diff -u -r -N squid-4.0.6/ChangeLog squid-4.0.7/ChangeLog
--- squid-4.0.6/ChangeLog 2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/ChangeLog 2016-02-24 06:47:50.000000000 +1300
@@ -1,3 +1,13 @@
+Changes to squid-4.0.7 (23 Feb 2016):
+
+ - Regression Fix: external_acl parameters separated by %20 instead of space
+ - Bug 4432: assertion failed: store.cc:1919: "isEmpty()"
+ - Bug 4111: leave_suid() does not properly handle error codes returned by setuid
+ - Fix propagation of response status line parsing error details
+ - Fix memory leak when the cache of sslcrtvalidator_program is disabled via ttl=0
+ - ... and some code SourceLayout project cleaning
+ - ... and all fixes from squid 3.5.15
+
Changes to squid-4.0.6 (16 Feb 2016):
- Regression Bug 4436: Fix DEFAULT_SSL_CRTD
@@ -110,6 +120,14 @@
- ... and many documentation changes
- ... and much code cleanup and polishing
+Changes to squid-3.5.15 (23 Feb 2016):
+
+ - Bug 3870: assertion failed: String.cc: 'len_ + len <65536' in ESI::CustomParser
+ - Fix multiple assertion on String overflows
+ - Fix unit test errors on MacOS
+ - Better handling of huge response headers. Fewer incorrect "Bug #3279" messages.
+ - Log noise reduction for eCAP
+
Changes to squid-3.5.14 (16 Feb 2016):
- Bug 4437: Fix Segfault on Certain SSL Handshake Errors
diff -u -r -N squid-4.0.6/configure squid-4.0.7/configure
--- squid-4.0.6/configure 2016-02-16 04:57:09.000000000 +1300
+++ squid-4.0.7/configure 2016-02-24 06:49:58.000000000 +1300
@@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac Revision.
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for Squid Web Proxy 4.0.6.
+# Generated by GNU Autoconf 2.69 for Squid Web Proxy 4.0.7.
#
# Report bugs to
The Squid Team are pleased to announce the release of Squid-4.0.6 for testing.
+The Squid Team are pleased to announce the release of Squid-4.0.7 for testing.
This new release is available for download from http://www.squid-cache.org/Versions/v4/ or the mirrors.
diff -u -r -N squid-4.0.6/include/version.h squid-4.0.7/include/version.h --- squid-4.0.6/include/version.h 2016-02-16 04:57:09.000000000 +1300 +++ squid-4.0.7/include/version.h 2016-02-24 06:49:58.000000000 +1300 @@ -7,7 +7,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1455551674 +#define SQUID_RELEASE_TIME 1456249662 #endif /* diff -u -r -N squid-4.0.6/RELEASENOTES.html squid-4.0.7/RELEASENOTES.html --- squid-4.0.6/RELEASENOTES.html 2016-02-16 05:55:04.000000000 +1300 +++ squid-4.0.7/RELEASENOTES.html 2016-02-24 07:38:32.000000000 +1300 @@ -2,10 +2,10 @@ -The Squid Team are pleased to announce the release of Squid-4.0.6 for testing.
+The Squid Team are pleased to announce the release of Squid-4.0.7 for testing.
This new release is available for download from http://www.squid-cache.org/Versions/v4/ or the mirrors.
