diff -u -r -N squid-3.2.9/ChangeLog squid-3.2.10/ChangeLog --- squid-3.2.9/ChangeLog 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/ChangeLog 2013-04-27 15:07:29.000000000 +1200 @@ -1,3 +1,17 @@ + +Changes to squid-3.2.10 (27 Apr 2013): + + - Bug 3833: squidclient: Option '-k' is not present in man(1) page + - Bug 3825: basic_ncsa_auth: segfaulting with glibc-2.17 + - Bug 3822: Locate LDAP and SASL headers for BSD support + - Bug 3817: Memory leak in SSL cert validate for alt_name peer certs + - Bug 3774: 'squid -k reconfigure' drops rock cache + - Bug 3565: Resuming postponed accept kills Squid + - HTTP/1.1: partial support for no-cache and private controls with parameters + - ssl_crtd: fix helpers dying during startup on ARM + - GNU Hurd: define MAP_NORESERVE as no-op when missing + - BSD: fix enter_suid/leave_suid build errors in ip/Intercept.cc + Changes to squid-3.2.9 (12 Mar 2013): - Regression fix: Accept-Language header parse diff -u -r -N squid-3.2.9/configure squid-3.2.10/configure --- squid-3.2.9/configure 2013-03-12 23:17:19.000000000 +1300 +++ squid-3.2.10/configure 2013-04-27 15:08:32.000000000 +1200 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.2.9. +# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.2.10. # # Report bugs to . # @@ -575,8 +575,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='3.2.9' -PACKAGE_STRING='Squid Web Proxy 3.2.9' +PACKAGE_VERSION='3.2.10' +PACKAGE_STRING='Squid Web Proxy 3.2.10' PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' PACKAGE_URL='' 
@@ -1571,7 +1571,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 3.2.9 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 3.2.10 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1641,7 +1641,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 3.2.9:";; + short | recursive ) echo "Configuration of Squid Web Proxy 3.2.10:";; esac cat <<\_ACEOF @@ -2019,7 +2019,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 3.2.9 +Squid Web Proxy configure 3.2.10 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc. @@ -3115,7 +3115,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 3.2.9, which was +It was created by Squid Web Proxy $as_me 3.2.10, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ @@ -3934,7 +3934,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='3.2.9' + VERSION='3.2.10' cat >>confdefs.h <<_ACEOF @@ -30894,7 +30894,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 3.2.9, which was +This file was extended by Squid Web Proxy $as_me 3.2.10, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -30960,7 +30960,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Squid Web Proxy config.status 3.2.9 +Squid Web Proxy config.status 3.2.10 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" diff -u -r -N squid-3.2.9/configure.ac squid-3.2.10/configure.ac --- squid-3.2.9/configure.ac 2013-03-12 23:17:18.000000000 +1300 +++ squid-3.2.10/configure.ac 2013-04-27 15:08:32.000000000 +1200 @@ -1,4 +1,4 @@ -AC_INIT([Squid Web Proxy],[3.2.9],[http://bugs.squid-cache.org/],[squid]) +AC_INIT([Squid Web Proxy],[3.2.10],[http://bugs.squid-cache.org/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) diff -u -r -N squid-3.2.9/helpers/basic_auth/DB/basic_db_auth.8 squid-3.2.10/helpers/basic_auth/DB/basic_db_auth.8 --- squid-3.2.9/helpers/basic_auth/DB/basic_db_auth.8 2013-03-12 23:46:22.000000000 +1300 +++ squid-3.2.10/helpers/basic_auth/DB/basic_db_auth.8 2013-04-27 15:31:04.000000000 +1200 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 1" -.TH BASIC_DB_AUTH 1 "2013-03-12" "perl v5.10.1" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 1 "2013-04-26" "perl v5.10.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.2.9/helpers/basic_auth/LDAP/config.test squid-3.2.10/helpers/basic_auth/LDAP/config.test --- squid-3.2.9/helpers/basic_auth/LDAP/config.test 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/helpers/basic_auth/LDAP/config.test 2013-04-27 15:07:29.000000000 +1200 
@@ -1,5 +1,5 @@ #!/bin/sh -if [ -f /usr/include/ldap.h ]; then +if [ -f /usr/include/ldap.h -o -f /usr/local/include/ldap.h ]; then exit 0 fi if [ -f /usr/include/winldap.h ]; then diff -u -r -N squid-3.2.9/helpers/basic_auth/NCSA/basic_ncsa_auth.cc squid-3.2.10/helpers/basic_auth/NCSA/basic_ncsa_auth.cc --- squid-3.2.9/helpers/basic_auth/NCSA/basic_ncsa_auth.cc 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/helpers/basic_auth/NCSA/basic_ncsa_auth.cc 2013-04-27 15:07:29.000000000 +1200 
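Review bot: The new test in helpers/basic_auth/LDAP/config.test joins two `-f` checks with `-o` inside a single `[ ]`, a form POSIX marks as obsolescent and that some shells parse ambiguously; `if [ -f /usr/include/ldap.h ] || [ -f /usr/local/include/ldap.h ]; then` is the portable spelling. The same pattern is added in the SASL, eDirectory, digest LDAP, eDirectory_userip and LDAP_group config.test hunks. The probe still looks only at fixed directories, so a header reachable through a custom include path would presumably be missed; a one-line comment saying so would help packagers.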
@@ -144,19 +144,20 @@ rfc1738_unescape(user); rfc1738_unescape(passwd); u = (user_data *) hash_lookup(hash, user); + char *crypted = NULL; if (u == NULL) { SEND_ERR("No such user"); #if HAVE_CRYPT - } else if (strlen(passwd) <= 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) { + } else if (strlen(passwd) <= 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) { // Bug 3107: crypt() DES functionality silently truncates long passwords. SEND_OK(""); - } else if (strlen(passwd) > 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) { + } else if (strlen(passwd) > 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) { // Bug 3107: crypt() DES functionality silently truncates long passwords. SEND_ERR("Password too long. Only 8 characters accepted."); #endif - } else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) { + } else if ( (crypted = crypt_md5(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) { SEND_OK(""); - } else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) { + } else if ( (crypted = md5sum(passwd)) && strcmp(u->passwd, crypted) == 0) { SEND_OK(""); } else { SEND_ERR("Wrong password"); diff -u -r -N squid-3.2.9/helpers/basic_auth/SASL/config.test squid-3.2.10/helpers/basic_auth/SASL/config.test --- squid-3.2.9/helpers/basic_auth/SASL/config.test 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/helpers/basic_auth/SASL/config.test 2013-04-27 15:07:29.000000000 +1200 
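Review bot: The `strlen(passwd) > 8` branch in basic_ncsa_auth.cc still rejects every long password that crypt() verifies, whatever hash format is stored in `u->passwd`; where the platform crypt() selects a non-DES scheme from the salt, a correct long password would be answered with "Password too long" although nothing was truncated. The two branches also call crypt() twice with identical arguments. Folding them into one branch that calls crypt() once, keeps the new NULL check and applies the Bug 3107 length rejection only to traditional DES hashes would address both; the 13-character test in the sketch is an assumption to confirm. The enclosing function starts and ends outside the hunk.

```cpp
    // … unchanged: rfc1738_unescape calls, hash_lookup, "No such user" branch …
#if HAVE_CRYPT
    } else if ((crypted = crypt(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) {
        // Bug 3107: only traditional DES crypt() silently truncates long passwords.
        // NOTE(review): a 13-character stored hash is assumed to mean DES; confirm.
        if (strlen(passwd) > 8 && strlen(u->passwd) == 13) {
            SEND_ERR("Password too long. Only 8 characters accepted.");
        } else {
            SEND_OK("");
        }
#endif
    // … unchanged: crypt_md5 and md5sum branches, "Wrong password" …
```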
@@ -1,8 +1,8 @@ #!/bin/sh -if [ -f /usr/include/sasl.h ]; then +if [ -f /usr/include/sasl.h -o -f /usr/local/include/sasl.h ]; then exit 0 fi -if [ -f /usr/include/sasl/sasl.h ]; then +if [ -f /usr/include/sasl/sasl.h -o -f /usr/local/include/sasl/sasl.h ]; then exit 0 fi exit 1 diff -u -r -N squid-3.2.9/helpers/digest_auth/eDirectory/config.test squid-3.2.10/helpers/digest_auth/eDirectory/config.test --- squid-3.2.9/helpers/digest_auth/eDirectory/config.test 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/helpers/digest_auth/eDirectory/config.test 2013-04-27 15:07:29.000000000 +1200 @@ -1,5 +1,5 @@ #!/bin/sh -if [ -f /usr/include/ldap.h ]; then +if [ -f /usr/include/ldap.h -o -f /usr/local/include/ldap.h ]; then exit 0 fi if [ -f /usr/include/winldap.h ]; then diff -u -r -N squid-3.2.9/helpers/digest_auth/LDAP/config.test squid-3.2.10/helpers/digest_auth/LDAP/config.test --- squid-3.2.9/helpers/digest_auth/LDAP/config.test 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/helpers/digest_auth/LDAP/config.test 2013-04-27 15:07:29.000000000 +1200 @@ -1,5 +1,5 @@ #!/bin/sh -if [ -f /usr/include/ldap.h ]; then +if [ -f /usr/include/ldap.h -o -f /usr/local/include/ldap.h ]; then exit 0 fi if [ -f /usr/include/winldap.h ]; then diff -u -r -N squid-3.2.9/helpers/external_acl/eDirectory_userip/config.test squid-3.2.10/helpers/external_acl/eDirectory_userip/config.test --- squid-3.2.9/helpers/external_acl/eDirectory_userip/config.test 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/helpers/external_acl/eDirectory_userip/config.test 2013-04-27 15:07:29.000000000 +1200 
@@ -1,6 +1,6 @@ #!/bin/sh -if [ -f /usr/include/ldap.h ]; then +if [ -f /usr/include/ldap.h -o -f /usr/local/include/ldap.h ]; then exit 0 fi if [ -f /usr/include/winldap.h ]; then diff -u -r -N squid-3.2.9/helpers/external_acl/LDAP_group/config.test squid-3.2.10/helpers/external_acl/LDAP_group/config.test --- squid-3.2.9/helpers/external_acl/LDAP_group/config.test 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/helpers/external_acl/LDAP_group/config.test 2013-04-27 15:07:29.000000000 +1200 @@ -1,5 +1,5 @@ #!/bin/sh -if [ -f /usr/include/ldap.h ]; then +if [ -f /usr/include/ldap.h -o -f /usr/local/include/ldap.h ]; then exit 0 fi if [ -f /usr/include/winldap.h ]; then diff -u -r -N squid-3.2.9/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.2.10/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 --- squid-3.2.9/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2013-03-12 23:46:35.000000000 +1300 +++ squid-3.2.10/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2013-04-27 15:31:08.000000000 +1200 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL.PL.IN 1" -.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-03-12" "perl v5.10.1" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-04-26" "perl v5.10.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.2.9/include/version.h squid-3.2.10/include/version.h --- squid-3.2.9/include/version.h 2013-03-12 23:17:19.000000000 +1300 +++ squid-3.2.10/include/version.h 2013-04-27 15:08:32.000000000 +1200 
@@ -9,7 +9,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1363083354 +#define SQUID_RELEASE_TIME 1367032047 #endif #ifndef APP_SHORTNAME diff -u -r -N squid-3.2.9/RELEASENOTES.html squid-3.2.10/RELEASENOTES.html --- squid-3.2.9/RELEASENOTES.html 2013-03-12 23:47:23.000000000 +1300 +++ squid-3.2.10/RELEASENOTES.html 2013-04-27 15:31:18.000000000 +1200 @@ -2,10 +2,10 @@ - Squid 3.2.9 release notes + Squid 3.2.10 release notes -

Squid 3.2.9 release notes

+

Squid 3.2.10 release notes

Squid Developers


@@ -72,7 +72,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-3.2.9.

+

The Squid Team are pleased to announce the release of Squid-3.2.10.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.2/ or the mirrors.

diff -u -r -N squid-3.2.9/src/cache_cf.cc squid-3.2.10/src/cache_cf.cc --- squid-3.2.9/src/cache_cf.cc 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/src/cache_cf.cc 2013-04-27 15:07:29.000000000 +1200 @@ -600,6 +600,7 @@ memConfigure(); /* Sanity checks */ + Config.cacheSwap.n_strands = 0; // no diskers by default if (Config.cacheSwap.swapDirs == NULL) { /* Memory-only cache probably in effect. */ /* turn off the cache rebuild delays... */ diff -u -r -N squid-3.2.9/src/client_side_request.cc squid-3.2.10/src/client_side_request.cc --- squid-3.2.9/src/client_side_request.cc 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/src/client_side_request.cc 2013-04-27 15:07:29.000000000 +1200 @@ -1031,7 +1031,7 @@ if (!request->flags.ignore_cc) { if (request->cache_control) { - if (request->cache_control->noCache()) + if (request->cache_control->hasNoCache()) no_cache=true; // RFC 2616: treat Pragma:no-cache as if it was Cache-Control:no-cache when Cache-Control is missing diff -u -r -N squid-3.2.9/src/comm/AcceptLimiter.cc squid-3.2.10/src/comm/AcceptLimiter.cc --- squid-3.2.9/src/comm/AcceptLimiter.cc 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/src/comm/AcceptLimiter.cc 2013-04-27 15:07:29.000000000 +1200 
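Review bot: In src/cache_cf.cc the added `Config.cacheSwap.n_strands = 0;` sits under the `/* Sanity checks */` banner although it is a reset rather than a check, and `// no diskers by default` does not say why the value has to be cleared at this point. If the counter is recomputed on every (re)configuration, which the ChangeLog entry for Bug 3774 suggests but the hunk does not show, a comment such as `// reset here: a stale count would otherwise survive 'squid -k reconfigure'` placed above the banner would record that. The enclosing function starts and ends outside the hunk.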
@@ -6,29 +6,33 @@ Comm::AcceptLimiter Comm::AcceptLimiter::Instance_; -Comm::AcceptLimiter &Comm::AcceptLimiter::Instance() +Comm::AcceptLimiter & +Comm::AcceptLimiter::Instance() { return Instance_; } void -Comm::AcceptLimiter::defer(Comm::TcpAcceptor *afd) +Comm::AcceptLimiter::defer(const Comm::TcpAcceptor::Pointer &afd) { - ++ afd->isLimited; + ++ (afd->isLimited); debugs(5, 5, HERE << afd->conn << " x" << afd->isLimited); - deferred.push_back(afd); + deferred_.push_back(afd); } void -Comm::AcceptLimiter::removeDead(const Comm::TcpAcceptor *afd) +Comm::AcceptLimiter::removeDead(const Comm::TcpAcceptor::Pointer &afd) { - for (unsigned int i = 0; i < deferred.size() && afd->isLimited > 0; i++) { - if (deferred[i] == afd) { - -- deferred[i]->isLimited; - deferred[i] = NULL; // fast. kick() will skip empty entries later. + uint64_t abandonedClients = 0; + for (unsigned int i = 0; i < deferred_.size() && afd->isLimited > 0; ++i) { + if (deferred_[i] == afd) { + -- deferred_[i]->isLimited; + deferred_[i] = NULL; // fast. kick() will skip empty entries later. debugs(5, 5, HERE << afd->conn << " x" << afd->isLimited); + ++abandonedClients; } } + debugs(5,4, HERE << "Abandoned " << abandonedClients << " client TCP SYN by closing socket: " << afd->conn); } void 
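Review bot: defer() and removeDead() dereference `afd` (`afd->isLimited`, `afd->conn`) without the `valid()` test that kick() now applies to queued entries, so a pointer whose job has already gone away is treated differently on the way in than on the way out. If dereferencing an invalidated `TcpAcceptor::Pointer` asserts (not visible in this diff, to be confirmed against CbcPointer), an early `if (!afd.valid()) return;` in both functions would keep them consistent with kick(). Separately, the new level-4 `debugs()` in removeDead() is emitted even when `abandonedClients` is 0; guarding it with `if (abandonedClients > 0)` keeps the log quiet for acceptors that were never deferred.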
@@ -37,12 +41,13 @@ // TODO: this could be optimized further with an iterator to search // looking for first non-NULL, followed by dumping the first N // with only one shift()/pop_front operation + // OR, by reimplementing as a list instead of Vector. - debugs(5, 5, HERE << " size=" << deferred.size()); - while (deferred.size() > 0 && fdNFree() >= RESERVED_FD) { + debugs(5, 5, HERE << " size=" << deferred_.size()); + while (deferred_.size() > 0 && fdNFree() >= RESERVED_FD) { /* NP: shift() is equivalent to pop_front(). Giving us a FIFO queue. */ - TcpAcceptor *temp = deferred.shift(); - if (temp != NULL) { + TcpAcceptor::Pointer temp = deferred_.shift(); + if (temp.valid()) { debugs(5, 5, HERE << " doing one."); -- temp->isLimited; temp->acceptNext(); diff -u -r -N squid-3.2.9/src/comm/AcceptLimiter.h squid-3.2.10/src/comm/AcceptLimiter.h --- squid-3.2.9/src/comm/AcceptLimiter.h 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/src/comm/AcceptLimiter.h 2013-04-27 15:07:29.000000000 +1200 @@ -2,12 +2,11 @@ #define _SQUID_SRC_COMM_ACCEPT_LIMITER_H #include "Array.h" +#include "comm/TcpAcceptor.h" namespace Comm { -class TcpAcceptor; - /** * FIFO Queue holding listener socket handlers which have been activated * ready to dupe their FD and accept() a new client connection. @@ -18,6 +17,16 @@ * removeDead - used only by Comm layer ConnAcceptor to remove themselves when dying. * kick - used by Comm layer when FD are closed. */ +/* TODO this algorithm can be optimized further: + * + * 1) reduce overheads by only pushing one entry per port to the list? + * use TcpAcceptor::isLimited as a flag whether to re-list when kick()'ing + * or to NULL an entry while scanning the list for empty spaces. + * Side effect: TcpAcceptor->kick() becomes allowed to pull off multiple accept()'s in bunches + * + * 2) re-implement as a list instead of vector? + * storing head/tail pointers for fast push/pop and avoiding the whole shift() overhead + */ class AcceptLimiter { 
@@ -26,10 +35,10 @@ static AcceptLimiter &Instance(); /** delay accepting a new client connection. */ - void defer(Comm::TcpAcceptor *afd); + void defer(const TcpAcceptor::Pointer &afd); /** remove all records of an acceptor. Only to be called by the ConnAcceptor::swanSong() */ - void removeDead(const Comm::TcpAcceptor *afd); + void removeDead(const TcpAcceptor::Pointer &afd); /** try to accept and begin processing any delayed client connections. */ void kick(); @@ -38,7 +47,7 @@ static AcceptLimiter Instance_; /** FIFO queue */ - Vector deferred; + Vector deferred_; }; }; // namepace Comm diff -u -r -N squid-3.2.9/src/comm/TcpAcceptor.h squid-3.2.10/src/comm/TcpAcceptor.h --- squid-3.2.9/src/comm/TcpAcceptor.h 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/src/comm/TcpAcceptor.h 2013-04-27 15:07:29.000000000 +1200 @@ -1,17 +1,11 @@ #ifndef SQUID_COMM_TCPACCEPTOR_H #define SQUID_COMM_TCPACCEPTOR_H -#include "base/AsyncCall.h" +#include "base/AsyncJob.h" +#include "base/CbcPointer.h" #include "base/Subscription.h" -#include "CommCalls.h" #include "comm_err_t.h" #include "comm/forward.h" -#include "comm/TcpAcceptor.h" -#include "ip/Address.h" - -#if HAVE_MAP -#include -#endif namespace Comm { @@ -32,6 +26,9 @@ */ class TcpAcceptor : public AsyncJob { +public: + typedef CbcPointer Pointer; + private: virtual void start(); virtual bool doneAll() const; diff -u -r -N squid-3.2.9/src/DiskIO/Mmapped/MmappedFile.cc squid-3.2.10/src/DiskIO/Mmapped/MmappedFile.cc --- squid-3.2.9/src/DiskIO/Mmapped/MmappedFile.cc 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/src/DiskIO/Mmapped/MmappedFile.cc 2013-04-27 15:07:29.000000000 +1200 
@@ -11,6 +11,11 @@ #include "DiskIO/WriteRequest.h" #include +// Some systems such as Hurd provide mmap() API but do not support MAP_NORESERVE +#ifndef MAP_NORESERVE +#define MAP_NORESERVE 0 +#endif + CBDATA_CLASS_INIT(MmappedFile); // helper class to deal with mmap(2) offset alignment and other low-level specs diff -u -r -N squid-3.2.9/src/http.cc squid-3.2.10/src/http.cc --- squid-3.2.9/src/http.cc 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/src/http.cc 2013-04-27 15:07:29.000000000 +1200 @@ -361,6 +361,16 @@ } // NP: request CC:no-cache only means cache READ is forbidden. STORE is permitted. + if (rep->cache_control && rep->cache_control->hasNoCache() && rep->cache_control->noCache().defined()) { + /* TODO: we are allowed to cache when no-cache= has parameters. + * Provided we strip away any of the listed headers unless they are revalidated + * successfully (ie, must revalidate AND these headers are prohibited on stale replies). + * That is a bit tricky for squid right now so we avoid caching entirely. + */ + debugs(22, 3, HERE << "NO because server reply Cache-Control:no-cache has parameters"); + return 0; + } + // NP: request CC:private is undefined. We ignore. // NP: other request CC flags are limiters on HIT/MISS. We don't care about here. 
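Review bot: In the src/http.cc hunk at -361 the new reply check is inserted directly under `// NP: request CC:no-cache only means cache READ is forbidden. STORE is permitted.`, so a comment about the request header now reads as if it described a test on `rep->cache_control`. I would leave a blank line after that comment and open the new block with `// Reply CC:no-cache="field-list": not stored at all for now, see TODO below.` The test also relies on `noCache().defined()` being true exactly when a field list was parsed; whether an empty quoted list leaves the String undefined is not visible here and deserves a sentence in the TODO. The enclosing function starts and ends outside the hunk.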
@@ -372,16 +382,21 @@ } // RFC 2616 section 14.9.1 - MUST NOT cache any response with CC:private in a shared cache like Squid. + // CC:private overrides CC:public when both are present in a response. // TODO: add a shared/private cache configuration possibility. if (rep->cache_control && - rep->cache_control->Private() && + rep->cache_control->hasPrivate() && !REFRESH_OVERRIDE(ignore_private)) { + /* TODO: we are allowed to cache when private= has parameters. + * Provided we strip away any of the listed headers unless they are revalidated + * successfully (ie, must revalidate AND these headers are prohibited on stale replies). + * That is a bit tricky for squid right now so we avoid caching entirely. + */ debugs(22, 3, HERE << "NO because server reply Cache-Control:private"); return 0; } - // NP: being conservative; CC:private overrides CC:public when both are present in a response. - } + // RFC 2068, sec 14.9.4 - MUST NOT cache any response with Authentication UNLESS certain CC controls are present // allow HTTP violations to IGNORE those controls (ie re-block caching Auth) if (request && (request->flags.auth || request->flags.auth_sent) && !REFRESH_OVERRIDE(ignore_auth)) { @@ -410,8 +425,8 @@ // NP: given the must-revalidate exception we should also be able to exempt no-cache. // HTTPbis WG verdict on this is that it is omitted from the spec due to being 'unexpected' by // some. The caching+revalidate is not exactly unsafe though with Squids interpretation of no-cache - // as equivalent to must-revalidate in the reply. - } else if (rep->cache_control->noCache() && !REFRESH_OVERRIDE(ignore_must_revalidate)) { + // (without parameters) as equivalent to must-revalidate in the reply. + } else if (rep->cache_control->hasNoCache() && !rep->cache_control->noCache().defined() && !REFRESH_OVERRIDE(ignore_must_revalidate)) { debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:no-cache (equivalent to must-revalidate)"); mayStore = true; #endif 
@@ -967,10 +982,22 @@ if (!ignoreCacheControl) { if (rep->cache_control) { - if (rep->cache_control->proxyRevalidate() || - rep->cache_control->mustRevalidate() || - rep->cache_control->noCache() || - rep->cache_control->hasSMaxAge()) + // We are required to revalidate on many conditions. + // For security reasons we do so even if storage was caused by refresh_pattern ignore-* option + + // CC:must-revalidate or CC:proxy-revalidate + const bool ccMustRevalidate = (rep->cache_control->proxyRevalidate() || rep->cache_control->mustRevalidate()); + + // CC:no-cache (only if there are no parameters) + const bool ccNoCacheNoParams = (rep->cache_control->hasNoCache() && rep->cache_control->noCache().undefined()); + + // CC:s-maxage=N + const bool ccSMaxAge = rep->cache_control->hasSMaxAge(); + + // CC:private (yes, these can sometimes be stored) + const bool ccPrivate = rep->cache_control->hasPrivate(); + + if (ccMustRevalidate || ccNoCacheNoParams || ccSMaxAge || ccPrivate) EBIT_SET(entry->flags, ENTRY_REVALIDATE); } #if USE_HTTP_VIOLATIONS // response header Pragma::no-cache is undefined in HTTP @@ -1809,7 +1836,7 @@ #endif /* Add max-age only without no-cache */ - if (!cc->hasMaxAge() && !cc->noCache()) { + if (!cc->hasMaxAge() && !cc->hasNoCache()) { const char *url = entry ? entry->url() : urlCanonical(request); cc->maxAge(getMaxAge(url)); diff -u -r -N squid-3.2.9/src/HttpHdrCc.cc squid-3.2.10/src/HttpHdrCc.cc --- squid-3.2.9/src/HttpHdrCc.cc 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/src/HttpHdrCc.cc 2013-04-27 15:07:29.000000000 +1200 
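Review bot: In the src/http.cc hunk at -967, `ccNoCacheNoParams` sets ENTRY_REVALIDATE only for a bare no-cache, so a reply carrying `no-cache="..."` depends entirely on the separate cacheability check refusing to store it. The comment in this hunk says revalidation is forced "even if storage was caused by refresh_pattern ignore-* option", and treating every no-cache the same way here would match that intent: `const bool ccNoCache = rep->cache_control->hasNoCache();`. The hunk also spells the test as `noCache().undefined()` while the cacheability hunks use `!noCache().defined()`; one form throughout would be easier to search for. The enclosing function starts and ends outside the hunk.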
@@ -192,15 +192,42 @@ } break; + case CC_PRIVATE: { + String temp; + if (!p) { + // Value parameter is optional. + private_.clean(); + } else if (/* p &&*/ httpHeaderParseQuotedString(p, (ilen-nlen-1), &temp)) { + private_.append(temp); + } else { + debugs(65, 2, "cc: invalid private= specs near '" << item << "'"); + } + // to be safe we ignore broken parameters, but always remember the 'private' part. + setMask(type,true); + } + break; + + case CC_NO_CACHE: { + String temp; + if (!p) { + // On Requests, missing value parameter is expected syntax. + // On Responses, value parameter is optional. + setMask(type,true); + no_cache.clean(); + } else if (/* p &&*/ httpHeaderParseQuotedString(p, (ilen-nlen-1), &temp)) { + // On Requests, a value parameter is invalid syntax. + // XXX: identify when parsing request header and dump err message here. + setMask(type,true); + no_cache.append(temp); + } else { + debugs(65, 2, "cc: invalid no-cache= specs near '" << item << "'"); + } + } + break; + case CC_PUBLIC: Public(true); break; - case CC_PRIVATE: - Private(true); - break; - case CC_NO_CACHE: - noCache(true); - break; case CC_NO_STORE: noStore(true); break; diff -u -r -N squid-3.2.9/src/HttpHdrCc.h squid-3.2.10/src/HttpHdrCc.h --- squid-3.2.9/src/HttpHdrCc.h 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/src/HttpHdrCc.h 2013-04-27 15:07:29.000000000 +1200 
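Review bot: The CC_NO_CACHE case sets the mask only inside its two successful branches, so a reply with a malformed `no-cache=` value ends up with no no-cache flag at all, whereas the CC_PRIVATE case deliberately calls `setMask(type,true)` after the chain "to be safe". Failing open here means a broken directive makes the reply look more cacheable than the origin intended; moving `setMask(type,true);` below the if/else chain, as in the private case, would make both directives fail closed. Both cases also `append(temp)` straight onto the member, so field lists from repeated directives run together without the "," separator that the `Private(String &)` and `noCache(String &)` setters in HttpHdrCc.h insert; calling the setters would avoid that. The enclosing switch starts and ends outside the hunk.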
@@ -71,15 +71,27 @@ //manipulation for Cache-Control: private header bool hasPrivate() const {return isSet(CC_PRIVATE);} - bool Private() const {return isSet(CC_PRIVATE);} - void Private(bool v) {setMask(CC_PRIVATE,v);} - void clearPrivate() {setMask(CC_PRIVATE,false);} + const String &Private() const {return private_;} + void Private(String &v) { + setMask(CC_PRIVATE,true); + // uses append for multi-line headers + if (private_.defined()) + private_.append(","); + private_.append(v); + } + void clearPrivate() {setMask(CC_PRIVATE,false); private_.clean();} //manipulation for Cache-Control: no-cache header bool hasNoCache() const {return isSet(CC_NO_CACHE);} - bool noCache() const {return isSet(CC_NO_CACHE);} - void noCache(bool v) {setMask(CC_NO_CACHE,v);} - void clearNoCache() {setMask(CC_NO_CACHE,false);} + const String &noCache() const {return no_cache;} + void noCache(String &v) { + setMask(CC_NO_CACHE,true); + // uses append for multi-line headers + if (no_cache.defined()) + no_cache.append(","); + no_cache.append(v); + } + void clearNoCache() {setMask(CC_NO_CACHE,false); no_cache.clean();} //manipulation for Cache-Control: no-store header bool hasNoStore() const {return isSet(CC_NO_STORE);} 
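Review bot: `Private(String &v)` and `noCache(String &v)` take a non-const reference although they only read `v`, so callers cannot pass a const String or a temporary; `void Private(const String &v)` and `void noCache(const String &v)` would be the usual signatures, assuming `String::append` accepts a const argument. Each setter also deserves a one-line comment stating that `v` is the field-name list sent with the directive and that the directive flag is set even when `v` is empty.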
@@ -163,6 +175,9 @@ int32_t max_stale; int32_t stale_if_error; int32_t min_fresh; + String private_; ///< List of headers sent as value for CC:private="...". May be empty/undefined if the value is missing. + String no_cache; ///< List of headers sent as value for CC:no-cache="...". May be empty/undefined if the value is missing. + /// low-level part of the public set method, performs no checks _SQUID_INLINE_ void setMask(http_hdr_cc_type id, bool newval=true); _SQUID_INLINE_ void setValue(int32_t &value, int32_t new_value, http_hdr_cc_type hdr, bool setting=true); diff -u -r -N squid-3.2.9/src/ip/Intercept.cc squid-3.2.10/src/ip/Intercept.cc --- squid-3.2.9/src/ip/Intercept.cc 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/src/ip/Intercept.cc 2013-04-27 15:07:29.000000000 +1200 @@ -34,6 +34,7 @@ #include "comm/Connection.h" #include "ip/Intercept.h" #include "fde.h" +#include "src/tools.h" #if IPF_TRANSPARENT diff -u -r -N squid-3.2.9/src/ssl/ssl_crtd.cc squid-3.2.10/src/ssl/ssl_crtd.cc --- squid-3.2.9/src/ssl/ssl_crtd.cc 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/src/ssl/ssl_crtd.cc 2013-04-27 15:07:29.000000000 +1200 @@ -263,7 +263,7 @@ int serial = (getCurrentTime() - 1200000000); size_t max_db_size = 0; size_t fs_block_size = 2048; - char c; + int8_t c; bool create_new_db = false; bool show_sn = false; std::string db_path; diff -u -r -N squid-3.2.9/src/ssl/support.cc squid-3.2.10/src/ssl/support.cc --- squid-3.2.9/src/ssl/support.cc 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/src/ssl/support.cc 2013-04-27 15:07:29.000000000 +1200 
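Review bot: In src/ssl/ssl_crtd.cc, `int8_t c;` fixes the platforms where plain `char` is unsigned, but if `c` receives the return value of getopt() (the use is outside the hunk) the declared return type is `int`, and `int c;` is the form that compares against -1 correctly everywhere without narrowing. A short comment such as `// int, not char: getopt() returns -1 at end of options` would keep the type from being "simplified" back later. The enclosing function starts and ends outside the hunk.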
@@ -177,8 +177,10 @@ } ASN1_STRING *cn_data = check->d.dNSName; - if ( (*check_func)(check_data, cn_data) == 0) + if ( (*check_func)(check_data, cn_data) == 0) { + sk_GENERAL_NAME_pop_free(altnames, GENERAL_NAME_free); return 1; + } } sk_GENERAL_NAME_pop_free(altnames, GENERAL_NAME_free); } diff -u -r -N squid-3.2.9/src/tests/stub_libcomm.cc squid-3.2.10/src/tests/stub_libcomm.cc --- squid-3.2.9/src/tests/stub_libcomm.cc 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/src/tests/stub_libcomm.cc 2013-04-27 15:07:29.000000000 +1200 @@ -8,8 +8,8 @@ #include "comm/AcceptLimiter.h" Comm::AcceptLimiter dummy; Comm::AcceptLimiter & Comm::AcceptLimiter::Instance() STUB_RETVAL(dummy) -void Comm::AcceptLimiter::defer(Comm::TcpAcceptor *afd) STUB -void Comm::AcceptLimiter::removeDead(const Comm::TcpAcceptor *afd) STUB +void Comm::AcceptLimiter::defer(const Comm::TcpAcceptor::Pointer &afd) STUB +void Comm::AcceptLimiter::removeDead(const Comm::TcpAcceptor::Pointer &afd) STUB void Comm::AcceptLimiter::kick() STUB #include "comm/Connection.h" diff -u -r -N squid-3.2.9/tools/squidclient.1 squid-3.2.10/tools/squidclient.1 --- squid-3.2.9/tools/squidclient.1 2013-03-12 23:15:58.000000000 +1300 +++ squid-3.2.10/tools/squidclient.1 2013-04-27 15:07:29.000000000 +1200 @@ -7,7 +7,7 @@ . .SH SYNOPSIS .if !'po4a'hide' .B squidclient -.if !'po4a'hide' .B "[ \-arsv ] [ \-A" +.if !'po4a'hide' .B "[ \-aknNrsv ] [ \-A" string .if !'po4a'hide' .B "] [ \-g" count @@ -25,8 +25,6 @@ local host .if !'po4a'hide' .B "] [ \-m" method -.if !'po4a'hide' .B "] [ \-n" -.if !'po4a'hide' .B "] [ \-N" .if !'po4a'hide' .B "] [ \-p" port .if !'po4a'hide' .B "] [ \-P" @@ -98,6 +96,10 @@ Host header content . .if !'po4a'hide' .TP +.if !'po4a'hide' .B "\-k" +Keep the connection active. Default is to do only one request then close. +. +.if !'po4a'hide' .TP .if !'po4a'hide' .B "\-l host" Specify a local IP address to bind to. Default is none. .
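Review bot: In src/ssl/support.cc the early `return 1` now needs its own `sk_GENERAL_NAME_pop_free(altnames, GENERAL_NAME_free)` next to the one after the loop, and a second copy of the cleanup is easy to forget on the next exit path added. Recording the match in a local flag and leaving the loop with `break`, so that the single existing free runs on every path, would keep the cleanup in one place; any other exit inside the loop that lies outside this hunk should be checked for the same leak. The enclosing function starts and ends outside the hunk.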