
List:       squid-dev
Subject:    Introduction and a patch
From:       Greg Sheard <greg () ecsc ! co ! uk>
Date:       2002-09-30 8:01:45
Message-ID: 1033372905.21470.17.camel () morai-heg ! dark ! lan

[Attachment #2 (multipart/mixed)]


Hi,

I work for a security company in Yorkshire, England, and many of the
solutions we provide use Squid for proxying and caching. We've
previously used squidGuard as a redirector, but are now moving away and
relying on Squid's built-in features. One of the biggest problems with
squidGuard is the lack of support for filtering UTF-8 and other
encodings, apart from the generic US-ASCII. I noticed that Squid also
lacks this, so I wrote the code.

Key parts of Squid that are of interest to me are:
* ACLs - especially the regex ones
* Security features
* Cache peering
* Authentication

Attached is a patch that adds UTF-8 blocking support. It has been through
testing here, and I'd welcome any feedback. In summary, it adds the new
directive uri_utf (like uri_whitespace) with the possible states DENY
and ALLOW.

Cheers,

Greg Sheard
Technical Director
ECSC Ltd.
www.ecsc.co.uk

#include <legal_disclaimer.h>

"You have enemies? Good. That means you've
stood up for something, sometime in your life."
 -- Sir Winston Churchill

["squid-2.5-utf.patch" (squid-2.5-utf.patch)]

diff -urN squid-2.5.STABLE1/src/cache_cf.c squid-patched/src/cache_cf.c
--- squid-2.5.STABLE1/src/cache_cf.c	Sat Sep  7 16:13:59 2002
+++ squid-patched/src/cache_cf.c	Mon Sep 30 09:06:17 2002
@@ -2150,6 +2150,33 @@
     storeAppendPrintf(entry, "%s %s\n", name, s);
 }
 
+#define free_uri_utf free_int
+
+static void
+parse_uri_utf(int *var)
+{
+    char *token = strtok(NULL, w_space);
+    if (token == NULL)
+	self_destruct();
+    if (!strcasecmp(token, "deny"))
+	*var = URI_UTF_DENY;
+    else if (!strcasecmp(token, "allow"))
+	*var = URI_UTF_ALLOW;
+    else
+	self_destruct();
+}
+
+static void
+dump_uri_utf(StoreEntry * entry, const char *name, int var)
+{
+    char *s;
+    if (var == URI_UTF_ALLOW)
+	s = "allow";
+    else
+	s = "deny";
+    storeAppendPrintf(entry, "%s %s\n", name, s);
+}
+
 static void
 free_removalpolicy(RemovalPolicySettings ** settings)
 {
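Review bot: The `#define free_uri_utf free_int` alias and dump_uri_utf's treatment of every value other than URI_UTF_ALLOW as "deny" are undocumented, so a maintainer adding a third state would not see that the fallback is deliberate. Suggested comments: `/* uri_utf is a plain int, so the generic free_int handler suffices */` above the define, and `/* anything but URI_UTF_ALLOW is reported as the deny default */` before the if in dump_uri_utf. parse_uri_utf also relies on self_destruct() not returning after the NULL-token check; if it can return, `token` is dereferenced as NULL on the following strcasecmp line, so a `return;` after that call would make the intent explicit.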
diff -urN squid-2.5.STABLE1/src/cf.data.pre squid-patched/src/cf.data.pre
--- squid-2.5.STABLE1/src/cf.data.pre	Wed Sep  4 14:35:01 2002
+++ squid-patched/src/cf.data.pre	Mon Sep 30 09:06:17 2002
@@ -3459,6 +3459,22 @@
 		violation.
 DOC_END
 
+NAME: uri_utf
+TYPE: uri_utf
+LOC: Config.uri_utf
+DEFAULT: deny
+DOC_START
+	What to do with requests that have UTF8 or other non-ASCII
+	encoded characters in the URI.  Options:
+
+	deny:	The request is denied.  The user receives an "Invalid
+		Request" message.
+	allow:	The request is allowed and the URI is not changed.  The
+		encoded characters remain in the URI.  Note the
+		encoding is passed to redirector processes if they are
+		in use.
+DOC_END
+
 NAME: broken_posts
 TYPE: acl_access
 DEFAULT: none
diff -urN squid-2.5.STABLE1/src/defines.h squid-patched/src/defines.h
--- squid-2.5.STABLE1/src/defines.h	Thu Aug  8 21:17:39 2002
+++ squid-patched/src/defines.h	Mon Sep 30 09:06:17 2002
@@ -279,6 +279,9 @@
 #define URI_WHITESPACE_CHOP 3
 #define URI_WHITESPACE_DENY 4
 
+#define URI_UTF_ALLOW 0
+#define URI_UTF_DENY 1
+
 #ifndef _PATH_DEVNULL
 #define _PATH_DEVNULL "/dev/null"
 #endif
diff -urN squid-2.5.STABLE1/src/protos.h squid-patched/src/protos.h
--- squid-2.5.STABLE1/src/protos.h	Sat Sep  7 16:13:05 2002
+++ squid-patched/src/protos.h	Mon Sep 30 09:06:17 2002
@@ -1162,6 +1162,7 @@
 extern const char *gb_to_str(const gb_t *);
 extern void gb_flush(gb_t *);	/* internal, do not use this */
 extern int stringHasWhitespace(const char *);
+extern int stringHasUTF(const char *);
 extern int stringHasCntl(const char *);
 extern void linklistPush(link_list **, void *);
 extern void *linklistShift(link_list **);
diff -urN squid-2.5.STABLE1/src/structs.h squid-patched/src/structs.h
--- squid-2.5.STABLE1/src/structs.h	Sun Sep  8 00:11:23 2002
+++ squid-patched/src/structs.h	Mon Sep 30 09:06:17 2002
@@ -650,6 +650,7 @@
     } comm_incoming;
     int max_open_disk_fds;
     int uri_whitespace;
+    int uri_utf;
     size_t rangeOffsetLimit;
 #if MULTICAST_MISS_STREAM
     struct {
diff -urN squid-2.5.STABLE1/src/tools.c squid-patched/src/tools.c
--- squid-2.5.STABLE1/src/tools.c	Sat Sep  7 16:13:05 2002
+++ squid-patched/src/tools.c	Mon Sep 30 09:06:17 2002
@@ -890,6 +890,22 @@
     return strpbrk(s, w_space) != NULL;
 }
 
+int
+stringHasUTF(const char *s)
+{
+    char *pc = NULL;
+    pc = index(s, '%');
+    while (1) {
+	if (pc == NULL) return 0;
+	pc++;
+	if (*pc >= '8' || *pc < '0') {
+	    return 1;
+	}
+    pc = index(pc, '%');
+    }
+    return 0;
+}
+
 void
 linklistPush(link_list ** L, void *p)
 {
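Review bot: stringHasUTF only inspects the byte following each `%`, so a URI that carries 8-bit bytes literally rather than percent-encoded is never detected and the deny policy does not apply to it, while the cf.data.pre text ("UTF8 or other non-ASCII encoded characters") suggests both forms are meant to be caught. The test `*pc >= '8' || *pc < '0'` additionally flags any malformed escape and a trailing `%`; that may be intended but deserves a comment, and `index()` is the legacy BSD spelling of the standard `strchr()`. The `pc = index(pc, '%');` line is indented one level short and the `return 0;` after `while (1)` is unreachable. A single pass that checks raw high-bit bytes and `%` escapes together keeps the existing behaviour for escapes and closes the gap:
```c
int
stringHasUTF(const char *s)
{
    const unsigned char *p = (const unsigned char *) s;
    for (; *p != '\0'; p++) {
	if (*p >= 0x80)
	    return 1;		/* raw 8-bit byte, not percent-encoded */
	if (*p == '%' && (p[1] < '0' || p[1] > '7'))
	    return 1;		/* %8x..%Fx encodes a byte >= 0x80; also catches malformed escapes */
    }
    return 0;
}
```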
diff -urN squid-2.5.STABLE1/src/url.c squid-patched/src/url.c
--- squid-2.5.STABLE1/src/url.c	Thu Sep 12 06:21:00 2002
+++ squid-patched/src/url.c	Mon Sep 30 09:06:17 2002
@@ -353,6 +353,16 @@
 	    *q = '\0';
 	}
     }
+    if (stringHasUTF(urlpath)) {
+	debug(23, 2) ("urlParse: URI has UTF: {%s}\n", url);
+	switch (Config.uri_utf) {
+	case URI_UTF_ALLOW:
+	    break;
+	case URI_UTF_DENY:
+	default:
+	    return NULL;
+	}
+    }
     request = requestCreate(method, protocol, urlpath);
     xstrncpy(request->host, host, SQUIDHOSTNAMELEN);
     xstrncpy(request->login, login, MAX_LOGIN_SZ);
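Review bot: The new check examines only `urlpath`, so the `host` copied into the request two lines later is not subject to the uri_utf policy; if the directive is meant to cover the whole URI, `host` needs the same `stringHasUTF()` test before the switch. The `debug(23, 2)` line also fires for allowed requests with a message that reads like a rejection, so moving it under the `URI_UTF_DENY` case, or adding `/* logged for both actions; the switch below decides */` above it, would avoid misleading log readers. urlParse starts and ends outside the hunk, and whether `urlpath` is still percent-encoded at this point cannot be confirmed from what is shown.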

["signature.asc" (application/pgp-signature)]