diff -u -r -N squid-4.0.6/src/acl/external/delayer/ext_delayer_acl.8 squid-4.0.7/src/acl/external/delayer/ext_delayer_acl.8 --- squid-4.0.6/src/acl/external/delayer/ext_delayer_acl.8 2016-02-16 05:56:02.000000000 +1300 +++ squid-4.0.7/src/acl/external/delayer/ext_delayer_acl.8 2016-02-24 07:39:12.000000000 +1300 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_DELAYER_ACL 8" -.TH EXT_DELAYER_ACL 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation" +.TH EXT_DELAYER_ACL 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.0.6/src/acl/external/SQL_session/ext_sql_session_acl.8 squid-4.0.7/src/acl/external/SQL_session/ext_sql_session_acl.8 --- squid-4.0.6/src/acl/external/SQL_session/ext_sql_session_acl.8 2016-02-16 05:56:13.000000000 +1300 +++ squid-4.0.7/src/acl/external/SQL_session/ext_sql_session_acl.8 2016-02-24 07:39:20.000000000 +1300 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_SQL_SESSION_ACL 8" -.TH EXT_SQL_SESSION_ACL 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation" +.TH EXT_SQL_SESSION_ACL 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.0.6/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 squid-4.0.7/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 --- squid-4.0.6/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2016-02-16 05:56:17.000000000 +1300 +++ squid-4.0.7/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2016-02-24 07:39:24.000000000 +1300 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL 8" -.TH EXT_WBINFO_GROUP_ACL 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.0.6/src/adaptation/ecap/Host.cc squid-4.0.7/src/adaptation/ecap/Host.cc --- squid-4.0.6/src/adaptation/ecap/Host.cc 2016-02-16 04:54:46.000000000 +1300 +++ squid-4.0.7/src/adaptation/ecap/Host.cc 2016-02-24 06:47:50.000000000 +1300 @@ -137,7 +137,7 @@ return DBG_DATA; // is it a good idea to ignore other flags? if (lv.application()) - return DBG_IMPORTANT; // is it a good idea to ignore other flags? + return lv.normal() ? DBG_IMPORTANT : 2; return 2 + 2*lv.debugging() + 3*lv.operation() + 2*lv.xaction(); } diff -u -r -N squid-4.0.6/src/auth/basic/DB/basic_db_auth.8 squid-4.0.7/src/auth/basic/DB/basic_db_auth.8 --- squid-4.0.6/src/auth/basic/DB/basic_db_auth.8 2016-02-16 05:56:49.000000000 +1300 +++ squid-4.0.7/src/auth/basic/DB/basic_db_auth.8 2016-02-24 07:39:46.000000000 +1300 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 8" -.TH BASIC_DB_AUTH 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.0.6/src/auth/basic/POP3/basic_pop3_auth.8 squid-4.0.7/src/auth/basic/POP3/basic_pop3_auth.8 --- squid-4.0.6/src/auth/basic/POP3/basic_pop3_auth.8 2016-02-16 05:56:59.000000000 +1300 +++ squid-4.0.7/src/auth/basic/POP3/basic_pop3_auth.8 2016-02-24 07:39:53.000000000 +1300 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_POP3_AUTH 8" -.TH BASIC_POP3_AUTH 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation" +.TH BASIC_POP3_AUTH 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.0.6/src/cf.data.pre squid-4.0.7/src/cf.data.pre --- squid-4.0.6/src/cf.data.pre 2016-02-16 04:54:46.000000000 +1300 +++ squid-4.0.7/src/cf.data.pre 2016-02-24 06:47:50.000000000 +1300 @@ -712,7 +712,7 @@ This option defines external acl classes using a helper program to look up the status - external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] + external_acl_type name [options] FORMAT /path/to/helper [helper arguments] Options: @@ -774,13 +774,18 @@ %ACL The name of the ACL being tested. - %DATA The ACL arguments. If a logformat encoding modifier - is used it will encode the whole set of arguments - as a single token. - - If not used; then any arguments are automatically - added at the end of the line sent to the helper - as separately URL-encoded fields. + %DATA The ACL arguments separated by spaces (an + "argument string"). + + By default, Squid applies URL-encoding to each ACL + argument inside the argument string. If an explicit + encoding modifier is used (e.g., %#DATA), then Squid + encodes the whole