a'hide' .B basic_ldap_auth
-.if !'po4a'hide' .B \-b\ \"
+.if !'po4a'hide' .B \-b\ \(dq
base DN
-.if !'po4a'hide' .B \"\ \-f\ \"
+.if !'po4a'hide' .B \(dq\ \-f\ \(dq
LDAP search filter
-.if !'po4a'hide' .B \"\ [
+.if !'po4a'hide' .B \(dq\ [
options
.if !'po4a'hide' .B ]\ [
LDAP server name
@@ -74,7 +74,7 @@
The search filter can contain up to 15 occurrences of
.B %s
which will be replaced by the username, as in
-.B "\"uid\=%s\""
+.B "\(dquid\=%s\(dq"
for RFC2037 directories. For a detailed description of LDAP search
filter syntax see RFC2254.
.br
=== modified file 'helpers/basic_auth/RADIUS/basic_radius_auth.8'
--- helpers/basic_auth/RADIUS/basic_radius_auth.8 2017-01-01 00:16:45 +0000
+++ helpers/basic_auth/RADIUS/basic_radius_auth.8 2017-05-29 06:29:45 +0000
@@ -9,9 +9,9 @@
config file
.br
.if !'po4a'hide' .B basic_radius_auth
-.if !'po4a'hide' .B "\-h \""
+.if !'po4a'hide' .B "\-h \(dq"
server name
-.if !'po4a'hide' .B "\" [\-p "
+.if !'po4a'hide' .B "\(dq [\-p "
port
.if !'po4a'hide' .B "] [\-i "
identifier
=== modified file 'helpers/external_acl/file_userip/ext_file_userip_acl.8'
--- helpers/external_acl/file_userip/ext_file_userip_acl.8 2017-01-01 00:16:45 +0000
+++ helpers/external_acl/file_userip/ext_file_userip_acl.8 2017-05-29 06:29:45 +0000
@@ -68,7 +68,7 @@
.B ALL
and
.B NONE
-, which mean \"any user on this IP address may authenticate\" or \"no user on this IP address may authenticate\".
+, which mean \(dqany user on this IP address may authenticate\(dq or \(dqno user on this IP address may authenticate\(dq.
.
.SH AUTHOR
This program was written by
=== modified file 'tools/squidclient/squidclient.1'
--- tools/squidclient/squidclient.1 2017-01-01 00:16:45 +0000
+++ tools/squidclient/squidclient.1 2017-05-29 06:29:45 +0000
@@ -86,7 +86,7 @@
.if !'po4a'hide' .TP
.if !'po4a'hide' .B "\-H 'string'"
Extra headers to send. Use
-.B '\\n'
+.B '\en'
for new lines.
.
.if !'po4a'hide' .TP


@@ -0,0 +1,103 @@
------------------------------------------------------------
revno: 14164
revision-id: squid3@treenet.co.nz-20170529063645-qmu68scq9go0wbqr
parent: squid3@treenet.co.nz-20170529062945-gf7u7dukaumjof74
author: Alex Rousskov <rousskov@measurement-factory.com>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Mon 2017-05-29 18:36:45 +1200
message:
Fix xstrndup() documentation, callers. Disclosed implementation bugs.
xstrndup() does not work like strndup(3), and some callers got confused:
1. When n is the str length or less, standard strndup(str,n) copies all
n bytes but our xstrndup(str,n) drops the last one. Thus, all callers
must add one to the desired result length when calling xstrndup().
Most already do, but it is often hard to see due to low code quality
(e.g., one must remember that MAX_URL is not the maximum URL length).
2. xstrndup() also assumes that the source string is 0-terminated. This
dangerous assumption does not contradict many official strndup(3)
descriptions, but that lack of contradiction is actually a recently
fixed POSIX documentation bug (i.e., correct implementations must not
assume 0-termination): http://austingroupbugs.net/view.php?id=1019
The OutOfBoundsException bug led to truncated exception messages.
The ESI bug led to truncated 'literal strings', but I do not know what
that means in terms of user impact. That ESI fix is untested.
cachemgr.cc bug was masked by the fact that the buffer ends with \n
that is unused and stripped by the custom xstrtok() implementation.
TODO. Fix xstrndup() implementation (and rename the function so that
fixed callers do not misbehave if carelessly ported to older Squids).
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170529063645-qmu68scq9go0wbqr
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 7321050a4405a155a8fe02f7125e446b9516dd51
# timestamp: 2017-05-29 06:51:18 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170529062945-\
# gf7u7dukaumjof74
#
# Begin patch
=== modified file 'compat/xstring.h'
--- compat/xstring.h 2017-01-01 00:16:45 +0000
+++ compat/xstring.h 2017-05-29 06:36:45 +0000
@@ -41,7 +41,10 @@
char *xstrncpy(char *dst, const char *src, size_t n);
/**
- * xstrndup() - same as strndup(3). Used for portability.
+ * xstrndup() - Somewhat similar(XXX) to strndup(3): Allocates up to n bytes,
+ * while strndup(3) copies up to n bytes and allocates up to n+1 bytes
+ * to fit the terminating character. Assumes s is 0-terminated (another XXX).
+ *
* Never returns NULL; fatal on error.
*
* Sets errno to EINVAL if a NULL pointer or negative
=== modified file 'src/SBufExceptions.cc'
--- src/SBufExceptions.cc 2017-01-01 00:16:45 +0000
+++ src/SBufExceptions.cc 2017-05-29 06:36:45 +0000
@@ -25,9 +25,7 @@
explanatoryText.appendf(" in file %s", aFileName);
explanatoryText.appendf(" while accessing position %d in a SBuf long %d",
pos, throwingBuf.length());
- // we can safely alias c_str as both are local to the object
- // and will not further manipulated.
- message = xstrndup(explanatoryText.c_str(),explanatoryText.length());
+ message = xstrdup(explanatoryText.c_str());
}
OutOfBoundsException::~OutOfBoundsException() throw()
=== modified file 'src/esi/Expression.cc'
--- src/esi/Expression.cc 2017-01-01 00:16:45 +0000
+++ src/esi/Expression.cc 2017-05-29 06:36:45 +0000
@@ -743,7 +743,7 @@
/* Special case for zero length strings */
if (t - s - 1)
- rv.value.string = xstrndup(s + 1, t - s - 1);
+ rv.value.string = xstrndup(s + 1, t - (s + 1) + 1);
else
rv.value.string = static_cast<char *>(xcalloc(1,1));
=== modified file 'tools/cachemgr.cc'
--- tools/cachemgr.cc 2017-01-01 00:16:45 +0000
+++ tools/cachemgr.cc 2017-05-29 06:36:45 +0000
@@ -440,7 +440,7 @@
return;
}
- buf_copy = x = xstrndup(buf, bufLen);
+ buf_copy = x = xstrndup(buf, bufLen+1);
a = xstrtok(&x, '\t');
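Review bot: The `+1` added at the xstrndup() call sites in src/esi/Expression.cc and tools/cachemgr.cc is explained only in the commit message and in the compat/xstring.h header, so at the call site it reads as an off-by-one to anyone who knows strndup(3). A comment at each call, for example `// xstrndup() counts the terminator in n, unlike strndup(3)`, would keep a later cleanup from changing it back. The updated header also records that xstrndup() assumes a 0-terminated source; whether `buf` in cachemgr.cc is terminated within `bufLen+1` bytes is not visible in this hunk and should be confirmed.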


@@ -0,0 +1,51 @@
------------------------------------------------------------
revno: 14165
revision-id: squid3@treenet.co.nz-20170529071037-o91o8xvaqata5y2b
parent: squid3@treenet.co.nz-20170529063645-qmu68scq9go0wbqr
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4682
author: Christos Tsantilas <chtsanti@users.sourceforge.net>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Mon 2017-05-29 19:10:37 +1200
message:
Bug 4682: ignoring http_access deny when client-first bumping mode is used
Squid fails to identify HTTP requests which are tunneled inside an already
established client-first bumped tunnel, and this is results in ignoring
http_access denied for these requests.
This is a Measurement Factory project
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170529071037-o91o8xvaqata5y2b
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: f77b81826612d7248fb774ef1ea00747cd04d479
# timestamp: 2017-05-29 07:51:03 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170529063645-\
# qmu68scq9go0wbqr
#
# Begin patch
=== modified file 'src/client_side_request.cc'
--- src/client_side_request.cc 2017-03-30 13:31:22 +0000
+++ src/client_side_request.cc 2017-05-29 07:10:37 +0000
@@ -1424,7 +1424,17 @@
if (bumpMode != Ssl::bumpEnd) {
debugs(85, 5, HERE << "SslBump already decided (" << bumpMode <<
"), " << "ignoring ssl_bump for " << http->getConn());
- if (!http->getConn()->serverBump())
+
+ // We need the following "if" for transparently bumped TLS connection,
+ // because in this case we are running ssl_bump access list before
+ // the doCallouts runs. It can be removed after the bug #4340 fixed.
+ // We do not want to proceed to bumping steps:
+ // - if the TLS connection with the client is already established
+ // because we are accepting normal HTTP requests on TLS port,
+ // or because of the client-first bumping mode
+ // - When the bumping is already started
+ if (!http->getConn()->switchedToHttps() &&
+ !http->getConn()->serverBump())
http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed and not already bumped
http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection
return false;
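Review bot: The new comment block is hard to map onto the two-part condition it guards, and its opening sentence describes history rather than the rule being enforced. According to the commit message, this check is what stops http_access deny from being ignored for requests inside an already bumped connection, so the rule is worth stating per predicate, e.g. `// switchedToHttps(): TLS with the client is already established (HTTPS port or client-first bump)` and `// serverBump(): bumping has already started`. The reference to bug #4340 can stay as a one-line removal note after that. The enclosing function starts and ends outside the hunk.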


@@ -0,0 +1,47 @@
------------------------------------------------------------
revno: 14166
revision-id: squid3@treenet.co.nz-20170529125748-qt7yhdloygl4xosg
parent: squid3@treenet.co.nz-20170529071037-o91o8xvaqata5y2b
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Tue 2017-05-30 00:57:48 +1200
message:
Revert r14161
Wrong patch and commit message.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170529125748-qt7yhdloygl4xosg
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: ddecde537486c58df04564f3818b8ad9929dd186
# timestamp: 2017-05-29 13:51:06 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170529071037-\
# o91o8xvaqata5y2b
#
# Begin patch
=== modified file 'src/tunnel.cc'
--- src/tunnel.cc 2017-05-29 05:33:59 +0000
+++ src/tunnel.cc 2017-05-29 12:57:48 +0000
@@ -836,7 +836,7 @@
* Call the tunnelStartShoveling to start the blind pump.
*/
static void
-tunnelConnectedWriteDone(const Comm::ConnectionPointer &conn, char *, size_t len, Comm::Flag flag, int, void *data)
+tunnelConnectedWriteDone(const Comm::ConnectionPointer &conn, char *buf, size_t size, Comm::Flag flag, int xerrno, void *data)
{
TunnelStateData *tunnelState = (TunnelStateData *)data;
debugs(26, 3, HERE << conn << ", flag=" << flag);
@@ -848,11 +848,6 @@
return;
}
- if (ClientHttpRequest *http = tunnelState->http.get()) {
- http->out.headers_sz += len;
- http->out.size += len;
- }
-
tunnelStartShoveling(tunnelState);
}


@@ -0,0 +1,181 @@
------------------------------------------------------------
revno: 14167
revision-id: squid3@treenet.co.nz-20170529131555-kut221f3geb3aczf
parent: squid3@treenet.co.nz-20170529125748-qt7yhdloygl4xosg
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4653
author: Christos Tsantilas <chtsanti@users.sourceforge.net>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Tue 2017-05-30 01:15:55 +1200
message:
Bug 4653: %st lies about tunneled traffic volumes
Squid-3.5 counts only the "CONNECT ..." header size for %>st and does not
count the "HTTP/1.1 200" response header for the %<st.
This is a Measurement Factory project
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170529131555-kut221f3geb3aczf
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: dd5783b425c7c7125303a1bd1a5685bc28011754
# timestamp: 2017-05-29 13:51:09 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170529125748-\
# qt7yhdloygl4xosg
#
# Begin patch
=== modified file 'src/client_side.cc'
--- src/client_side.cc 2017-03-31 00:51:52 +0000
+++ src/client_side.cc 2017-05-29 13:15:55 +0000
@@ -4391,7 +4391,7 @@
// in.buf still has the "CONNECT ..." request data, reset it to SSL hello message
connState->in.buf.append(rbuf.content(), rbuf.contentSize());
ClientHttpRequest *http = context->http;
- tunnelStart(http, &http->out.size, &http->al->http.code, http->al);
+ tunnelStart(http);
}
}
}
=== modified file 'src/client_side_reply.cc'
--- src/client_side_reply.cc 2017-01-01 00:16:45 +0000
+++ src/client_side_reply.cc 2017-05-29 13:15:55 +0000
@@ -1179,7 +1179,7 @@
if (curReply->content_length < 0)
return 0;
- int64_t expectedLength = curReply->content_length + http->out.headers_sz;
+ uint64_t expectedLength = curReply->content_length + http->out.headers_sz;
if (http->out.size < expectedLength)
return 0;
=== modified file 'src/client_side_request.cc'
--- src/client_side_request.cc 2017-05-29 07:10:37 +0000
+++ src/client_side_request.cc 2017-05-29 13:15:55 +0000
@@ -1522,7 +1522,7 @@
}
#endif
getConn()->stopReading(); // tunnels read for themselves
- tunnelStart(this, &out.size, &al->http.code, al);
+ tunnelStart(this);
return;
}
=== modified file 'src/client_side_request.h'
--- src/client_side_request.h 2017-01-23 02:05:46 +0000
+++ src/client_side_request.h 2017-05-29 13:15:55 +0000
@@ -73,7 +73,7 @@
struct {
int64_t offset;
- int64_t size;
+ uint64_t size;
size_t headers_sz;
} out;
@@ -182,7 +182,7 @@
void clientAccessCheck(ClientHttpRequest *);
/* ones that should be elsewhere */
-void tunnelStart(ClientHttpRequest *, int64_t *, int *, const AccessLogEntry::Pointer &al);
+void tunnelStart(ClientHttpRequest *);
#if _USE_INLINE_
#include "client_side_request.cci"
=== modified file 'src/tests/stub_tunnel.cc'
--- src/tests/stub_tunnel.cc 2017-01-01 00:16:45 +0000
+++ src/tests/stub_tunnel.cc 2017-05-29 13:15:55 +0000
@@ -14,7 +14,7 @@
#include "FwdState.h"
class ClientHttpRequest;
-void tunnelStart(ClientHttpRequest *, int64_t *, int *, const AccessLogEntryPointer &al) STUB
+void tunnelStart(ClientHttpRequest *) STUB
void switchToTunnel(HttpRequest *request, Comm::ConnectionPointer &clientConn, Comm::ConnectionPointer &srvConn) STUB
=== modified file 'src/tunnel.cc'
--- src/tunnel.cc 2017-05-29 12:57:48 +0000
+++ src/tunnel.cc 2017-05-29 13:15:55 +0000
@@ -139,7 +139,7 @@
int len;
char *buf;
AsyncCall::Pointer writer; ///< pending Comm::Write callback
- int64_t *size_ptr; /* pointer to size in an ConnStateData for logging */
+ uint64_t *size_ptr; /* pointer to size in an ConnStateData for logging */
Comm::ConnectionPointer conn; ///< The currently connected connection.
uint8_t delayedLoops; ///< how many times a read on this connection has been postponed.
@@ -848,6 +848,11 @@
return;
}
+ if (ClientHttpRequest *http = tunnelState->http.get()) {
+ http->out.headers_sz += size;
+ http->out.size += size;
+ }
+
tunnelStartShoveling(tunnelState);
}
@@ -995,7 +1000,7 @@
}
void
-tunnelStart(ClientHttpRequest * http, int64_t * size_ptr, int *status_ptr, const AccessLogEntryPointer &al)
+tunnelStart(ClientHttpRequest * http)
{
debugs(26, 3, HERE);
/* Create state structure. */
@@ -1021,7 +1026,7 @@
if (ch.fastCheck() == ACCESS_DENIED) {
debugs(26, 4, HERE << "MISS access forbidden.");
err = new ErrorState(ERR_FORWARDING_DENIED, Http::scForbidden, request);
- *status_ptr = Http::scForbidden;
+ http->al->http.code = Http::scForbidden;
errorSend(http->getConn()->clientConnection, err);
return;
}
@@ -1037,12 +1042,13 @@
#endif
tunnelState->url = xstrdup(url);
tunnelState->request = request;
- tunnelState->server.size_ptr = size_ptr;
- tunnelState->status_ptr = status_ptr;
+ tunnelState->server.size_ptr = &http->out.size;
+ tunnelState->client.size_ptr = &http->al->http.clientRequestSz.payloadData;
+ tunnelState->status_ptr = &http->al->http.code;
tunnelState->logTag_ptr = &http->logType;
tunnelState->client.conn = http->getConn()->clientConnection;
tunnelState->http = http;
- tunnelState->al = al;
+ tunnelState->al = http->al ;
tunnelState->started = squid_curtime;
comm_add_close_handler(tunnelState->client.conn->fd,
@@ -1053,7 +1059,7 @@
CommTimeoutCbPtrFun(tunnelTimeout, tunnelState));
commSetConnTimeout(tunnelState->client.conn, Config.Timeout.lifetime, timeoutCall);
- peerSelect(&(tunnelState->serverDestinations), request, al,
+ peerSelect(&(tunnelState->serverDestinations), request, tunnelState->al,
NULL,
tunnelPeerSelectComplete,
tunnelState);
@@ -1226,6 +1232,10 @@
if (context != NULL && context->http != NULL) {
tunnelState->logTag_ptr = &context->http->logType;
tunnelState->server.size_ptr = &context->http->out.size;
+ if (context->http->al != NULL) {
+ tunnelState->al = context->http->al;
+ tunnelState->client.size_ptr = &context->http->al->http.clientRequestSz.payloadData;
+ }
#if USE_DELAY_POOLS
/* no point using the delayIsNoDelay stuff since tunnel is nice and simple */
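Review bot: `out.size` becomes `uint64_t` while its neighbour `out.offset` in the same struct stays `int64_t`, so any expression outside this patch that subtracts or compares the two is now evaluated unsigned, and a negative intermediate wraps to a very large value. The `expectedLength` change in client_side_reply.cc covers one such comparison; other users of `out.size` are not visible here and should be checked, ideally by building with `-Wsign-compare`. In tunnelStart() the new code dereferences `http->al` unconditionally, whereas the last tunnel.cc hunk tests `context->http->al != NULL` before using it. If `al` can be unset on that path, `client.size_ptr` keeps whatever value it was constructed with, so the code that later writes through it needs a null check; that code is not part of this patch.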