List: squid-dev
Subject: Introduction and a patch
From: Greg Sheard <greg () ecsc ! co ! uk>
Date: 2002-09-30 8:01:45
Message-ID: 1033372905.21470.17.camel () morai-heg ! dark ! lan
Hi,
I work for a security company in Yorkshire, England, and many of the
solutions we provide use Squid for proxying and caching. We've
previously used squidGuard as a redirector, but are now moving away and
relying on Squid's built-in features. One of the biggest problems with
squidGuard is the lack of support for filtering UTF-8 and other
encodings, apart from the generic US-ASCII. I noticed that Squid also
lacks this, so I wrote the code.
Key parts of Squid that are of interest to me are:
* ACLs - especially the regex ones
* Security features
* Cache peering
* Authentication
Attached is a patch to give UTF-8 blocking support. It's come through
testing here, and I'd welcome any feedback. In summary, it adds the new
directive uri_utf (like uri_whitespace) with the possible states DENY
and ALLOW.
Cheers,
Greg Sheard
Technical Director
ECSC Ltd.
www.ecsc.co.uk
#include <legal_disclaimer.h>
"You have enemies? Good. That means you've
stood up for something, sometime in your life."
-- Sir Winston Churchill
["squid-2.5-utf.patch" (squid-2.5-utf.patch)]
diff -urN squid-2.5.STABLE1/src/cache_cf.c squid-patched/src/cache_cf.c
--- squid-2.5.STABLE1/src/cache_cf.c Sat Sep 7 16:13:59 2002
+++ squid-patched/src/cache_cf.c Mon Sep 30 09:06:17 2002
@@ -2150,6 +2150,33 @@
storeAppendPrintf(entry, "%s %s\n", name, s);
}
+#define free_uri_utf free_int
+
+static void
+parse_uri_utf(int *var)
+{
+ char *token = strtok(NULL, w_space);
+ if (token == NULL)
+ self_destruct();
+ if (!strcasecmp(token, "deny"))
+ *var = URI_UTF_DENY;
+ else if (!strcasecmp(token, "allow"))
+ *var = URI_UTF_ALLOW;
+ else
+ self_destruct();
+}
+
+static void
+dump_uri_utf(StoreEntry * entry, const char *name, int var)
+{
+ char *s;
+ if (var == URI_UTF_ALLOW)
+ s = "allow";
+ else
+ s = "deny";
+ storeAppendPrintf(entry, "%s %s\n", name, s);
+}
+
static void
free_removalpolicy(RemovalPolicySettings ** settings)
{
diff -urN squid-2.5.STABLE1/src/cf.data.pre squid-patched/src/cf.data.pre
--- squid-2.5.STABLE1/src/cf.data.pre Wed Sep 4 14:35:01 2002
+++ squid-patched/src/cf.data.pre Mon Sep 30 09:06:17 2002
@@ -3459,6 +3459,22 @@
violation.
DOC_END
+NAME: uri_utf
+TYPE: uri_utf
+LOC: Config.uri_utf
+DEFAULT: deny
+DOC_START
+ What to do with requests that have UTF8 or other non-ASCII
+ encoded characters in the URI. Options:
+
+ deny: The request is denied. The user receives an "Invalid
+ Request" message.
+ allow: The request is allowed and the URI is not changed. The
+ encoded characters remain in the URI. Note the
+ encoding is passed to redirector processes if they are
+ in use.
+DOC_END
+
NAME: broken_posts
TYPE: acl_access
DEFAULT: none
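Review bot: The DOC text overstates what the directive checks: the matching function added in tools.c fires on any `%` that is not followed by a digit 0–7, so it rejects percent-escapes `%80`–`%FF` (which includes UTF-8 multibyte sequences, but equally Latin-1 or any other 8-bit encoding) and also malformed escapes such as `%%` or `%zz`, while raw, unencoded 8-bit bytes in the URI are not inspected at all. Suggest describing it as `Reject requests whose URL path contains a percent-escape for a byte above 0x7F (e.g. UTF-8 sequences) or a malformed %-escape.` so administrators know what is and is not blocked. `DEFAULT: deny` also changes behaviour for every existing installation on upgrade — any URL with such an escape will start failing with an invalid-request error — so either default to `allow` or call the new default out in the release notes. The claim that the user sees an "Invalid Request" message is inferred from urlParse returning NULL and should be confirmed against the caller.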
diff -urN squid-2.5.STABLE1/src/defines.h squid-patched/src/defines.h
--- squid-2.5.STABLE1/src/defines.h Thu Aug 8 21:17:39 2002
+++ squid-patched/src/defines.h Mon Sep 30 09:06:17 2002
@@ -279,6 +279,9 @@
#define URI_WHITESPACE_CHOP 3
#define URI_WHITESPACE_DENY 4
+#define URI_UTF_ALLOW 0
+#define URI_UTF_DENY 1
+
#ifndef _PATH_DEVNULL
#define _PATH_DEVNULL "/dev/null"
#endif
diff -urN squid-2.5.STABLE1/src/protos.h squid-patched/src/protos.h
--- squid-2.5.STABLE1/src/protos.h Sat Sep 7 16:13:05 2002
+++ squid-patched/src/protos.h Mon Sep 30 09:06:17 2002
@@ -1162,6 +1162,7 @@
extern const char *gb_to_str(const gb_t *);
extern void gb_flush(gb_t *); /* internal, do not use this */
extern int stringHasWhitespace(const char *);
+extern int stringHasUTF(const char *);
extern int stringHasCntl(const char *);
extern void linklistPush(link_list **, void *);
extern void *linklistShift(link_list **);
diff -urN squid-2.5.STABLE1/src/structs.h squid-patched/src/structs.h
--- squid-2.5.STABLE1/src/structs.h Sun Sep 8 00:11:23 2002
+++ squid-patched/src/structs.h Mon Sep 30 09:06:17 2002
@@ -650,6 +650,7 @@
} comm_incoming;
int max_open_disk_fds;
int uri_whitespace;
+ int uri_utf;
size_t rangeOffsetLimit;
#if MULTICAST_MISS_STREAM
struct {
diff -urN squid-2.5.STABLE1/src/tools.c squid-patched/src/tools.c
--- squid-2.5.STABLE1/src/tools.c Sat Sep 7 16:13:05 2002
+++ squid-patched/src/tools.c Mon Sep 30 09:06:17 2002
@@ -890,6 +890,22 @@
return strpbrk(s, w_space) != NULL;
}
+int
+stringHasUTF(const char *s)
+{
+ char *pc = NULL;
+ pc = index(s, '%');
+ while (1) {
+ if (pc == NULL) return 0;
+ pc++;
+ if (*pc >= '8' || *pc < '0') {
+ return 1;
+ }
+ pc = index(pc, '%');
+ }
+ return 0;
+}
+
void
linklistPush(link_list ** L, void *p)
{
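Review bot: stringHasUTF only looks at the character following each `%`, so a raw (unencoded) byte ≥ 0x80 anywhere in the string is never examined and passes the filter; unless something earlier in urlParse already rejects such bytes, which this patch does not show, a client can bypass `uri_utf deny` simply by not percent-encoding. The test also uses a signed `char` comparison (`*pc >= '8'`), which is only correct because it is applied to the hex digit and not to the byte itself; any raw-byte check must go through `unsigned char`. `index()` is a BSD legacy name — `strchr()` is the standard equivalent — and the `return 0` after `while (1)` is unreachable. A single pass over the string covers both cases and drops the dead code; the name is kept since protos.h and url.c already reference it, but a comment should state that it also flags malformed escapes.
```c
int
stringHasUTF(const char *s)
{
    /* Flags raw 8-bit bytes, %-escapes for bytes 0x80-0xFF, and malformed %-escapes. */
    const unsigned char *p = (const unsigned char *) s;
    for (; *p; p++) {
        if (*p >= 0x80)
            return 1;
        if (*p == '%' && (p[1] < '0' || p[1] > '7'))
            return 1;
    }
    return 0;
}
```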
diff -urN squid-2.5.STABLE1/src/url.c squid-patched/src/url.c
--- squid-2.5.STABLE1/src/url.c Thu Sep 12 06:21:00 2002
+++ squid-patched/src/url.c Mon Sep 30 09:06:17 2002
@@ -353,6 +353,16 @@
*q = '\0';
}
}
+ if (stringHasUTF(urlpath)) {
+ debug(23, 2) ("urlParse: URI has UTF: {%s}\n", url);
+ switch (Config.uri_utf) {
+ case URI_UTF_ALLOW:
+ break;
+ case URI_UTF_DENY:
+ default:
+ return NULL;
+ }
+ }
request = requestCreate(method, protocol, urlpath);
xstrncpy(request->host, host, SQUIDHOSTNAMELEN);
xstrncpy(request->login, login, MAX_LOGIN_SZ);
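Review bot: The check is applied to `urlpath` only, yet `host` and `login` are copied into the request two lines later without being examined, so percent-escapes or 8-bit bytes in the host or userinfo part are not covered even though the directive documents itself as applying to "the URI". If the intent is to reject any non-ASCII in the request URL, run the same test on `host` (and `login`) before the switch, e.g. `if (stringHasUTF(urlpath) || stringHasUTF(host) || stringHasUTF(login)) {`; if the path-only scope is deliberate, the cf.data.pre description should say "URL path". Having `URI_UTF_DENY` share the `default:` arm so that an unexpected config value fails closed is the right choice and worth a one-line comment such as `/* unknown value: fail closed */`. urlParse starts and ends outside this hunk, so whether CONNECT requests reach this point cannot be confirmed from here.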