argument string as a single token + (e.g., with %#DATA, spaces between arguments become + %20). + + If you do not specify a DATA macro inside FORMAT, + Squid automatically appends %DATA to your FORMAT. If SSL is enabled, the following formating codes become available: diff -u -r -N squid-4.0.6/src/clients/Client.cc squid-4.0.7/src/clients/Client.cc --- squid-4.0.6/src/clients/Client.cc 2016-02-16 04:54:46.000000000 +1300 +++ squid-4.0.7/src/clients/Client.cc 2016-02-24 06:47:50.000000000 +1300 @@ -49,6 +49,7 @@ startedAdaptation(false), #endif receivedWholeRequestBody(false), + doneWithFwd(nullptr), theVirginReply(NULL), theFinalReply(NULL) { @@ -74,8 +75,6 @@ HTTPMSGUNLOCK(theVirginReply); HTTPMSGUNLOCK(theFinalReply); - fwd = NULL; // refcounted - if (responseBodyBuffer != NULL) { delete responseBodyBuffer; responseBodyBuffer = NULL; @@ -93,6 +92,14 @@ cleanAdaptation(); #endif + if (!doneWithServer()) + closeServer(); + + if (!doneWithFwd) { + doneWithFwd = "swanSong()"; + fwd->handleUnregisteredServerEnd(); + } + BodyConsumer::swanSong(); #if USE_ADAPTATION Initiator::swanSong(); @@ -218,6 +225,7 @@ { debugs(11,5, HERE << "completing forwarding for " << fwd); assert(fwd != NULL); + doneWithFwd = "completeForwarding()"; fwd->complete(); } diff -u -r -N squid-4.0.6/src/clients/Client.h squid-4.0.7/src/clients/Client.h --- squid-4.0.6/src/clients/Client.h 2016-02-16 04:54:46.000000000 +1300 +++ squid-4.0.7/src/clients/Client.h 2016-02-24 06:47:50.000000000 +1300 @@ -179,6 +179,10 @@ #endif bool receivedWholeRequestBody; ///< handleRequestBodyProductionEnded called + /// whether we should not be talking to FwdState; XXX: clear fwd instead + /// points to a string literal which is used only for debugging + const char *doneWithFwd; + private: void sendBodyIsTooLargeError(); void maybePurgeOthers(); diff -u -r -N squid-4.0.6/src/clients/FtpClient.cc squid-4.0.7/src/clients/FtpClient.cc --- squid-4.0.6/src/clients/FtpClient.cc 2016-02-16 04:54:46.000000000 +1300 +++ squid-4.0.7/src/clients/FtpClient.cc 2016-02-24 06:47:50.000000000 +1300 @@ -841,6 +841,7 @@ { debugs(9, 4, status()); ctrl.clear(); + doneWithFwd = "ctrlClosed()"; // assume FwdState is monitoring too mustStop("Ftp::Client::ctrlClosed"); } @@ -993,24 +994,12 @@ scheduleReadControlReply(1); } -/** - * Quickly abort the transaction - * - \todo destruction should be sufficient as the destructor should cleanup, - * including canceling close handlers - */ void Ftp::Client::abortAll(const char *reason) { debugs(9, 3, "aborting transaction for " << reason << "; FD " << (ctrl.conn!=NULL?ctrl.conn->fd:-1) << ", Data FD " << (data.conn!=NULL?data.conn->fd:-1) << ", this " << this); - if (Comm::IsConnOpen(ctrl.conn)) { - ctrl.conn->close(); - return; - } - - fwd->handleUnregisteredServerEnd(); - mustStop("Ftp::Client::abortTransaction"); + mustStop(reason); } /** diff -u -r -N squid-4.0.6/src/esi/CustomParser.cc squid-4.0.7/src/esi/CustomParser.cc --- squid-4.0.6/src/esi/CustomParser.cc 2016-02-16 04:54:46.000000000 +1300 +++ squid-4.0.7/src/esi/CustomParser.cc 2016-02-24 06:47:50.000000000 +1300 @@ -89,9 +89,11 @@ } size_t openESITags (0); - //erring on the safe side. Probably rawBuf would be ok too - char const *currentPos = content.termedBuf(); - size_t remainingCount = content.size(); + // TODO: convert to Tokenizer parse + // erring on the safe side for now. Probably rawContent would be ok too + // note that operations below do *X='\0' ... altering the 'const' buffer content. + char const *currentPos = content.c_str(); + SBuf::size_type remainingCount = content.length(); char const *tag = NULL; while ((tag = findTag(currentPos, remainingCount))) { diff -u -r -N squid-4.0.6/src/esi/CustomParser.h squid-4.0.7/src/esi/CustomParser.h --- squid-4.0.6/src/esi/CustomParser.h 2016-02-16 04:54:46.000000000 +1300 +++ squid-4.0.7/src/esi/CustomParser.h 2016-02-24 06:47:50.000000000 +1300 @@ -14,7 +14,7 @@ /* inherits from */ #include "esi/Parser.h" -/* for String variables */ +#include "SBuf.h" #include "SquidString.h" /** @@ -46,7 +46,7 @@ ESIParserClient *theClient; String error; /* cheap n dirty - buffer it all */ - String content; + SBuf content; /* TODO: make a class of this type code */ ESITAG_t lastTag; }; diff -u -r -N squid-4.0.6/src/external_acl.cc squid-4.0.7/src/external_acl.cc --- squid-4.0.6/src/external_acl.cc 2016-02-16 04:54:46.000000000 +1300 +++ squid-4.0.7/src/external_acl.cc 2016-02-24 06:47:50.000000000 +1300 @@ -326,7 +326,7 @@ if (!data_used) { *fmt = new Format::Token; (*fmt)->type = Format::LFT_EXT_ACL_DATA; - (*fmt)->quote = Format::LOG_QUOTE_URL; + (*fmt)->quote = Format::LOG_QUOTE_NONE; } /* helper */ diff -u -r -N squid-4.0.6/src/http/one/ResponseParser.cc squid-4.0.7/src/http/one/ResponseParser.cc --- squid-4.0.6/src/http/one/ResponseParser.cc 2016-02-16 04:54:46.000000000 +1300 +++ squid-4.0.7/src/http/one/ResponseParser.cc 2016-02-24 06:47:50.000000000 +1300 @@ -231,7 +231,7 @@ // syntax errors already if (retcode < 0) { parsingStage_ = HTTP_PARSE_DONE; - statusCode_ = Http::scInvalidHeader; + parseStatusCode = Http::scInvalidHeader; return false; } } diff -u -r -N squid-4.0.6/src/http/url_rewriters/LFS/url_lfs_rewrite.8 squid-4.0.7/src/http/url_rewriters/LFS/url_lfs_rewrite.8 --- squid-4.0.6/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2016-02-16 05:57:30.000000000 +1300 +++ squid-4.0.7/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2016-02-24 07:40:16.000000000 +1300 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "URL_LFS_REWRITE 8" -.TH URL_LFS_REWRITE 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation" +.TH URL_LFS_REWRITE 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.0.6/src/http.cc squid-4.0.7/src/http.cc --- squid-4.0.6/src/http.cc 2016-02-16 04:54:46.000000000 +1300 +++ squid-4.0.7/src/http.cc 2016-02-24 06:47:50.000000000 +1300 @@ -153,6 +153,7 @@ HttpStateData::httpStateConnClosed(const CommCloseCbParams ¶ms) { debugs(11, 5, "httpStateFree: FD " << params.fd << ", httpState=" << params.data); + doneWithFwd = "httpStateConnClosed()"; // assume FwdState is monitoring too mustStop("HttpStateData::httpStateConnClosed"); } @@ -726,13 +727,12 @@ if (!parsedOk) { // unrecoverable parsing error + // TODO: Use Raw! XXX: inBuf no longer has the [beginning of the] malformed header. debugs(11, 3, "Non-HTTP-compliant header:\n---------\n" << inBuf << "\n----------"); flags.headers_parsed = true; HttpReply *newrep = new HttpReply; - newrep->sline.set(Http::ProtocolVersion(), hp->messageStatus()); - HttpReply *vrep = setVirginReply(newrep); - entry->replaceHttpReply(vrep); - // XXX: close the server connection ? + newrep->sline.set(Http::ProtocolVersion(), hp->parseStatusCode); + setVirginReply(newrep); ctx_exit(ctx); return; } @@ -1826,7 +1826,8 @@ String strFwd = hdr_in->getList(Http::HdrType::X_FORWARDED_FOR); - if (strFwd.size() > 65536/2) { + // if we cannot double strFwd size, then it grew past 50% of the limit + if (!strFwd.canGrowBy(strFwd.size())) { // There is probably a forwarding loop with Via detection disabled. // If we do nothing, String will assert on overflow soon. // TODO: Terminate all transactions with huge XFF? @@ -2463,21 +2464,11 @@ Client::sentRequestBody(io); } -// Quickly abort the transaction -// TODO: destruction should be sufficient as the destructor should cleanup, -// including canceling close handlers void HttpStateData::abortAll(const char *reason) { debugs(11,5, HERE << "aborting transaction for " << reason << "; " << serverConnection << ", this " << this); - - if (Comm::IsConnOpen(serverConnection)) { - serverConnection->close(); - return; - } - - fwd->handleUnregisteredServerEnd(); - mustStop("HttpStateData::abortAll"); + mustStop(reason); } diff -u -r -N squid-4.0.6/src/log/DB/log_db_daemon.8 squid-4.0.7/src/log/DB/log_db_daemon.8 --- squid-4.0.6/src/log/DB/log_db_daemon.8 2016-02-16 05:57:40.000000000 +1300 +++ squid-4.0.7/src/log/DB/log_db_daemon.8 2016-02-24 07:40:23.000000000 +1300 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "LOG_DB_DAEMON 8" -.TH LOG_DB_DAEMON 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation" +.TH LOG_DB_DAEMON 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.0.6/src/main.cc squid-4.0.7/src/main.cc --- squid-4.0.6/src/main.cc 2016-02-16 04:54:46.000000000 +1300 +++ squid-4.0.7/src/main.cc 2016-02-24 06:47:50.000000000 +1300 @@ -1152,9 +1152,6 @@ #endif #if USE_OPENSSL - if (!configured_once) - Ssl::initialize_session_cache(); - if (Ssl::CertValidationHelper::GetInstance()) Ssl::CertValidationHelper::GetInstance()->Init(); #endif diff -u -r -N squid-4.0.6/src/security/cert_validators/fake/security_fake_certverify.8 squid-4.0.7/src/security/cert_validators/fake/security_fake_certverify.8 --- squid-4.0.6/src/security/cert_validators/fake/security_fake_certverify.8 2016-02-16 05:57:59.000000000 +1300 +++ squid-4.0.7/src/security/cert_validators/fake/security_fake_certverify.8 2016-02-24 07:40:35.000000000 +1300 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "SECURITY_FAKE_CERTVERIFY 8" -.TH SECURITY_FAKE_CERTVERIFY 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation" +.TH SECURITY_FAKE_CERTVERIFY 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.0.6/src/security/Makefile.am squid-4.0.7/src/security/Makefile.am --- squid-4.0.6/src/security/Makefile.am 2016-02-16 04:54:46.000000000 +1300 +++ squid-4.0.7/src/security/Makefile.am 2016-02-24 06:47:50.000000000 +1300 @@ -25,4 +25,5 @@ PeerOptions.h \ ServerOptions.cc \ ServerOptions.h \ + Session.cc \ Session.h diff -u -r -N squid-4.0.6/src/security/Makefile.in squid-4.0.7/src/security/Makefile.in --- squid-4.0.6/src/security/Makefile.in 2016-02-16 04:56:50.000000000 +1300 +++ squid-4.0.7/src/security/Makefile.in 2016-02-24 06:49:42.000000000 +1300 @@ -164,7 +164,7 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) libsecurity_la_LIBADD = am_libsecurity_la_OBJECTS = EncryptorAnswer.lo NegotiationHistory.lo \ - PeerOptions.lo ServerOptions.lo + PeerOptions.lo ServerOptions.lo Session.lo libsecurity_la_OBJECTS = $(am_libsecurity_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -754,6 +754,7 @@ PeerOptions.h \ ServerOptions.cc \ ServerOptions.h \ + Session.cc \ Session.h all: all-recursive @@ -824,6 +825,7 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/NegotiationHistory.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/PeerOptions.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ServerOptions.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/Session.Plo@am__quote@ .cc.o: @am__fastdepCXX_TRUE@ $(AM_V_CXX)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ diff -u -r -N squid-4.0.6/src/security/Session.cc squid-4.0.7/src/security/Session.cc --- squid-4.0.6/src/security/Session.cc 1970-01-01 12:00:00.000000000 +1200 +++ squid-4.0.7/src/security/Session.cc 2016-02-24 06:47:50.000000000 +1300 @@ -0,0 +1,105 @@ +/* + * Copyright (C) 1996-2016 The Squid Software Foundation and contributors + * + * Squid software is distributed under GPLv2+ license and includes + * contributions from numerous individuals and organizations. + * Please see the COPYING and CONTRIBUTORS files for details. + */ + +#include "squid.h" +#include "anyp/PortCfg.h" +#include "base/RunnersRegistry.h" +#include "ipc/MemMap.h" +#include "security/Session.h" +#include "SquidConfig.h" + +#define SSL_SESSION_ID_SIZE 32 +#define SSL_SESSION_MAX_SIZE 10*1024 + +static bool +isTlsServer() +{ + for (AnyP::PortCfgPointer s = HttpPortList; s != nullptr; s = s->next) { + if (s->secure.encryptTransport) + return true; + if (s->flags.tunnelSslBumping) + return true; + } + + return false; +} + +void +initializeSessionCache() +{ +#if USE_OPENSSL + // Check if the MemMap keys and data are enough big to hold + // session ids and session data + assert(SSL_SESSION_ID_SIZE >= MEMMAP_SLOT_KEY_SIZE); + assert(SSL_SESSION_MAX_SIZE >= MEMMAP_SLOT_DATA_SIZE); + + int configuredItems = ::Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot); + if (IamWorkerProcess() && configuredItems) + Ssl::SessionCache = new Ipc::MemMap(Ssl::SessionCacheName); + else { + Ssl::SessionCache = nullptr; + return; + } + + for (AnyP::PortCfgPointer s = HttpPortList; s != nullptr; s = s->next) { + if (s->secure.staticContext.get()) + Ssl::SetSessionCallbacks(s->secure.staticContext.get()); + } +#endif +} + +/// initializes shared memory segments used by MemStore +class SharedSessionCacheRr: public Ipc::Mem::RegisteredRunner +{ +public: + /* RegisteredRunner API */ + SharedSessionCacheRr(): owner(nullptr) {} + virtual void useConfig(); + virtual ~SharedSessionCacheRr(); + +protected: + virtual void create(); + +private: + Ipc::MemMap::Owner *owner; +}; + +RunnerRegistrationEntry(SharedSessionCacheRr); + +void +SharedSessionCacheRr::useConfig() +{ +#if USE_OPENSSL // while Ssl:: bits in use + if (Ssl::SessionCache || !isTlsServer()) //no need to configure ssl session cache. + return; + + Ipc::Mem::RegisteredRunner::useConfig(); + initializeSessionCache(); +#endif +} + +void +SharedSessionCacheRr::create() +{ + if (!isTlsServer()) //no need to configure ssl session cache. + return; + +#if USE_OPENSSL // while Ssl:: bits in use + if (int items = Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot)) + owner = Ipc::MemMap::Init(Ssl::SessionCacheName, items); +#endif +} + +SharedSessionCacheRr::~SharedSessionCacheRr() +{ + // XXX: Enable after testing to reduce at-exit memory "leaks". + // delete Ssl::SessionCache; + + delete owner; +} + diff -u -r -N squid-4.0.6/src/SquidString.h squid-4.0.7/src/SquidString.h --- squid-4.0.6/src/SquidString.h 2016-02-16 04:54:46.000000000 +1300 +++ squid-4.0.7/src/SquidString.h 2016-02-24 06:47:50.000000000 +1300 @@ -80,6 +80,13 @@ _SQUID_INLINE_ int caseCmp(char const *, size_type count) const; _SQUID_INLINE_ int caseCmp(String const &) const; + /// Whether creating a totalLen-character string is safe (i.e., unlikely to assert). + /// Optional extras can be used for overflow-safe length addition. + /// Implementation has to add 1 because many String allocation methods do. + static bool CanGrowTo(size_type totalLen, const size_type extras = 0) { return SafeAdd(totalLen, extras) && SafeAdd(totalLen, 1); } + /// whether appending growthLen characters is safe (i.e., unlikely to assert) + bool canGrowBy(const size_type growthLen) const { return CanGrowTo(size(), growthLen); } + String substr(size_type from, size_type to) const; _SQUID_INLINE_ void cut(size_type newLength); @@ -95,10 +102,14 @@ _SQUID_INLINE_ bool nilCmp(bool, bool, int &) const; /* never reference these directly! */ - size_type size_; /* buffer size; 64K limit */ + size_type size_; /* buffer size; limited by SizeMax_ */ size_type len_; /* current length */ + static const size_type SizeMax_ = 65535; ///< 64K limit protects some fixed-size buffers + /// returns true after increasing the first argument by extra if the sum does not exceed SizeMax_ + static bool SafeAdd(size_type &base, size_type extra) { if (extra <= SizeMax_ && base <= SizeMax_ - extra) { base += extra; return true; } return false; } + char *buf_; _SQUID_INLINE_ void set(char const *loc, char const ch); diff -u -r -N squid-4.0.6/src/ssl/helper.cc squid-4.0.7/src/ssl/helper.cc --- squid-4.0.6/src/ssl/helper.cc 2016-02-16 04:54:46.000000000 +1300 +++ squid-4.0.7/src/ssl/helper.cc 2016-02-24 06:47:50.000000000 +1300 @@ -231,7 +231,8 @@ if (Ssl::CertValidationHelper::HelperCache && (validationResponse->resultCode == ::Helper::Okay || validationResponse->resultCode == ::Helper::Error)) { Ssl::CertValidationResponse::Pointer *item = new Ssl::CertValidationResponse::Pointer(validationResponse); - Ssl::CertValidationHelper::HelperCache->add(crtdvdData->query.c_str(), item); + if (!Ssl::CertValidationHelper::HelperCache->add(crtdvdData->query.c_str(), item)) + delete item; } SSL_free(crtdvdData->ssl); diff -u -r -N squid-4.0.6/src/ssl/support.cc squid-4.0.7/src/ssl/support.cc --- squid-4.0.6/src/ssl/support.cc 2016-02-16 04:54:46.000000000 +1300 +++ squid-4.0.7/src/ssl/support.cc 2016-02-24 06:47:50.000000000 +1300 @@ -33,9 +33,8 @@ #include