diff -u -r -N squid-3.2.0.11/ChangeLog squid-3.2.0.12/ChangeLog --- squid-3.2.0.11/ChangeLog 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/ChangeLog 2011-09-16 23:37:30.000000000 +1200 @@ -1,3 +1,21 @@ +Changes to squid-3.2.0.12 (17 Sep 2011): + + - Regression Bug 3335: ICAP service is down + - Regression Bug 3322: adapt:: and icap:: format codes do not parse + - Regression Bug 3303: Support for non-English usernames in log files + - Regression Bug 3259: assertion failed: Connection.cc:29: 'fd<0' after REVIVED PARENT + - Regression: %I shows hostname on SSL error page + - Regression: FTP outgoing port always 'in use' on PASV connections + - Bug 3337: (partial) status 200 is not accepted for deny_info + - Bug 3319: Inconsistencies in error messages + - Bug 3281: pconn in-use while closing assertion + - Bug 3243: Fix cases: raw-IPv6, case variant FQDN, internal request + - Fixed max-stale check. Entities not exceeding max-stale were marked as stale + - Adjust format code %la for intercepted connections + - Log ICAP_ERR_GONE ICAP transaction outcome when ICAP initiator disappears early + - Send RST packet when closing an ICAP connection after a transaction error + - Support maximum field width for string access.log fields + Changes to squid-3.2.0.11 (28 Aug 2011): - Bug 3243: CVE-2009-0801 Bypass of browser same-origin access control diff -u -r -N squid-3.2.0.11/configure squid-3.2.0.12/configure --- squid-3.2.0.11/configure 2011-08-29 03:12:23.000000000 +1200 +++ squid-3.2.0.12/configure 2011-09-16 23:38:35.000000000 +1200 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.2.0.11. +# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.2.0.12. # # Report bugs to . # 
@@ -575,8 +575,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='3.2.0.11' -PACKAGE_STRING='Squid Web Proxy 3.2.0.11' +PACKAGE_VERSION='3.2.0.12' +PACKAGE_STRING='Squid Web Proxy 3.2.0.12' PACKAGE_BUGREPORT='http://www.squid-cache.org/bugs/' PACKAGE_URL='' @@ -1570,7 +1570,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 3.2.0.11 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 3.2.0.12 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1640,7 +1640,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 3.2.0.11:";; + short | recursive ) echo "Configuration of Squid Web Proxy 3.2.0.12:";; esac cat <<\_ACEOF @@ -2018,7 +2018,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 3.2.0.11 +Squid Web Proxy configure 3.2.0.12 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc. @@ -3114,7 +3114,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 3.2.0.11, which was +It was created by Squid Web Proxy $as_me 3.2.0.12, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ @@ -3933,7 +3933,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='3.2.0.11' + VERSION='3.2.0.12' cat >>confdefs.h <<_ACEOF 
@@ -30543,7 +30543,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 3.2.0.11, which was +This file was extended by Squid Web Proxy $as_me 3.2.0.12, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -30609,7 +30609,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Squid Web Proxy config.status 3.2.0.11 +Squid Web Proxy config.status 3.2.0.12 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" diff -u -r -N squid-3.2.0.11/configure.ac squid-3.2.0.12/configure.ac --- squid-3.2.0.11/configure.ac 2011-08-29 03:12:23.000000000 +1200 +++ squid-3.2.0.12/configure.ac 2011-09-16 23:38:35.000000000 +1200 @@ -3,7 +3,7 @@ dnl dnl dnl -AC_INIT([Squid Web Proxy],[3.2.0.11],[http://www.squid-cache.org/bugs/],[squid]) +AC_INIT([Squid Web Proxy],[3.2.0.12],[http://www.squid-cache.org/bugs/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) diff -u -r -N squid-3.2.0.11/errors/af/ERR_AGENT_CONFIGURE squid-3.2.0.12/errors/af/ERR_AGENT_CONFIGURE --- squid-3.2.0.11/errors/af/ERR_AGENT_CONFIGURE 2011-08-29 03:16:15.000000000 +1200 +++ squid-3.2.0.12/errors/af/ERR_AGENT_CONFIGURE 2011-09-16 23:39:40.000000000 +1200 @@ -1 +1 @@ - Webblaaier se opstelling

FOUT

Web Browser Configuration


Your Web Browser configuration needs to be corrected to use this network.

How to find these settings in your browser:

For Firefox browsers go to:
  • Tools -> Options -> Advanced -> Network -> Connection Settings
  • In the HTTP proxy box type the proxy name %h and port %b.
For Internet Explorer browsers go to:
  • Tools -> Internet Options -> Connection -> LAN Settings ->Proxy
  • In the HTTP proxy box type the proxy name %h and port %b.
For Opera browsers go to:
  • Tools -> Preferences -> Advanced -> Network -> Proxy Servers
  • In the HTTP proxy box type the proxy name %h and port %b.

Die kasbediener se administrateur is %w.



\ No newline at end of file + Webblaaier se opstelling

FOUT

Web Browser Configuration


Die opstelling van u webblaaier moet reggestel word om hierdie netwerk te gebruik.

Hoe om hierdie instellings in die blaaier te vind:

Vir Firefox-blaaiers, gaan na:
  • Nutsgoed -> Opsies -> Gevorderd -> Netwerk -> Verbinding
  • In the HTTP proxy box type the proxy name %h and port %b.
Vir Internet Explorer-blaaiers, gaan na:
  • Tools -> Internet Options -> Connection -> LAN Settings ->Proxy
  • In the HTTP proxy box type the proxy name %h and port %b.
Vir Opera-blaaiers, gaan na:
  • Tools -> Preferences -> Advanced -> Network -> Proxy Servers
  • In the HTTP proxy box type the proxy name %h and port %b.

Die kasbediener se administrateur is %w.



\ No newline at end of file diff -u -r -N squid-3.2.0.11/errors/af/ERR_AGENT_WPAD squid-3.2.0.12/errors/af/ERR_AGENT_WPAD --- squid-3.2.0.11/errors/af/ERR_AGENT_WPAD 2011-08-29 03:16:16.000000000 +1200 +++ squid-3.2.0.12/errors/af/ERR_AGENT_WPAD 2011-09-16 23:39:41.000000000 +1200 @@ -1 +1 @@ - Webblaaier se opstelling

FOUT

Web Browser Configuration


Your Web Browser configuration needs to be corrected to use this network.

How to find these settings in your browser:

For Firefox browsers go to:
  • Tools -> Options -> Advanced -> Network -> Connection Settings
  • Select Auto-detect proxy settings for this network
For Internet Explorer browsers go to:
  • Tools -> Internet Options -> Connection -> LAN Settings ->Proxy
  • Select Automatically detect settings
For Opera browsers go to:
  • Tools -> Preferences -> Advanced -> Network -> Proxy Servers
  • Select Use Automatic proxy configuration

Die kasbediener se administrateur is %w.



\ No newline at end of file + Webblaaier se opstelling

FOUT

Web Browser Configuration


Die opstelling van u webblaaier moet reggestel word om hierdie netwerk te gebruik.

Hoe om hierdie instellings in die blaaier te vind:

Vir Firefox-blaaiers, gaan na:
  • Nutsgoed -> Opsies -> Gevorderd -> Netwerk -> Verbinding
  • Kies "Outospeur instaanopstelling vir hierdie netwerk"
Vir Internet Explorer-blaaiers, gaan na:
  • Tools -> Internet Options -> Connection -> LAN Settings ->Proxy
  • Select Automatically detect settings
Vir Opera-blaaiers, gaan na:
  • Tools -> Preferences -> Advanced -> Network -> Proxy Servers
  • Select Use Automatic proxy configuration

Die kasbediener se administrateur is %w.



\ No newline at end of file diff -u -r -N squid-3.2.0.11/errors/af/ERR_DIR_LISTING squid-3.2.0.12/errors/af/ERR_DIR_LISTING --- squid-3.2.0.11/errors/af/ERR_DIR_LISTING 2011-08-29 03:16:20.000000000 +1200 +++ squid-3.2.0.12/errors/af/ERR_DIR_LISTING 2011-09-16 23:39:43.000000000 +1200 @@ -1 +1 @@ - Gids: %U

Gids: %U/


Gidsinhoud:

%z
%g
Ouergids (Wortelgids)

\ No newline at end of file + Gids: %U

Gids: %U/


Gidsinhoud:

%z
%g
Ouergids (Wortelgids)

\ No newline at end of file diff -u -r -N squid-3.2.0.11/errors/af/ERR_DNS_FAIL squid-3.2.0.12/errors/af/ERR_DNS_FAIL --- squid-3.2.0.11/errors/af/ERR_DNS_FAIL 2011-08-29 03:16:21.000000000 +1200 +++ squid-3.2.0.12/errors/af/ERR_DNS_FAIL 2011-09-16 23:39:44.000000000 +1200 @@ -1 +1 @@ - FOUT: Die aangevraagde URL kon nie verkry word nie

ERROR

The requested URL could not be retrieved


Die volgende fout is teëgekom tydens verkryging van die URL: %U

Kan nie IP-adres vanaf gasheernaam %H bepaal nie

Die DNS-bediener het geantwoord:

%z

This means that the cache was not able to resolve the hostname presented in the URL. Check if the address is correct.

Die kasbediener se administrateur is %w.



\ No newline at end of file + FOUT: Die aangevraagde URL kon nie verkry word nie

ERROR

The requested URL could not be retrieved


Die volgende fout is teëgekom tydens verkryging van die URL: %U

Kan nie IP-adres vanaf gasheernaam %H bepaal nie

Die DNS-bediener het geantwoord:

%z

Dit beteken dat die kasbediener nie in staat was om die gasheernaam in die URL op te los nie. Kyk of die adres korrek is.

Die kasbediener se administrateur is %w.



\ No newline at end of file diff -u -r -N squid-3.2.0.11/errors/af/ERR_FTP_PUT_CREATED squid-3.2.0.12/errors/af/ERR_FTP_PUT_CREATED --- squid-3.2.0.11/errors/af/ERR_FTP_PUT_CREATED 2011-08-29 03:16:24.000000000 +1200 +++ squid-3.2.0.12/errors/af/ERR_FTP_PUT_CREATED 2011-09-16 23:39:47.000000000 +1200 @@ -1 +1 @@ - FTP PUT Successful.

Bewerking suksesvol

Lêer is geskep




\ No newline at end of file + FTP PUT suksesvol.

Bewerking suksesvol

Lêer is geskep




\ No newline at end of file diff -u -r -N squid-3.2.0.11/errors/af/ERR_FTP_PUT_ERROR squid-3.2.0.12/errors/af/ERR_FTP_PUT_ERROR --- squid-3.2.0.11/errors/af/ERR_FTP_PUT_ERROR 2011-08-29 03:16:26.000000000 +1200 +++ squid-3.2.0.12/errors/af/ERR_FTP_PUT_ERROR 2011-09-16 23:39:48.000000000 +1200 @@ -1 +1 @@ - FOUT: FTP upload failed

ERROR

FTP PUT upload failed


'n FTP-protokolfout het voorgekom tydens verkryging van die URL: %U

Squid het die volgende FTP-opdrag gestuur:

%f

Die bediener het geantwoord met:

%F

Dit beteken dat die FTP-bediener dalk nie toestemming of ruimte het om die lêer te stoor nie. Kontroleer die pad, toestemmings, skyfspasie en probeer weer.

Die kasbediener se administrateur is %w.



\ No newline at end of file + FOUT: FTP upload failed

ERROR

FTP PUT-oplaai het misluk


'n FTP-protokolfout het voorgekom tydens verkryging van die URL: %U

Squid het die volgende FTP-opdrag gestuur:

%f

Die bediener het geantwoord met:

%F

Dit beteken dat die FTP-bediener dalk nie toestemming of ruimte het om die lêer te stoor nie. Kontroleer die pad, toestemmings, skyfspasie en probeer weer.

Die kasbediener se administrateur is %w.



\ No newline at end of file diff -u -r -N squid-3.2.0.11/errors/af/ERR_FTP_PUT_MODIFIED squid-3.2.0.12/errors/af/ERR_FTP_PUT_MODIFIED --- squid-3.2.0.11/errors/af/ERR_FTP_PUT_MODIFIED 2011-08-29 03:16:26.000000000 +1200 +++ squid-3.2.0.12/errors/af/ERR_FTP_PUT_MODIFIED 2011-09-16 23:39:48.000000000 +1200 @@ -1 +1 @@ - FTP PUT Successful.

Bewerking suksesvol

Lêer is opgedateer




\ No newline at end of file + FTP PUT suksesvol.

Bewerking suksesvol

Lêer is opgedateer




\ No newline at end of file diff -u -r -N squid-3.2.0.11/errors/af/ERR_ONLY_IF_CACHED_MISS squid-3.2.0.12/errors/af/ERR_ONLY_IF_CACHED_MISS --- squid-3.2.0.11/errors/af/ERR_ONLY_IF_CACHED_MISS 2011-08-29 03:16:32.000000000 +1200 +++ squid-3.2.0.12/errors/af/ERR_ONLY_IF_CACHED_MISS 2011-09-16 23:39:53.000000000 +1200 @@ -1 +1 @@ - FOUT: Die aangevraagde URL kon nie verkry word nie

ERROR

The requested URL could not be retrieved


Die volgende fout is teëgekom tydens verkryging van die URL: %U

Valid document was not found in the cache and only-if-cached directive was specified.

You have issued a request with a only-if-cached cache control directive. The document was not found in the cache, or it required revalidation prohibited by the only-if-cached directive.

Die kasbediener se administrateur is %w.



\ No newline at end of file + FOUT: Die aangevraagde URL kon nie verkry word nie

ERROR

The requested URL could not be retrieved


Die volgende fout is teëgekom tydens verkryging van die URL: %U

Geldige dokument is nie in die kas gevind nie, en only-if-cached is gespesifiseer.

You have issued a request with a only-if-cached cache control directive. The document was not found in the cache, or it required revalidation prohibited by the only-if-cached directive.

Die kasbediener se administrateur is %w.



\ No newline at end of file diff -u -r -N squid-3.2.0.11/errors/af/ERR_SOCKET_FAILURE squid-3.2.0.12/errors/af/ERR_SOCKET_FAILURE --- squid-3.2.0.11/errors/af/ERR_SOCKET_FAILURE 2011-08-29 03:16:35.000000000 +1200 +++ squid-3.2.0.12/errors/af/ERR_SOCKET_FAILURE 2011-09-16 23:39:55.000000000 +1200 @@ -1 +1 @@ - FOUT: Die aangevraagde URL kon nie verkry word nie

ERROR

The requested URL could not be retrieved


Die volgende fout is teëgekom tydens verkryging van die URL: %U

Sokfout

Die stelsel het die volgende teruggestuur: %E

Squid is unable to create a TCP socket, presumably due to excessive load. Please retry your request.

Die kasbediener se administrateur is %w.



\ No newline at end of file + FOUT: Die aangevraagde URL kon nie verkry word nie

ERROR

The requested URL could not be retrieved


Die volgende fout is teëgekom tydens verkryging van die URL: %U

Sokfout

Die stelsel het die volgende teruggestuur: %E

Squid kan nie 'n TCP-sok skep nie, vermoedelik weens hoë lading. Probeer die navraag gerus weer.

Die kasbediener se administrateur is %w.



\ No newline at end of file diff -u -r -N squid-3.2.0.11/errors/af/ERR_UNSUP_REQ squid-3.2.0.12/errors/af/ERR_UNSUP_REQ --- squid-3.2.0.11/errors/af/ERR_UNSUP_REQ 2011-08-29 03:16:37.000000000 +1200 +++ squid-3.2.0.12/errors/af/ERR_UNSUP_REQ 2011-09-16 23:39:57.000000000 +1200 @@ -1 +1 @@ - FOUT: Die aangevraagde URL kon nie verkry word nie

ERROR

The requested URL could not be retrieved


Die volgende fout is teëgekom tydens verkryging van die URL: %U

Unsupported Request Method and Protocol

Squid ondersteun nie alle navraagmetodes vir alle toegangsprotokolle nie. Mens kan by voorbeeld nie 'n Gopher-navraag POST nie.

Die kasbediener se administrateur is %w.



\ No newline at end of file + FOUT: Die aangevraagde URL kon nie verkry word nie

ERROR

The requested URL could not be retrieved


Die volgende fout is teëgekom tydens verkryging van die URL: %U

Niegesteunde versoekmetode en -protokol

Squid ondersteun nie alle navraagmetodes vir alle toegangsprotokolle nie. Mens kan by voorbeeld nie 'n Gopher-navraag POST nie.

Die kasbediener se administrateur is %w.



\ No newline at end of file diff -u -r -N squid-3.2.0.11/helpers/basic_auth/DB/basic_db_auth.8 squid-3.2.0.12/helpers/basic_auth/DB/basic_db_auth.8 --- squid-3.2.0.11/helpers/basic_auth/DB/basic_db_auth.8 2011-08-29 03:38:13.000000000 +1200 +++ squid-3.2.0.12/helpers/basic_auth/DB/basic_db_auth.8 2011-09-16 23:54:03.000000000 +1200 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 1" -.TH BASIC_DB_AUTH 1 "2011-08-28" "perl v5.10.1" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 1 "2011-09-16" "perl v5.10.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.2.0.11/helpers/basic_auth/DB/basic_db_auth.pl.in squid-3.2.0.12/helpers/basic_auth/DB/basic_db_auth.pl.in --- squid-3.2.0.11/helpers/basic_auth/DB/basic_db_auth.pl.in 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/helpers/basic_auth/DB/basic_db_auth.pl.in 2011-09-16 23:37:30.000000000 +1200 @@ -127,6 +127,12 @@ $_dbh = DBI->connect($dsn, $db_user, $db_passwd); if (!defined $_dbh) { warn ("Could not connect to $dsn\n"); + my @driver_names = DBI->available_drivers(); + my $msg = "DSN drivers apparently installed, available:\n"; + foreach my $dn (@driver_names) { + $msg .= "\t$dn"; + } + warn($msg."\n"); return undef; } my $sql_query; diff -u -r -N squid-3.2.0.11/helpers/basic_auth/NCSA/basic_ncsa_auth.cc squid-3.2.0.12/helpers/basic_auth/NCSA/basic_ncsa_auth.cc --- squid-3.2.0.11/helpers/basic_auth/NCSA/basic_ncsa_auth.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/helpers/basic_auth/NCSA/basic_ncsa_auth.cc 2011-09-16 23:37:30.000000000 +1200 
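Review bot: The failure path in basic_db_auth.pl.in still does not log why `DBI->connect` failed; the added driver list only helps when the driver itself is missing. Putting DBI's own error into the first warning, `warn("Could not connect to $dsn: $DBI::errstr\n");`, would cover bad credentials, unreachable hosts and missing drivers alike. Whether `$dsn` can carry anything sensitive depends on how the option is filled in outside this hunk, so it is worth confirming that this output only reaches a log that administrators control. The enclosing sub starts and ends outside the hunk.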
@@ -143,6 +143,9 @@ } else if (strlen(passwd) <= 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) { // Bug 3107: crypt() DES functionality silently truncates long passwords. SEND_OK(""); + } else if (strlen(passwd) > 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) { + // Bug 3107: crypt() DES functionality silently truncates long passwords. + SEND_ERR("Password too long. Only 8 characters accepted."); #endif } else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) { SEND_OK(""); diff -u -r -N squid-3.2.0.11/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.2.0.12/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 --- squid-3.2.0.11/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2011-08-29 03:38:47.000000000 +1200 +++ squid-3.2.0.12/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2011-09-16 23:54:05.000000000 +1200 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL.PL.IN 1" -.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2011-08-28" "perl v5.10.1" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2011-09-16" "perl v5.10.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.2.0.11/include/Array.h squid-3.2.0.12/include/Array.h --- squid-3.2.0.11/include/Array.h 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/include/Array.h 2011-09-16 23:37:30.000000000 +1200 @@ -97,6 +97,8 @@ Vector &operator += (E item) {push_back(item); return *this;}; void insert (E); + const E &front() const; + E &front(); E &back(); E pop_back(); E shift(); // aka pop_front 
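Review bot: The new `strlen(passwd) > 8` branch in basic_ncsa_auth.cc answers with a distinct message exactly when the DES hash of the submitted password matches, so the reply itself confirms that the first eight characters are the stored password. If that text reaches the client (the hunk does not show where SEND_ERR output ends up), the rejection tells the sender as much as the acceptance it replaces. Keeping the reply identical to the ordinary wrong-password branch (outside this hunk) and writing the explanation to the helper's own log would keep the Bug 3107 fix without that signal. Separately, both DES branches pass the result of `crypt()` straight to `strcmp()`, and `crypt()` can return NULL on failure; computing it once, `const char *des = crypt(passwd, u->passwd);`, and testing `des && strcmp(u->passwd, des) == 0` would be safer. The if/else chain starts and ends outside the hunk.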
@@ -251,6 +253,22 @@ } template +const E & +Vector::front() const +{ + assert (size()); + return items[0]; +} + +template +E & +Vector::front() +{ + assert (size()); + return items[0]; +} + +template void Vector::prune(E item) { diff -u -r -N squid-3.2.0.11/include/version.h squid-3.2.0.12/include/version.h --- squid-3.2.0.11/include/version.h 2011-08-29 03:12:23.000000000 +1200 +++ squid-3.2.0.12/include/version.h 2011-09-16 23:38:35.000000000 +1200 @@ -9,7 +9,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1314544159 +#define SQUID_RELEASE_TIME 1316173049 #endif #ifndef APP_SHORTNAME diff -u -r -N squid-3.2.0.11/RELEASENOTES.html squid-3.2.0.12/RELEASENOTES.html --- squid-3.2.0.11/RELEASENOTES.html 2011-08-29 03:42:01.000000000 +1200 +++ squid-3.2.0.12/RELEASENOTES.html 2011-09-16 23:54:10.000000000 +1200 @@ -2,10 +2,10 @@ - Squid 3.2.0.11 release notes + Squid 3.2.0.12 release notes -
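Review bot: Both new `front()` overloads in Array.h rely on `assert (size())` alone before returning `items[0]`, and neither the declarations nor the definitions document that precondition. If the assert macro in use can be compiled out (not visible here), calling `front()` on an empty Vector reads through `items` with no check at all. A one-line comment on the declarations added in the first Array.h hunk would make the contract explicit: `/// first item; the Vector must not be empty`.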

Squid 3.2.0.11 release notes

+

Squid 3.2.0.12 release notes

Squid Developers


@@ -73,7 +73,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-3.2.0.11 for testing.

+

The Squid Team are pleased to announce the release of Squid-3.2.0.12 for testing.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.2/ or the mirrors.

diff -u -r -N squid-3.2.0.11/src/AccessLogEntry.h squid-3.2.0.12/src/AccessLogEntry.h --- squid-3.2.0.11/src/AccessLogEntry.h 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/AccessLogEntry.h 2011-09-16 23:37:30.000000000 +1200 @@ -39,6 +39,7 @@ #if ICAP_CLIENT #include "adaptation/icap/Elements.h" #endif +#include "ProtoPort.h" /* forward decls */ class HttpReply; @@ -148,6 +149,7 @@ const char *ssluser; #endif + http_port_list *port; } cache; diff -u -r -N squid-3.2.0.11/src/adaptation/icap/Elements.cc squid-3.2.0.12/src/adaptation/icap/Elements.cc --- squid-3.2.0.11/src/adaptation/icap/Elements.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/adaptation/icap/Elements.cc 2011-09-16 23:37:30.000000000 +1200 @@ -8,6 +8,7 @@ { const XactOutcome xoUnknown = "ICAP_ERR_UNKNOWN"; +const XactOutcome xoGone = "ICAP_ERR_GONE"; const XactOutcome xoRace = "ICAP_ERR_RACE"; const XactOutcome xoError = "ICAP_ERR_OTHER"; const XactOutcome xoOpt = "ICAP_OPT"; diff -u -r -N squid-3.2.0.11/src/adaptation/icap/Elements.h squid-3.2.0.12/src/adaptation/icap/Elements.h --- squid-3.2.0.11/src/adaptation/icap/Elements.h 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/adaptation/icap/Elements.h 2011-09-16 23:37:30.000000000 +1200 @@ -64,6 +64,7 @@ typedef const char *XactOutcome; ///< transaction result for logging extern const XactOutcome xoUnknown; ///< initial value: outcome was not set +extern const XactOutcome xoGone; ///< initiator gone, will not continue extern const XactOutcome xoRace; ///< ICAP server closed pconn when we started extern const XactOutcome xoError; ///< all kinds of transaction errors extern const XactOutcome xoOpt; ///< OPTION transaction diff -u -r -N squid-3.2.0.11/src/adaptation/icap/ServiceRep.cc squid-3.2.0.12/src/adaptation/icap/ServiceRep.cc --- squid-3.2.0.11/src/adaptation/icap/ServiceRep.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/adaptation/icap/ServiceRep.cc 2011-09-16 23:37:30.000000000 +1200 
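Review bot: The new `http_port_list *port;` member in AccessLogEntry.h is added without a visible initialiser, and the constructor that sets the neighbouring fields is outside the hunk. If it is not set to NULL there, any code that tests `port` before use would read an indeterminate pointer for entries that never had a listening port assigned. The member also needs a comment saying who owns the object and how long it stays valid, for example `http_port_list *port; ///< listening port of the client connection; not owned (TODO: confirm lifetime across reconfigure)`. Since only a pointer is stored, a forward declaration might replace the new `#include "ProtoPort.h"`, depending on what else this header needs.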
@@ -115,7 +115,7 @@ } // pools connection if it is reusable or closes it -void Adaptation::Icap::ServiceRep::putConnection(const Comm::ConnectionPointer &conn, bool isReusable, const char *comment) +void Adaptation::Icap::ServiceRep::putConnection(const Comm::ConnectionPointer &conn, bool isReusable, bool sendReset, const char *comment) { Must(Comm::IsConnOpen(conn)); // do not pool an idle connection if we owe connections @@ -124,9 +124,14 @@ commUnsetConnTimeout(conn); theIdleConns->push(conn); } else { - debugs(93, 3, HERE << "closing pconn" << comment); - // comm_close will clear timeout - conn->close(); + debugs(93, 3, HERE << (sendReset ? "RST" : "FIN") << "-closing " << + comment); + // comm_close called from Connection::close will clear timeout + // TODO: add "bool sendReset = false" to Connection::close()? + if (sendReset) + comm_reset_close(conn); + else + conn->close(); } Must(theBusyConns > 0); diff -u -r -N squid-3.2.0.11/src/adaptation/icap/ServiceRep.h squid-3.2.0.12/src/adaptation/icap/ServiceRep.h --- squid-3.2.0.11/src/adaptation/icap/ServiceRep.h 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/adaptation/icap/ServiceRep.h 2011-09-16 23:37:30.000000000 +1200 @@ -111,7 +111,7 @@ bool allows204() const; bool allows206() const; Comm::ConnectionPointer getConnection(bool isRetriable, bool &isReused); - void putConnection(const Comm::ConnectionPointer &conn, bool isReusable, const char *comment); + void putConnection(const Comm::ConnectionPointer &conn, bool isReusable, bool sendReset, const char *comment); void noteConnectionUse(const Comm::ConnectionPointer &conn); void noteConnectionFailed(const char *comment); diff -u -r -N squid-3.2.0.11/src/adaptation/icap/Xaction.cc squid-3.2.0.12/src/adaptation/icap/Xaction.cc --- squid-3.2.0.11/src/adaptation/icap/Xaction.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/adaptation/icap/Xaction.cc 2011-09-16 23:37:30.000000000 +1200 
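Review bot: The comment above `putConnection()` in ServiceRep.cc still reads "pools connection if it is reusable or closes it" and says nothing about the new `sendReset` argument, which is ignored on the branch that pools the connection. With two adjacent `bool` parameters a swapped call compiles cleanly, so the contract should be written down: `// pools the connection if it is reusable; otherwise closes it, with RST instead of FIN when sendReset is set`. The new debugs() line also drops the word "pconn" and prints `comment` directly after "-closing ", which may change what existing log searches match. The function body continues outside the second hunk.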
@@ -204,8 +204,11 @@ if (reuseConnection) disableRetries(); + const bool reset = !reuseConnection && + (al.icap.outcome == xoGone || al.icap.outcome == xoError); + Adaptation::Icap::ServiceRep &s = service(); - s.putConnection(connection, reuseConnection, status()); + s.putConnection(connection, reuseConnection, reset, status()); writer = NULL; reader = NULL; @@ -476,8 +479,10 @@ { if (theInitiator.set()) { + debugs(93,4, HERE << "Initiator gone before ICAP transaction ended"); clearInitiator(); detailError(ERR_DETAIL_ICAP_INIT_GONE); + setOutcome(xoGone); mustStop("initiator aborted"); } diff -u -r -N squid-3.2.0.11/src/auth/basic/UserRequest.cc squid-3.2.0.12/src/auth/basic/UserRequest.cc --- squid-3.2.0.11/src/auth/basic/UserRequest.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/auth/basic/UserRequest.cc 2011-09-16 23:37:30.000000000 +1200 @@ -140,7 +140,7 @@ BasicAuthQueueNode *tmpnode; char *t = NULL; void *cbdata; - debugs(29, 9, HERE << "{" << (reply ? reply : "") << "}"); + debugs(29, 5, HERE << "{" << (reply ? reply : "") << "}"); if (reply) { if ((t = strchr(reply, ' '))) diff -u -r -N squid-3.2.0.11/src/base/Makefile.am squid-3.2.0.12/src/base/Makefile.am --- squid-3.2.0.11/src/base/Makefile.am 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/base/Makefile.am 2011-09-16 23:37:30.000000000 +1200 @@ -15,6 +15,8 @@ TidyPointer.h \ CbcPointer.h \ InstanceId.h \ + RunnersRegistry.cc \ + RunnersRegistry.h \ Subscription.h \ TextException.cc \ TextException.h diff -u -r -N squid-3.2.0.11/src/base/Makefile.in squid-3.2.0.12/src/base/Makefile.in --- squid-3.2.0.11/src/base/Makefile.in 2011-08-29 03:11:51.000000000 +1200 +++ squid-3.2.0.12/src/base/Makefile.in 2011-09-16 23:38:18.000000000 +1200 
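Review bot: `al.icap.outcome == xoGone || al.icap.outcome == xoError` in the first Xaction.cc hunk compares pointers, since Elements.h in this same patch declares `XactOutcome` as `const char *`. That is correct only while every outcome is assigned from the `xo*` constants themselves; a value copied or built elsewhere with the same text would not match, and the connection would then be closed with FIN instead of RST. A short comment at the comparison would record the assumption: `// XactOutcome values are compared by address; always assign the xo* constants`. The enclosing function starts and ends outside the hunk.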
@@ -57,7 +57,7 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) libbase_la_LIBADD = am_libbase_la_OBJECTS = AsyncCall.lo AsyncJob.lo AsyncCallQueue.lo \ - TextException.lo + RunnersRegistry.lo TextException.lo libbase_la_OBJECTS = $(am_libbase_la_OBJECTS) DEFAULT_INCLUDES = depcomp = $(SHELL) $(top_srcdir)/cfgaux/depcomp @@ -320,6 +320,8 @@ TidyPointer.h \ CbcPointer.h \ InstanceId.h \ + RunnersRegistry.cc \ + RunnersRegistry.h \ Subscription.h \ TextException.cc \ TextException.h @@ -388,6 +390,7 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/AsyncCall.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/AsyncCallQueue.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/AsyncJob.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/RunnersRegistry.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/TextException.Plo@am__quote@ .cc.o: diff -u -r -N squid-3.2.0.11/src/base/RunnersRegistry.cc squid-3.2.0.12/src/base/RunnersRegistry.cc --- squid-3.2.0.11/src/base/RunnersRegistry.cc 1970-01-01 12:00:00.000000000 +1200 +++ squid-3.2.0.12/src/base/RunnersRegistry.cc 2011-09-16 23:37:30.000000000 +1200 
@@ -0,0 +1,58 @@ +#include "config.h" +#include "base/RunnersRegistry.h" +#include +#include + +typedef std::list Runners; +typedef std::map Registries; + +/// all known registries +static Registries *TheRegistries = NULL; + +/// returns the requested runners list, initializing structures as needed +static Runners & +GetRunners(const RunnerRegistry ®istryId) +{ + if (!TheRegistries) + TheRegistries = new Registries; + + if (TheRegistries->find(registryId) == TheRegistries->end()) + (*TheRegistries)[registryId] = new Runners; + + return *(*TheRegistries)[registryId]; +} + +int +RegisterRunner(const RunnerRegistry ®istryId, RegisteredRunner *rr) +{ + Runners &runners = GetRunners(registryId); + runners.push_back(rr); + return runners.size(); +} + +int +ActivateRegistered(const RunnerRegistry ®istryId) +{ + Runners &runners = GetRunners(registryId); + typedef Runners::iterator RRI; + for (RRI i = runners.begin(); i != runners.end(); ++i) + (*i)->run(registryId); + return runners.size(); +} + +void +DeactivateRegistered(const RunnerRegistry ®istryId) +{ + Runners &runners = GetRunners(registryId); + typedef Runners::iterator RRI; + while (!runners.empty()) { + delete runners.back(); + runners.pop_back(); + } +} + +bool +UseThisStatic(const void *) +{ + return true; +} diff -u -r -N squid-3.2.0.11/src/base/RunnersRegistry.h squid-3.2.0.12/src/base/RunnersRegistry.h --- squid-3.2.0.11/src/base/RunnersRegistry.h 1970-01-01 12:00:00.000000000 +1200 +++ squid-3.2.0.12/src/base/RunnersRegistry.h 2011-09-16 23:37:30.000000000 +1200 
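Review bot: `DeactivateRegistered()` in RunnersRegistry.cc declares `typedef Runners::iterator RRI;` and never uses it, so the line can go. `RegisterRunner()` and `ActivateRegistered()` return `runners.size()` through an `int`, which narrows implicitly; `return static_cast<int>(runners.size());` states the intent. `RegisterRunner()` also stores `rr` unchecked, so a NULL registration would only surface later inside `ActivateRegistered()`; rejecting it at registration time would put the failure next to its cause.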
@@ -0,0 +1,61 @@ +#ifndef SQUID_BASE_RUNNERSREGISTRY_H +#define SQUID_BASE_RUNNERSREGISTRY_H + +/** + * This API allows virtually any module to register with a well-known registry, + * be activated by some central processor at some registry-specific time, and + * be deactiveated by some central processor at some registry-specific time. + * + * For example, main.cc may activate registered I/O modules after parsing + * squid.conf and deactivate them before exiting. + * + * A module in this context is code providing a functionality or service to the + * rest of Squid, such as src/DiskIO/Blocking, src/fs/ufs, or Cache Manager. A + * module must declare a RegisteredRunner child class to implement activation and + * deactivation logic using the run() method and destructor, respectively. + * + * This API allows the registry to determine the right [de]activation time for + * each group of similar modules, without knowing any module specifics. + * + */ + +/// well-known registries +typedef enum { + /// managed by main.cc; activated after parsing squid.conf and + /// deactivated before freeing configuration-related memory or exit()-ing + rrAfterConfig, + + rrEnd ///< not a real registry, just a label to mark the end of enum +} RunnerRegistry; + +/// a runnable registrant API +class RegisteredRunner +{ +public: + // called when this runner's registry is deactivated + virtual ~RegisteredRunner() {} + + // called when this runner's registry is activated + virtual void run(const RunnerRegistry &r) = 0; +}; + + +/// registers a given runner with the given registry and returns registry count +int RegisterRunner(const RunnerRegistry ®istry, RegisteredRunner *rr); + +/// calls run() methods of all runners in the given registry +int ActivateRegistered(const RunnerRegistry ®istry); +/// deletes all runners in the given registry +void DeactivateRegistered(const RunnerRegistry ®istry); + + +/// convenience function to "use" an otherwise unreferenced static variable +bool 
UseThisStatic(const void *); + +/// convenience macro: register one RegisteredRunner kid as early as possible +#define RunnerRegistrationEntry(Registry, Who) \ + static const bool Who ## _RegisteredWith_ ## Registry = \ + RegisterRunner(Registry, new Who) > 0 && \ + UseThisStatic(& Who ## _RegisteredWith_ ## Registry); + +#endif /* SQUID_BASE_RUNNERSREGISTRY_H */ diff -u -r -N squid-3.2.0.11/src/cf.data.pre squid-3.2.0.12/src/cf.data.pre --- squid-3.2.0.11/src/cf.data.pre 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/cf.data.pre 2011-09-16 23:37:30.000000000 +1200 @@ -1164,18 +1164,23 @@ LOC: Config.accessList.miss DEFAULT: none DOC_START - Use to force your neighbors to use you as a sibling instead of - a parent. For example: + Determins whether network access is permitted when satisfying a request. + + For example; + to force your neighbors to use you as a sibling instead of + a parent. acl localclients src 172.16.0.0/16 miss_access allow localclients miss_access deny !localclients - This means only your local clients are allowed to fetch - MISSES and all other clients can only fetch HITS. + This means only your local clients are allowed to fetch relayed/MISS + replies from the network and all other clients can only fetch cached + objects (HITs). - By default, allow all clients who passed the http_access rules - to fetch MISSES from us. + + The default for this setting allows all clients who passed the + http_access rules to relay via this proxy. This clause only supports fast acl types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -2869,8 +2874,12 @@ ' output as-is - left aligned - width field width. If starting with 0 the - output is zero padded + + width minimum and/or maximum field width: + [width_min][.width_max] + When minimum starts with 0, the field is zero-padded. + String values exceeding maximum width are truncated. + {arg} argument such as header name etc Format codes: 
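Review bot: The comment on `RegisterRunner()` in RunnersRegistry.h does not say that the registry takes ownership of `rr`, although `DeactivateRegistered()` in RunnersRegistry.cc deletes every registered runner. A caller that registers a static or stack object would have it deleted at deactivation. Suggested wording: `/// registers a given runner with the given registry and returns registry count; the registry owns rr from here on and deletes it in DeactivateRegistered()`. The `RunnerRegistrationEntry` macro pastes `Who` into an identifier, so it accepts only an unqualified class name, which is worth one line in its comment as well. The file comment also has a typo, "deactiveated".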
@@ -2890,6 +2899,9 @@ >la Local IP address the client connected to >lp Local port number the client connected to + la Local listening IP address the client connection was connected to. + lp Local listening port number the client connection was connected to. + a %Ss/%03>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh logformat referrer %ts.%03tu %>a %{Referer}>h %ru logformat useragent %>a [%tl] "%{User-Agent}>h" @@ -3690,12 +3702,20 @@ DEFAULT: on LOC: Config.onoff.redir_rewrites_host DOC_START - By default Squid rewrites any Host: header in redirected - requests. If you are running an accelerator this may - not be a wanted effect of a redirector. - + To preserve same-origin security policies in browsers and + prevent Host: header forgery by redirectors Squid rewrites + any Host: header in redirected requests. + + If you are running an accelerator this may not be a wanted + effect of a redirector. This directive enables you disable + Host: alteration in reverse-proxy traffic. + WARNING: Entries are cached on the result of the URL rewriting process, so be careful if you have domain-virtual hosts. + + WARNING: Squid and other software verifies the URL and Host + are matching, so be careful not to relay through other proxies + or inspecting firewalls with this disabled. DOC_END NAME: url_rewrite_access redirector_access 
@@ -6563,11 +6583,12 @@ returning a chain of services to be used next. The services are specified using the X-Next-Services ICAP response header value, formatted as a comma-separated list of service names. - Each named service should be configured in squid.conf and - should have the same method and vectoring point as the current - ICAP transaction. Services violating these rules are ignored. - An empty X-Next-Services value results in an empty plan which - ends the current adaptation. + Each named service should be configured in squid.conf. Other + services are ignored. An empty X-Next-Services value results + in an empty plan which ends the current adaptation. + + Dynamic adaptation plan may cross or cover multiple supported + vectoring points in their natural processing order. Routing is not allowed by default: the ICAP X-Next-Services response header is ignored. @@ -7094,6 +7115,7 @@ TYPE: onoff LOC: Config.onoff.ignore_unknown_nameservers DEFAULT: on +IFDEF: !USE_DNSSERVERS DOC_START By default Squid checks that DNS responses are received from the same IP addresses they are sent to. If they @@ -7106,6 +7128,7 @@ TYPE: onoff DEFAULT: on LOC: Config.onoff.dns_require_A +IFDEF: !USE_DNSSERVERS DOC_START Standard practice with DNS is to lookup either A or AAAA records and use the results if it succeeds. Only looking up the other if 
@@ -7356,10 +7379,16 @@ LOC: Config.retry.onerror DEFAULT: off DOC_START - If set to on Squid will automatically retry requests when - receiving an error response. This is mainly useful if you - are in a complex cache hierarchy to work around access - control errors. + If set to ON Squid will automatically retry requests when + receiving an error response with status 403 (Forbidden), + 500 (Internal Error), 501 or 503 (Service not available). + Status 502 and 504 (Gateway errors) are always retried. + + This is mainly useful if you are in a complex cache hierarchy to + work around access control errors. + + NOTE: This retry will attempt to find another working destination. + Which is different from the server which just failed. DOC_END NAME: as_whois_server diff -u -r -N squid-3.2.0.11/src/client_side.cc squid-3.2.0.12/src/client_side.cc --- squid-3.2.0.11/src/client_side.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/client_side.cc 2011-09-16 23:37:30.000000000 +1200 @@ -640,7 +640,10 @@ al.cache.caddr.SetNoAddr(); - if (getConn() != NULL) al.cache.caddr = getConn()->log_addr; + if (getConn() != NULL) { + al.cache.caddr = getConn()->log_addr; + al.cache.port = cbdataReference(getConn()->port); + } al.cache.requestSize = req_sz; al.cache.requestHeadersSize = req_sz; @@ -2011,6 +2014,9 @@ if (internalCheck(url)) { /* prepend our name & port */ http->uri = xstrdup(internalLocalUri(NULL, url)); + // We just re-wrote the URL. Must replace the Host: header. + // But have not parsed there yet!! flag for local-only handling. + http->flags.internal = 1; return; } 
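Review bot: The flag set in the `internalCheck(url)` branch is `http->flags.internal`, while the Host verification skip added in client_side_request.cc tests `http->request->flags.internal`; the step that carries one into the other is not in this hunk, so a reader cannot see the link from here. Because this flag ends up disabling the Host header forgery check for the request, the comment should say so, e.g. `// NOTE: hostHeaderVerify() skips Host validation for internal requests; this flag must reach request->flags.internal`. The enclosing function starts and ends outside the hunk.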
@@ -3420,7 +3426,7 @@ if (!(ssl = httpsCreate(details, sslContext))) return; - debugs(33, 5, HERE << details << " accepted, starting SSL negotiation."); + debugs(33, 4, HERE << details << " accepted, starting SSL negotiation."); fd_note(details->fd, "client https connect"); if (s->http.tcp_keepalive.enabled) { diff -u -r -N squid-3.2.0.11/src/client_side_request.cc squid-3.2.0.12/src/client_side_request.cc --- squid-3.2.0.11/src/client_side_request.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/client_side_request.cc 2011-09-16 23:37:30.000000000 +1200 @@ -552,8 +552,10 @@ void ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B) { - debugs(85, 1, "SECURITY ALERT: Host: header forgery detected from " << http->getConn()->clientConnection << - " (" << A << " does not match " << B << ")"); + debugs(85, DBG_IMPORTANT, "SECURITY ALERT: Host header forgery detected on " << + http->getConn()->clientConnection << " (" << A << " does not match " << B << ")"); + debugs(85, DBG_IMPORTANT, "SECURITY ALERT: By user agent: " << http->request->header.getStr(HDR_USER_AGENT)); + debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " << urlCanonical(http->request)); // IP address validation for Host: failed. reject the connection. clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data; @@ -579,7 +581,6 @@ { // Require a Host: header. const char *host = http->request->header.getStr(HDR_HOST); - char *hostB = NULL; if (!host) { // TODO: dump out the HTTP/1.1 error about missing host header. 
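Review bot: `http->request->header.getStr(HDR_USER_AGENT)` in the second new `debugs()` line of hostHeaderVerifyFailed() can return NULL when the header is absent (the Host lookup in the next hunk tests for exactly that), and streaming a null `const char *` into the debug stream is undefined behaviour. Guard it with `const char *ua = http->request->header.getStr(HDR_USER_AGENT);` and `debugs(85, DBG_IMPORTANT, "SECURITY ALERT: By user agent: " << (ua ? ua : "-"));`. Both the User-Agent and the URL are client-supplied and are now written at DBG_IMPORTANT, three lines per rejected request, so anything that consumes the debug log should treat them as untrusted text.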
@@ -589,32 +590,34 @@ return; } + if (http->request->flags.internal) { + // TODO: kill this when URL handling allows partial URLs out of accel mode + // and we no longer screw with the URL just to add our internal host there + debugs(85, 6, HERE << "validate skipped due to internal composite URL."); + http->doCallouts(); + return; + } + // Locate if there is a port attached, strip ready for IP lookup char *portStr = NULL; - uint16_t port = 0; + char *hostB = xstrdup(host); + host = hostB; if (host[0] == '[') { // IPv6 literal. - // check for a port? - hostB = xstrdup(host+1); portStr = strchr(hostB, ']'); - if (!portStr) { - safe_free(hostB); // well, that wasn't an IPv6 literal. - } else { - *portStr = '\0'; - if (*(++portStr) == ':') - port = xatoi(++portStr); - else - portStr=NULL; // no port to check. + if (portStr && *(++portStr) != ':') { + portStr = NULL; } - if (hostB) - host = hostB; // point host at the local version for lookup - } else if (strrchr(host, ':') != NULL) { + } else { // Domain or IPv4 literal with port - hostB = xstrdup(host); portStr = strrchr(hostB, ':'); - *portStr = '\0'; - port = xatoi(++portStr); - host = hostB; // point host at the local version for lookup + } + + uint16_t port = 0; + if (portStr) { + *portStr = '\0'; // strip the ':' + if (*(++portStr) != '\0') + port = xatoi(portStr); } debugs(85, 3, HERE << "validate host=" << host << ", port=" << port << ", portStr=" << (portStr?portStr:"NULL")); 
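Review bot: The port taken from the Host header is converted with `xatoi(portStr)` and stored straight into a `uint16_t`, with no check that the text is numeric or within 1–65535. Host is client-supplied, so a malformed or oversized value either wraps silently into a different port or depends on whatever xatoi() does with bad input (not visible here), and the port is part of what this function verifies. I would parse it strictly and treat a bad port as "no port", putting the ':' back so the later host comparison fails. The rest of hostHeaderVerify(), including where `hostB` is released now that it is always allocated, lies outside the hunk.

```cpp
    // … unchanged: port declaration and stripping of the ':' …
    if (*(++portStr) != '\0') {
        // Host: is client-supplied; accept only a decimal port in 1..65535
        char *end = NULL;
        const long parsed = strtol(portStr, &end, 10);
        if (end == portStr || *end != '\0' || parsed < 1 || parsed > 65535) {
            // not a valid port: restore the ':' so host keeps the bogus suffix
            *(--portStr) = ':';
            portStr = NULL;
        } else {
            port = static_cast<uint16_t>(parsed);
        }
    }
    // … unchanged: debugs(85, 3, …) and the verification branches …
```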
@@ -630,7 +633,11 @@ // verify the destination DNS is one of the Host: headers IPs ipcache_nbgethostbyname(host, hostHeaderIpVerifyWrapper, this); } - } else if (strcmp(host, http->request->GetHost()) != 0) { + } else if (strlen(host) != strlen(http->request->GetHost())) { + // Verify forward-proxy requested URL domain matches the Host: header + debugs(85, 3, HERE << "FAIL on validate URL domain length " << http->request->GetHost() << " matches Host: " << host); + hostHeaderVerifyFailed(host, http->request->GetHost()); + } else if (matchDomainName(host, http->request->GetHost()) != 0) { // Verify forward-proxy requested URL domain matches the Host: header debugs(85, 3, HERE << "FAIL on validate URL domain " << http->request->GetHost() << " matches Host: " << host); hostHeaderVerifyFailed(host, http->request->GetHost()); @@ -863,7 +870,7 @@ void ClientRequestContext::clientRedirectStart() { - debugs(33, 5, "clientRedirectStart: '" << http->uri << "'"); + debugs(33, 5, HERE << "'" << http->uri << "'"); if (Config.accessList.redirector) { acl_checklist = clientAclChecklistCreate(Config.accessList.redirector, http); diff -u -r -N squid-3.2.0.11/src/comm/Connection.cc squid-3.2.0.12/src/comm/Connection.cc --- squid-3.2.0.11/src/comm/Connection.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/comm/Connection.cc 2011-09-16 23:37:30.000000000 +1200 
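Review bot: The new `strlen(host) != strlen(http->request->GetHost())` branch carries the same comment as the `matchDomainName()` branch after it, so nothing explains why a length test has to come first. If the reason is that matchDomainName() can accept more than an exact match (for example sub-domain matching), say so: `// matchDomainName() may accept more than an exact name; require equal length first so only a same-length match passes`. The debug text `"FAIL on validate URL domain length ... matches Host: "` also reads as if the values matched; "does not match" would be clearer in both branches. The enclosing if/else chain begins outside the hunk.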
@@ -26,11 +26,9 @@ static int64_t lost_conn = 0; Comm::Connection::~Connection() { - assert(fd < 0); // These should never occur now. - if (fd >= 0) { - debugs(5, 0, "NOTE: Orphan Comm::Connection: " << *this); - debugs(5, 0, "NOTE: Orphaned Comm::Connections: " << ++lost_conn); + debugs(5, 0, "BUG: Orphan Comm::Connection: " << *this); + debugs(5, 0, "NOTE: " << ++lost_conn << " Orphans since last started."); close(); } diff -u -r -N squid-3.2.0.11/src/comm/ModDevPoll.cc squid-3.2.0.12/src/comm/ModDevPoll.cc --- squid-3.2.0.11/src/comm/ModDevPoll.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/comm/ModDevPoll.cc 2011-09-16 23:37:30.000000000 +1200 @@ -247,13 +247,9 @@ Comm::SetSelect(int fd, unsigned int type, PF * handler, void *client_data, time_t timeout) { assert(fd >= 0); - debugs( - 5, - DEBUG_DEVPOLL ? 0 : 8, - HERE << "FD " << fd << ",type=" << type - << ",handler=" << handler << ",client_data=" << client_data - << ",timeout=" << timeout << ")" - ); + debugs(5, 5, HERE << "FD " << fd << ", type=" << type << + ", handler=" << handler << ", client_data=" << client_data << + ", timeout=" << timeout); /* POLLIN/POLLOUT are defined in */ fde *F = &fd_table[fd]; diff -u -r -N squid-3.2.0.11/src/comm/ModEpoll.cc squid-3.2.0.12/src/comm/ModEpoll.cc --- squid-3.2.0.11/src/comm/ModEpoll.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/comm/ModEpoll.cc 2011-09-16 23:37:30.000000000 +1200 @@ -132,7 +132,7 @@ struct epoll_event ev; assert(fd >= 0); - debugs(5, DEBUG_EPOLL ? 0 : 8, HERE << "FD " << fd << ", type=" << type << + debugs(5, 5, HERE << "FD " << fd << ", type=" << type << ", handler=" << handler << ", client_data=" << client_data << ", timeout=" << timeout); diff -u -r -N squid-3.2.0.11/src/comm/ModKqueue.cc squid-3.2.0.12/src/comm/ModKqueue.cc --- squid-3.2.0.11/src/comm/ModKqueue.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/comm/ModKqueue.cc 2011-09-16 23:37:30.000000000 +1200 
@@ -194,6 +194,9 @@ fde *F = &fd_table[fd]; assert(fd >= 0); assert(F->flags.open); + debugs(5, 5, HERE << "FD " << fd << ", type=" << type << + ", handler=" << handler << ", client_data=" << client_data << + ", timeout=" << timeout); if (type & COMM_SELECT_READ) { kq_update_events(fd, EVFILT_READ, handler); diff -u -r -N squid-3.2.0.11/src/comm/ModPoll.cc squid-3.2.0.12/src/comm/ModPoll.cc --- squid-3.2.0.11/src/comm/ModPoll.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/comm/ModPoll.cc 2011-09-16 23:37:30.000000000 +1200 @@ -144,7 +144,9 @@ fde *F = &fd_table[fd]; assert(fd >= 0); assert(F->flags.open); - debugs(5, 5, "commSetSelect: FD " << fd << " type " << type); + debugs(5, 5, HERE << "FD " << fd << ", type=" << type << + ", handler=" << handler << ", client_data=" << client_data << + ", timeout=" << timeout); if (type & COMM_SELECT_READ) { F->read_handler = handler; @@ -513,7 +515,7 @@ } if (revents & (POLLWRNORM | POLLOUT | POLLHUP | POLLERR)) { - debugs(5, 5, "comm_poll: FD " << fd << " ready for writing"); + debugs(5, 6, "comm_poll: FD " << fd << " ready for writing"); if ((hdl = F->write_handler)) { PROF_start(comm_write_handler); diff -u -r -N squid-3.2.0.11/src/comm/ModSelect.cc squid-3.2.0.12/src/comm/ModSelect.cc --- squid-3.2.0.11/src/comm/ModSelect.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/comm/ModSelect.cc 2011-09-16 23:37:30.000000000 +1200 @@ -139,7 +139,9 @@ fde *F = &fd_table[fd]; assert(fd >= 0); assert(F->flags.open); - debugs(5, 5, HERE << "FD " << fd << " type " << type); + debugs(5, 5, HERE << "FD " << fd << ", type=" << type << + ", handler=" << handler << ", client_data=" << client_data << + ", timeout=" << timeout); if (type & COMM_SELECT_READ) { F->read_handler = handler; 
@@ -585,7 +587,7 @@ } F = &fd_table[fd]; - debugs(5, 5, "comm_select: FD " << fd << " ready for writing"); + debugs(5, 6, "comm_select: FD " << fd << " ready for writing"); if ((hdl = F->write_handler)) { F->write_handler = NULL; diff -u -r -N squid-3.2.0.11/src/comm/ModSelectWin32.cc squid-3.2.0.12/src/comm/ModSelectWin32.cc --- squid-3.2.0.11/src/comm/ModSelectWin32.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/comm/ModSelectWin32.cc 2011-09-16 23:37:30.000000000 +1200 @@ -138,7 +138,9 @@ fde *F = &fd_table[fd]; assert(fd >= 0); assert(F->flags.open); - debugs(5, 5, "commSetSelect: FD " << fd << " type " << type); + debugs(5, 5, HERE << "FD " << fd << ", type=" << type << + ", handler=" << handler << ", client_data=" << client_data << + ", timeout=" << timeout); if (type & COMM_SELECT_READ) { F->read_handler = handler; @@ -608,7 +610,7 @@ } F = &fd_table[fd]; - debugs(5, 5, "comm_select: FD " << fd << " ready for writing"); + debugs(5, 6, "comm_select: FD " << fd << " ready for writing"); if ((hdl = F->write_handler)) { F->write_handler = NULL; diff -u -r -N squid-3.2.0.11/src/comm.cc squid-3.2.0.12/src/comm.cc --- squid-3.2.0.11/src/comm.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/comm.cc 2011-09-16 23:37:30.000000000 +1200 @@ -106,7 +106,7 @@ bool isOpen(const int fd) { - return fd >= 0 && fd_table[fd].flags.open != 0; + return fd >= 0 && fd_table && fd_table[fd].flags.open != 0; } /** @@ -1021,7 +1021,7 @@ * closed, TCP generates a RESET */ void -comm_reset_close(Comm::ConnectionPointer &conn) +comm_reset_close(const Comm::ConnectionPointer &conn) { struct linger L; L.l_onoff = 1; diff -u -r -N squid-3.2.0.11/src/comm.h squid-3.2.0.12/src/comm.h --- squid-3.2.0.11/src/comm.h 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/comm.h 2011-09-16 23:37:30.000000000 +1200 
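Review bot: `isOpen()` in comm.cc now guards against a negative fd and a missing `fd_table`, but it still indexes `fd_table[fd]` with no upper bound. If any caller can pass a descriptor number at or beyond the table size, that is an out-of-bounds read; assuming the table is sized by `Squid_MaxFD`, the check would be `return fd >= 0 && fd < Squid_MaxFD && fd_table && fd_table[fd].flags.open != 0;`. A short comment on when `fd_table` can be NULL here (presumably before comm is initialised or after it is torn down) would also help the next reader.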
@@ -19,7 +19,7 @@ extern void _comm_close(int fd, char const *file, int line); #define comm_close(x) (_comm_close((x), __FILE__, __LINE__)) SQUIDCEXTERN void old_comm_reset_close(int fd); -SQUIDCEXTERN void comm_reset_close(Comm::ConnectionPointer &conn); +SQUIDCEXTERN void comm_reset_close(const Comm::ConnectionPointer &conn); #if LINGERING_CLOSE SQUIDCEXTERN void comm_lingering_close(int fd); #endif diff -u -r -N squid-3.2.0.11/src/errorpage.cc squid-3.2.0.12/src/errorpage.cc --- squid-3.2.0.11/src/errorpage.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/errorpage.cc 2011-09-16 23:37:30.000000000 +1200 @@ -485,15 +485,15 @@ self_destruct(); } else if ( /* >= 200 && */ info->page_redirect < 300 && strchr(&(page_name[4]), ':')) { // 2xx require a local template file - debugs(0, DBG_CRITICAL, "FATAL: status " << info->page_redirect << " is not valid on '" << page_name << "'"); + debugs(0, DBG_CRITICAL, "FATAL: status " << info->page_redirect << " requires a template on '" << page_name << "'"); self_destruct(); - } else if (/* >= 300 && */ info->page_redirect <= 399 && !strchr(&(page_name[4]), ':')) { + } else if (info->page_redirect >= 300 && info->page_redirect <= 399 && !strchr(&(page_name[4]), ':')) { // 3xx require an absolute URL - debugs(0, DBG_CRITICAL, "FATAL: status " << info->page_redirect << " is not valid on '" << page_name << "'"); + debugs(0, DBG_CRITICAL, "FATAL: status " << info->page_redirect << " requires a URL on '" << page_name << "'"); self_destruct(); } else if (info->page_redirect >= 400 /* && <= 599 */ && strchr(&(page_name[4]), ':')) { // 4xx/5xx require a local template file - debugs(0, DBG_CRITICAL, "FATAL: status " << info->page_redirect << " is not valid on '" << page_name << "'"); + debugs(0, DBG_CRITICAL, "FATAL: status " << info->page_redirect << " requires a template on '" << page_name << "'"); self_destruct(); } // else okay. 
@@ -892,8 +892,8 @@ break; case 'I': - if (request && request->hier.host[0] != '\0') // if non-empty string - mb.Printf("%s", request->hier.host); + if (request && request->hier.tcpServer != NULL) + p = request->hier.tcpServer->remote.NtoA(ntoabuf,MAX_IPSTRLEN); else if (!building_deny_info_url) p = "[unknown]"; break; diff -u -r -N squid-3.2.0.11/src/filemap.cc squid-3.2.0.12/src/filemap.cc --- squid-3.2.0.11/src/filemap.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/filemap.cc 2011-09-16 23:37:30.000000000 +1200 @@ -76,6 +76,7 @@ assert(fm->max_n_files <= (1 << 24)); /* swap_filen is 25 bits, signed */ fm->nwords = fm->max_n_files >> LONG_BIT_SHIFT; debugs(8, 3, "file_map_grow: creating space for " << fm->max_n_files << " files"); + debugs(8, 5, "--> " << fm->nwords << " words of " << sizeof(*fm->file_map) << " bytes each"); fm->file_map = (unsigned long *)xcalloc(fm->nwords, sizeof(*fm->file_map)); debugs(8, 3, "copying " << old_sz << " old bytes"); memcpy(fm->file_map, old_map, old_sz); diff -u -r -N squid-3.2.0.11/src/format/Format.cc squid-3.2.0.12/src/format/Format.cc --- squid-3.2.0.11/src/format/Format.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/format/Format.cc 2011-09-16 23:37:30.000000000 +1200 @@ -12,6 +12,8 @@ #include "SquidTime.h" #include "Store.h" +/// Convert a string to NULL pointer if it is "" +#define strOrNull(s) ((s)==NULL||(s)[0]=='\0'?NULL:(s)) Format::Format::Format(const char *n) : format(NULL), 
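Review bot: `strOrNull` in Format.cc is introduced as a function-like macro that evaluates its argument up to three times. The uses in this patch pass plain member reads, so it is harmless today, but a file-local inline function gives the same result with type checking and single evaluation: `static inline const char *strOrNull(const char *s) { return (s && *s) ? s : NULL; }`. The `///` comment would then sit on a real declaration rather than on a `#define`.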
@@ -365,14 +367,32 @@ } break; - case LFT_CLIENT_LOCAL_IP_OLD_31: + case LFT_LOCAL_LISTENING_IP: { + // avoid logging a dash if we have reliable info + const bool interceptedAtKnownPort = (al->request->flags.spoof_client_ip || + al->request->flags.intercepted) && al->cache.port; + if (interceptedAtKnownPort) { + const bool portAddressConfigured = !al->cache.port->s.IsAnyAddr(); + if (portAddressConfigured) + out = al->cache.port->s.NtoA(tmp, sizeof(tmp)); + } else if (al->tcpClient != NULL) + out = al->tcpClient->local.NtoA(tmp, sizeof(tmp)); + } + break; + case LFT_CLIENT_LOCAL_IP: if (al->tcpClient != NULL) { out = al->tcpClient->local.NtoA(tmp,sizeof(tmp)); } break; - case LFT_CLIENT_LOCAL_PORT_OLD_31: + case LFT_LOCAL_LISTENING_PORT: + if (al->cache.port) { + outint = al->cache.port->s.GetPort(); + doint = 1; + } + break; + case LFT_CLIENT_LOCAL_PORT: if (al->tcpClient != NULL) { outint = al->tcpClient->local.GetPort(); @@ -726,44 +746,27 @@ break; case LFT_USER_NAME: - out = QuoteUrlEncodeUsername(al->cache.authuser); - + out = strOrNull(al->cache.authuser); if (!out) - out = QuoteUrlEncodeUsername(al->cache.extuser); - + out = strOrNull(al->cache.extuser); #if USE_SSL - if (!out) - out = QuoteUrlEncodeUsername(al->cache.ssluser); - + out = strOrNull(al->cache.ssluser); #endif - if (!out) - out = QuoteUrlEncodeUsername(al->cache.rfc931); - - dofree = 1; - + out = strOrNull(al->cache.rfc931); break; case LFT_USER_LOGIN: - out = QuoteUrlEncodeUsername(al->cache.authuser); - - dofree = 1; - + out = strOrNull(al->cache.authuser); break; case LFT_USER_IDENT: - out = QuoteUrlEncodeUsername(al->cache.rfc931); - - dofree = 1; - + out = strOrNull(al->cache.rfc931); break; case LFT_USER_EXTERNAL: - out = QuoteUrlEncodeUsername(al->cache.extuser); - - dofree = 1; - + out = strOrNull(al->cache.extuser); break; /* case LFT_USER_REALM: */ 
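Review bot: In the new `LFT_LOCAL_LISTENING_IP` case, `al->request->flags` is read without checking `al->request`, while the neighbouring cases test their pointers (`al->tcpClient != NULL`, `al->cache.port`) before use. Whether `al->request` can be NULL when an entry is formatted is not visible in this hunk; if it can, this is a null dereference on the logging path, and the condition should start with the pointer test: `const bool interceptedAtKnownPort = al->request && (al->request->flags.spoof_client_ip || al->request->flags.intercepted) && al->cache.port;`. `al->cache.port` is a cbdata reference taken in client_side.cc, so it is also worth confirming, or noting in a comment, that reading `port->s` stays safe after the listening port has been reconfigured.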
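Review bot: With `QuoteUrlEncodeUsername()` removed from the `LFT_USER_NAME`, `LFT_USER_LOGIN`, `LFT_USER_IDENT` and `LFT_USER_EXTERNAL` cases, `out` now points at the raw `al->cache.*` strings, so any escaping depends on the quoting applied later in this function and on the format using a modifier such as the `%[un` that the built-in formats in cf.data.pre switch to. User names come from the client or from an ident/auth helper; if a plain `%un` in a custom logformat is written unescaped, whitespace or line breaks in a name can split or forge log fields. The quoting code is outside the hunk, so please confirm the default path still escapes these fields, and add a comment here such as `// not encoded here: relies on the field's quoting modifier (e.g. %[un) further down`.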
@@ -1049,11 +1052,18 @@ } } - if (fmt->width) { + // enforce width limits if configured + const bool haveMaxWidth = fmt->precision && !doint && !dooff; + if (haveMaxWidth || fmt->width) { + const int minWidth = fmt->width ? + static_cast(fmt->width) : 0; + const int maxWidth = haveMaxWidth ? + static_cast(fmt->precision) : strlen(out); + if (fmt->left) - mb.Printf("%-*s", (int) fmt->width, out); + mb.Printf("%-*.*s", minWidth, maxWidth, out); else - mb.Printf("%*s", (int) fmt->width, out); + mb.Printf("%*.*s", minWidth, maxWidth, out); } else mb.append(out, strlen(out)); } else { diff -u -r -N squid-3.2.0.11/src/format/Tokens.cc squid-3.2.0.12/src/format/Tokens.cc --- squid-3.2.0.11/src/format/Tokens.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/format/Tokens.cc 2011-09-16 23:37:30.000000000 +1200 @@ -62,9 +62,9 @@ static struct TokenTableEntry TokenTable2C[] = { {">la", LFT_CLIENT_LOCAL_IP}, - {"la", LFT_CLIENT_LOCAL_IP_OLD_31}, + {"la", LFT_LOCAL_LISTENING_IP}, {">lp", LFT_CLIENT_LOCAL_PORT}, - {"lp", LFT_CLIENT_LOCAL_PORT_OLD_31}, + {"lp", LFT_LOCAL_LISTENING_PORT}, /*{ "lA", LFT_LOCAL_NAME }, */ {"st", LFT_REQUEST_SIZE_TOTAL }, + {">st", LFT_REQUEST_SIZE_TOTAL }, /*{ ">sl", LFT_REQUEST_SIZE_LINE }, * / / * the request line "GET ... " */ - { ">sh", LFT_REQUEST_SIZE_HEADERS }, + {">sh", LFT_REQUEST_SIZE_HEADERS }, /*{ ">sb", LFT_REQUEST_SIZE_BODY }, */ /*{ ">sB", LFT_REQUEST_SIZE_BODY_NO_TE }, */ @@ -131,7 +131,7 @@ {"st", LFT_ICAP_BYTES_SENT}, - {"icap::h", LFT_ICAP_REQ_HEADER}, - {"icap::st", LFT_ICAP_BYTES_SENT}, + {"h", LFT_ICAP_REQ_HEADER}, + {"2 byte tokens static struct TokenTableEntry TokenTableMisc[] = { {">eui", LFT_CLIENT_EUI}, - { "err_code", LFT_SQUID_ERROR }, - { "err_detail", LFT_SQUID_ERROR_DETAIL }, + {"err_code", LFT_SQUID_ERROR }, + {"err_detail", LFT_SQUID_ERROR_DETAIL }, {NULL, LFT_NONE} /* this must be last */ }; 
@@ -496,16 +496,6 @@ type = LFT_HTTP_SENT_STATUS_CODE; break; - case LFT_CLIENT_LOCAL_IP_OLD_31: - debugs(46, 0, "WARNING: The \"la\" formatting code is deprecated. Use the \">la\" instead."); - type = LFT_CLIENT_LOCAL_IP; - break; - - case LFT_CLIENT_LOCAL_PORT_OLD_31: - debugs(46, 0, "WARNING: The \"lp\" formatting code is deprecated. Use the \">lp\" instead."); - type = LFT_CLIENT_LOCAL_PORT; - break; - case LFT_SERVER_LOCAL_IP_OLD_27: debugs(46, 0, "WARNING: The \"oa\" formatting code is deprecated. Use the \"local.IsAnyAddr()) return; + // ensure that at minimum the wildcard local matches remote protocol + if (conn->remote.IsIPv4()) + conn->local.SetIPv4(); + // maybe use TPROXY client address if (request && request->flags.spoof_client_ip) { if (!conn->getPeer() || !conn->getPeer()->options.no_tproxy) { diff -u -r -N squid-3.2.0.11/src/ftp.cc squid-3.2.0.12/src/ftp.cc --- squid-3.2.0.11/src/ftp.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/ftp.cc 2011-09-16 23:37:30.000000000 +1200 @@ -2723,6 +2723,7 @@ Comm::ConnectionPointer conn = new Comm::Connection; conn->local = ftpState->ctrl.conn->local; + conn->local.SetPort(0); conn->remote = ipaddr; conn->remote.SetPort(port); @@ -3232,7 +3233,7 @@ if (code == 125 || (code == 150 && Comm::IsConnOpen(ftpState->data.conn))) { /* Begin data transfer */ - debugs(9, 3, HERE << "reading data channel"); + debugs(9, 3, HERE << "begin data transfer from " << ftpState->data.conn->remote << " (" << ftpState->data.conn->local << ")"); ftpState->switchTimeoutToDataChannel(); ftpState->maybeReadVirginBody(); ftpState->state = READING_DATA; diff -u -r -N squid-3.2.0.11/src/gopher.cc squid-3.2.0.12/src/gopher.cc --- squid-3.2.0.11/src/gopher.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/gopher.cc 2011-09-16 23:37:30.000000000 +1200 
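Review bot: The new `debugs()` line in the ftp.cc data-transfer hunk dereferences `ftpState->data.conn` for both `->remote` and `->local`, but the enclosing condition only checks `Comm::IsConnOpen(ftpState->data.conn)` for reply code 150; on the `code == 125` path nothing in the hunk shows the data connection is set. If it can be unset there, a reply code chosen by the server leads to a null dereference inside a debug statement. Printing the connection object itself avoids that, as http.cc does with `serverConnection`, assuming the stream operator tolerates an unset pointer: `debugs(9, 3, HERE << "begin data transfer on " << ftpState->data.conn);`. The function starts and ends outside the hunk.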
@@ -464,14 +464,6 @@ gopherState->len += llen; break; } - if (!lpos) { - /* there is no complete line in inbuf */ - /* copy it to temp buffer */ - /* note: llen is adjusted above */ - memcpy(gopherState->buf + gopherState->len, pos, llen); - gopherState->len += llen; - break; - } if (gopherState->len != 0) { /* there is something left from last tx. */ memcpy(line, gopherState->buf, gopherState->len); diff -u -r -N squid-3.2.0.11/src/helper.cc squid-3.2.0.12/src/helper.cc --- squid-3.2.0.11/src/helper.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/helper.cc 2011-09-16 23:37:30.000000000 +1200 @@ -1093,6 +1093,7 @@ dlink_node *n; helper_server *srv; helper_server *selected = NULL; + debugs(84, 5, "GetFirstAvailable: Running servers " << hlp->childs.n_running); if (hlp->childs.n_running == 0) return NULL; @@ -1119,12 +1120,17 @@ } /* Check for overload */ - if (!selected) + if (!selected) { + debugs(84, 5, "GetFirstAvailable: None available."); return NULL; + } - if (selected->stats.pending >= (hlp->childs.concurrency ? hlp->childs.concurrency : 1)) + if (selected->stats.pending >= (hlp->childs.concurrency ? hlp->childs.concurrency : 1)) { + debugs(84, 3, "GetFirstAvailable: Least-loaded helper is overloaded!"); return NULL; + } + debugs(84, 5, "GetFirstAvailable: returning srv-" << selected->index); return selected; } diff -u -r -N squid-3.2.0.11/src/htcp.cc squid-3.2.0.12/src/htcp.cc --- squid-3.2.0.11/src/htcp.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/htcp.cc 2011-09-16 23:37:30.000000000 +1200 @@ -1171,7 +1171,6 @@ } static void - htcpHandleTstRequest(htcpDataHeader * dhdr, char *buf, int sz, Ip::Address &from) { /* buf should be a SPECIFIER */ 
@@ -1193,27 +1192,27 @@ s->setDataHeader(dhdr); if (NULL == s) { - debugs(31, 2, "htcpHandleTstRequest: htcpUnpackSpecifier failed"); + debugs(31, 3, "htcpHandleTstRequest: htcpUnpackSpecifier failed"); htcpLogHtcp(from, dhdr->opcode, LOG_UDP_INVALID, dash_str); return; } if (!s->request) { - debugs(31, 2, "htcpHandleTstRequest: failed to parse request"); + debugs(31, 3, "htcpHandleTstRequest: failed to parse request"); htcpLogHtcp(from, dhdr->opcode, LOG_UDP_INVALID, dash_str); htcpFreeSpecifier(s); return; } if (!htcpAccessAllowed(Config.accessList.htcp, s, from)) { - debugs(31, 2, "htcpHandleTstRequest: Access denied"); + debugs(31, 3, "htcpHandleTstRequest: Access denied"); htcpLogHtcp(from, dhdr->opcode, LOG_UDP_DENIED, s->uri); htcpFreeSpecifier(s); return; } - debugs(31, 3, "htcpHandleTstRequest: " << s->method << " " << s->uri << " " << s->version); - debugs(31, 3, "htcpHandleTstRequest: " << s->req_hdrs); + debugs(31, 2, "HTCP TST request: " << s->method << " " << s->uri << " " << s->version); + debugs(31, 2, "HTCP TST headers: " << s->req_hdrs); s->checkHit(); } @@ -1251,7 +1250,7 @@ htcpSpecifier *s; /* buf[0/1] is reserved and reason */ int reason = buf[1] << 4; - debugs(31, 3, "htcpHandleClr: reason=" << reason); + debugs(31, 2, "HTCP CLR reason: " << reason); buf += 2; sz -= 2; 
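Review bot: On the context line at the top of the htcpHandleTstRequest hunk, `s->setDataHeader(dhdr)` is called before the `if (NULL == s)` test, so the "htcpUnpackSpecifier failed" branch this change touches is only reached after `s` has already been dereferenced. The assignment of `s` is outside the hunk, but if it comes from unpacking a received HTCP packet, a packet that fails to unpack would hit the dereference rather than the logged rejection. The NULL test should move above every use of `s`: first `if (NULL == s) { ... return; }`, then `s->setDataHeader(dhdr);`.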
@@ -1272,21 +1271,21 @@ } if (!s->request) { - debugs(31, 2, "htcpHandleTstRequest: failed to parse request"); + debugs(31, 3, "htcpHandleTstRequest: failed to parse request"); htcpLogHtcp(from, hdr->opcode, LOG_UDP_INVALID, dash_str); htcpFreeSpecifier(s); return; } if (!htcpAccessAllowed(Config.accessList.htcp_clr, s, from)) { - debugs(31, 2, "htcpHandleClr: Access denied"); + debugs(31, 3, "htcpHandleClr: Access denied"); htcpLogHtcp(from, hdr->opcode, LOG_UDP_DENIED, s->uri); htcpFreeSpecifier(s); return; } - debugs(31, 5, "htcpHandleClr: " << s->method << " " << s->uri << " " << s->version); - debugs(31, 5, "htcpHandleClr: request headers: " << s->req_hdrs); + debugs(31, 2, "HTCP CLR request: " << s->method << " " << s->uri << " " << s->version); + debugs(31, 2, "HTCP CLR headers: " << s->req_hdrs); /* Release objects from cache * analog to clientPurgeRequest in client_side.c diff -u -r -N squid-3.2.0.11/src/http.cc squid-3.2.0.12/src/http.cc --- squid-3.2.0.11/src/http.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/http.cc 2011-09-16 23:37:30.000000000 +1200 @@ -2212,12 +2212,12 @@ } if (!Comm::IsConnOpen(serverConnection)) { - debugs(11,2, HERE << "ignoring broken POST for closed " << serverConnection); + debugs(11, 3, HERE << "ignoring broken POST for closed " << serverConnection); assert(closeHandler != NULL); return true; // prevent caller from proceeding as if nothing happened } - debugs(11, 2, "finishingBrokenPost: fixing broken POST"); + debugs(11, 3, "finishingBrokenPost: fixing broken POST"); typedef CommCbMemFunT Dialer; requestSender = JobCallback(11,5, Dialer, this, HttpStateData::wroteLast); diff -u -r -N squid-3.2.0.11/src/HttpHeader.cc squid-3.2.0.12/src/HttpHeader.cc --- squid-3.2.0.11/src/HttpHeader.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/HttpHeader.cc 2011-09-16 23:37:30.000000000 +1200 
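Review bot: The two rewritten `debugs()` lines at the end of the htcpHandleClr hunk raise the dump of `s->uri` and `s->req_hdrs` from level 5 to level 2, and the TST hunk before it does the same from level 3. `req_hdrs` is peer-supplied header text logged verbatim; if it can carry credentials or cookies, a moderately verbose debug setting now writes them to the debug log. A comment such as `// level 2 dumps peer-supplied headers verbatim; may include sensitive values` would make that explicit for whoever picks the debug level. Separately, the "failed to parse request" message in this hunk still names htcpHandleTstRequest although the surrounding messages say htcpHandleClr.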
@@ -877,8 +877,7 @@ assert_eid(e->id); assert(e->name.size()); - debugs(55, 9, this << " adding entry: " << e->id << " at " << - entries.count); + debugs(55, 7, HERE << this << " adding entry: " << e->id << " at " << entries.count); if (CBIT_TEST(mask, e->id)) Headers[e->id].stat.repCount++; @@ -900,8 +899,7 @@ assert(e); assert_eid(e->id); - debugs(55, 7, this << " adding entry: " << e->id << " at " << - entries.count); + debugs(55, 7, HERE << this << " adding entry: " << e->id << " at " << entries.count); if (CBIT_TEST(mask, e->id)) Headers[e->id].stat.repCount++; diff -u -r -N squid-3.2.0.11/src/icmp/Icmp4.cc squid-3.2.0.12/src/icmp/Icmp4.cc --- squid-3.2.0.11/src/icmp/Icmp4.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/icmp/Icmp4.cc 2011-09-16 23:37:30.000000000 +1200 @@ -141,7 +141,7 @@ ((sockaddr_in*)S->ai_addr)->sin_port = 0; assert(icmp_pktsize <= MAX_PKT4_SZ); - debugs(42, 2, HERE << "Send ICMP packet to " << to << "."); + debugs(42, 5, HERE << "Send ICMP packet to " << to << "."); x = sendto(icmp_sock, (const void *) pkt, diff -u -r -N squid-3.2.0.11/src/ip/Address.cc squid-3.2.0.12/src/ip/Address.cc --- squid-3.2.0.11/src/ip/Address.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/ip/Address.cc 2011-09-16 23:37:30.000000000 +1200 @@ -826,7 +826,10 @@ /* some external code may have blindly memset a parent. */ /* thats okay, our default is known */ if ( IsAnyAddr() ) { - memcpy(buf,"::\0", min(static_cast(3),blen)); + if (IsIPv6()) + memcpy(buf,"::\0", min(static_cast(3),blen)); + else if (IsIPv4()) + memcpy(buf,"0.0.0.0\0", min(static_cast(8),blen)); return buf; } diff -u -r -N squid-3.2.0.11/src/ipcache.cc squid-3.2.0.12/src/ipcache.cc --- squid-3.2.0.11/src/ipcache.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/ipcache.cc 2011-09-16 23:37:30.000000000 +1200 
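Review bot: Both `memcpy()` calls in the `IsAnyAddr()` branch of ip/Address.cc copy the smaller of the literal size and `blen`, so when `blen` is smaller than the literal (3 bytes for `::`, 8 for `0.0.0.0`) the buffer is returned without a terminating NUL. Callers that print the result as a C string would then read past the copied bytes. Terminating explicitly after the copy, e.g. `if (blen > 0) buf[blen - 1] = '\0';`, closes that gap. The `else if (IsIPv4())` also leaves `buf` unwritten if neither test is true; a plain `else` would guarantee it is always filled. The function starts outside the hunk.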
@@ -487,6 +487,7 @@ return -1; } + debugs(14, 3, "ipcacheParse: " << nr << " answers for '" << name << "'"); assert(answers); for (k = 0; k < nr; k++) { diff -u -r -N squid-3.2.0.11/src/log/access_log.cc squid-3.2.0.12/src/log/access_log.cc --- squid-3.2.0.11/src/log/access_log.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/log/access_log.cc 2011-09-16 23:37:30.000000000 +1200 @@ -596,6 +596,7 @@ HTTPMSGUNLOCK(aLogEntry->icap.reply); HTTPMSGUNLOCK(aLogEntry->icap.request); #endif + cbdataReferenceDone(aLogEntry->cache.port); } int diff -u -r -N squid-3.2.0.11/src/main.cc squid-3.2.0.12/src/main.cc --- squid-3.2.0.11/src/main.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/main.cc 2011-09-16 23:37:30.000000000 +1200 @@ -47,6 +47,7 @@ #if USE_AUTH #include "auth/Gadgets.h" #endif +#include "base/RunnersRegistry.h" #include "base/Subscription.h" #include "base/TextException.h" #if USE_DELAY_POOLS @@ -1427,6 +1428,11 @@ /* NOTREACHED */ } + debugs(1,2, HERE << "Doing post-config initialization\n"); + leave_suid(); + ActivateRegistered(rrAfterConfig); + enter_suid(); + if (!opt_no_daemon && Config.workers > 0) watch_child(argv); @@ -1785,6 +1791,10 @@ #endif if (!TheKids.someRunning() && !TheKids.shouldRestartSome()) { + leave_suid(); + DeactivateRegistered(rrAfterConfig); + enter_suid(); + if (TheKids.someSignaled(SIGINT) || TheKids.someSignaled(SIGTERM)) { syslog(LOG_ALERT, "Exiting due to unexpected forced shutdown"); exit(1); @@ -1884,6 +1894,7 @@ Store::Root().sync(); /* Flush log close */ StoreFileSystem::FreeAllFs(); DiskIOModule::FreeAllModules(); + DeactivateRegistered(rrAfterConfig); #if LEAK_CHECK_MODE && 0 /* doesn't work at the moment */ configFreeMemory(); diff -u -r -N squid-3.2.0.11/src/mgr/Action.cc squid-3.2.0.12/src/mgr/Action.cc --- squid-3.2.0.11/src/mgr/Action.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/mgr/Action.cc 2011-09-16 23:37:30.000000000 +1200 
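Review bot: `DeactivateRegistered(rrAfterConfig)` in the last main.cc hunk (after `DiskIOModule::FreeAllModules()`) runs without the `leave_suid()`/`enter_suid()` bracket that the activation hunk and the `TheKids` exit-path hunk both add. If runner destructors release resources created during activation, they would run under whatever identity the process has at that point, which the hunk does not show. Either bracket the call the same way or add a comment stating why it is unnecessary on this path, e.g. `// privileges already dropped on this path; no leave_suid() needed` if that is the case. The new `debugs(1,2, ...)` message also ends in a literal `\n`, which the other debugs() calls in this patch do not use.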
@@ -70,7 +70,8 @@ // Assume most kid classes are fully aggregatable (i.e., they do not dump // local info at all). Do not import the remote HTTP fd into our Comm // space; collect and send an IPC msg with collected info to Coordinator. - request.conn->close(); + ::close(request.conn->fd); + request.conn->fd = -1; collect(); sendResponse(request.requestId); } diff -u -r -N squid-3.2.0.11/src/neighbors.cc squid-3.2.0.12/src/neighbors.cc --- squid-3.2.0.11/src/neighbors.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/neighbors.cc 2011-09-16 23:37:30.000000000 +1200 @@ -1341,7 +1341,8 @@ } p->testing_now--; - return; + conn->close(); + // TODO: log this traffic. } static void diff -u -r -N squid-3.2.0.11/src/pconn.cc squid-3.2.0.12/src/pconn.cc --- squid-3.2.0.11/src/pconn.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/pconn.cc 2011-09-16 23:37:30.000000000 +1200 @@ -89,6 +89,7 @@ } /** Remove the entry at specified index. + * May perform a shuffle of list entries to fill the gap. * \retval false The index is not an in-use entry. */ bool 
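Review bot: In src/mgr/Action.cc the new `::close(request.conn->fd);` runs without checking that the descriptor is valid or that the call succeeded, and it deliberately skips whatever bookkeeping Connection::close() performs. The context comment suggests the fd was never imported into Comm, which would be why a raw close is acceptable; record that on the new lines, e.g. `// fd was never registered with Comm here, so close it directly`, and guard the call with `if (request.conn->fd >= 0)`. The function body starts outside the hunk.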
@@ -194,22 +195,35 @@ commSetConnTimeout(conn, Config.Timeout.pconn, timeoutCall); } +/// Determine whether an entry in the idle list is available for use. +/// Returns false if the entry is unset, closed or closing. +bool +IdleConnList::isAvailable(int i) const +{ + const Comm::ConnectionPointer &conn = theList_[i]; + + // connection already closed. useless. + if (!Comm::IsConnOpen(conn)) + return false; + + // our connection early-read/close handler is scheduled to run already. unsafe + if (!COMMIO_FD_READCB(conn->fd)->active()) + return false; + + return true; +} + Comm::ConnectionPointer IdleConnList::pop() { for (int i=size_-1; i>=0; i--) { - // Is the FD pending completion of the closure callback? - // this flag is set while our early-read/close handler is - // waiting for a remote response. It gets unset when the - // handler is scheduled. - //The following check is disabled for now until we have a - // correct implementation of the read_pending flag - //if (!fd_table[theList_[i]->fd].flags.read_pending) - // continue; + if (!isAvailable(i)) + continue; - // connection already closed. useless. - if (!Comm::IsConnOpen(theList_[i])) + // our connection timeout handler is scheduled to run already. unsafe for now. + // TODO: cancel the pending timeout callback and allow re-use of the conn. + if (fd_table[theList_[i]->fd].timeoutHandler == NULL) continue; // finally, a match. pop and return it. 
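Review bot: The timeout-handler test `if (fd_table[theList_[i]->fd].timeoutHandler == NULL) continue;` is written out in pop() here and again in the findUseable() hunk (@@ -263,6 +267,11 @@), each with its own copy of the TODO, while the other two liveness tests were moved into isAvailable(). Folding it into isAvailable() keeps the two callers from drifting apart, which matters because handing out a connection whose close or timeout handling is already queued is the failure this change guards against. isAvailable() also indexes `theList_[i]` with no range check; a comment such as `/// \param i must be in [0, size_)` would record the precondition that both loops currently satisfy. pop() continues past the end of the hunk.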
@@ -242,17 +256,7 @@ for (int i=size_-1; i>=0; i--) { - // Is the FD pending completion of the closure callback? - // this flag is set while our early-read/close handler is - // waiting for a remote response. It gets unset when the - // handler is scheduled. - //The following check is disabled for now until we have a - // correct implementation of the read_pending flag - //if (!fd_table[theList_[i]->fd].flags.read_pending) - // continue; - - // connection already closed. useless. - if (!Comm::IsConnOpen(theList_[i])) + if (!isAvailable(i)) continue; // local end port is required, but dont match. @@ -263,6 +267,11 @@ if (keyCheckAddr && key->local.matchIPAddr(theList_[i]->local) != 0) continue; + // our connection timeout handler is scheduled to run already. unsafe for now. + // TODO: cancel the pending timeout callback and allow re-use of the conn. + if (fd_table[theList_[i]->fd].timeoutHandler == NULL) + continue; + // finally, a match. pop and return it. Comm::ConnectionPointer result = theList_[i]; /* may delete this */ 
@@ -274,27 +283,33 @@ return Comm::ConnectionPointer(); } +/* might delete list */ +void +IdleConnList::findAndClose(const Comm::ConnectionPointer &conn) +{ + const int index = findIndexOf(conn); + if (index >= 0) { + /* might delete this */ + removeAt(index); + clearHandlers(conn); + conn->close(); + } +} + void IdleConnList::Read(const Comm::ConnectionPointer &conn, char *buf, size_t len, comm_err_t flag, int xerrno, void *data) { debugs(48, 3, HERE << len << " bytes from " << conn); if (flag == COMM_ERR_CLOSING) { - /* Bail out early on COMM_ERR_CLOSING - close handlers will tidy up for us */ + debugs(48, 3, HERE << "COMM_ERR_CLOSING from " << conn); + /* Bail out on COMM_ERR_CLOSING - may happen when shutdown aborts our idle FD */ return; } IdleConnList *list = (IdleConnList *) data; - int index = list->findIndexOf(conn); - if (index >= 0) { - /* might delete list */ - list->removeAt(index); - list->clearHandlers(conn); - } - // else we lost a race. - // Somebody started using the pconn since the remote end disconnected. - // pass the closure info on! - conn->close(); + /* may delete list/data */ + list->findAndClose(conn); } void @@ -302,13 +317,8 @@ { debugs(48, 3, HERE << io.conn); IdleConnList *list = static_cast(io.data); - int index = list->findIndexOf(io.conn); - assert(index>=0); - if (index >= 0) { - /* might delete list */ - list->removeAt(index); - io.conn->close(); - } + /* may delete list/data */ + list->findAndClose(io.conn); } /* ========== PconnPool PRIVATE FUNCTIONS ============================================ */ diff -u -r -N squid-3.2.0.11/src/pconn.h squid-3.2.0.12/src/pconn.h --- squid-3.2.0.11/src/pconn.h 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/pconn.h 2011-09-16 23:37:30.000000000 +1200 
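Review bot: In the new IdleConnList::findAndClose(), `removeAt(index);` is annotated "might delete this", yet `clearHandlers(conn);` is then invoked as a member on the same object, so when the removal frees the list the next statement runs on a destroyed IdleConnList. Calling `clearHandlers(conn);` before `removeAt(index);`, with `conn->close();` as the only statement after the removal, avoids touching `this` once it may be gone. Whether clearHandlers() reads members is not visible here, but a member call on a deleted object is undefined behaviour either way. Separately, Read() used to close the connection even when it was no longer in the list and Timeout() used to assert that it was found; both now return silently in that case, which deserves a one-line comment in each caller.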
@@ -55,8 +55,10 @@ void closeN(size_t count); private: + bool isAvailable(int i) const; bool removeAt(int index); int findIndexOf(const Comm::ConnectionPointer &conn) const; + void findAndClose(const Comm::ConnectionPointer &conn); static IOCB Read; static CTCB Timeout; diff -u -r -N squid-3.2.0.11/src/peer_digest.cc squid-3.2.0.12/src/peer_digest.cc --- squid-3.2.0.11/src/peer_digest.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/peer_digest.cc 2011-09-16 23:37:30.000000000 +1200 @@ -917,7 +917,7 @@ assert(fetch->entry && fetch->request); if (fetch->old_entry) { - debugs(72, 2, "peerDigestFetchFinish: deleting old entry"); + debugs(72, 3, "peerDigestFetchFinish: deleting old entry"); storeUnregister(fetch->old_sc, fetch->old_entry, fetch); fetch->old_entry->releaseRequest(); fetch->old_entry->unlock(); diff -u -r -N squid-3.2.0.11/src/peer_select.cc squid-3.2.0.12/src/peer_select.cc --- squid-3.2.0.11/src/peer_select.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/peer_select.cc 2011-09-16 23:37:30.000000000 +1200 @@ -156,8 +156,6 @@ psstate->callback_data = cbdataReference(callback_data); - psstate->direct = DIRECT_UNKNOWN; - #if USE_CACHE_DIGESTS request->hier.peer_select_start = current_time; @@ -177,6 +175,18 @@ psstate->acl_checklist = NULL; debugs(44, 3, "peerCheckNeverDirectDone: " << answer); psstate->never_direct = answer; + switch (answer) { + case ACCESS_ALLOWED: + /** if always_direct says YES, do that. */ + psstate->direct = DIRECT_YES; + debugs(44, 3, HERE << "direct = " << DirectStr[psstate->direct] << " (never_direct allow)"); + break; + case ACCESS_DENIED: // not relevant. + break; + default: // Oops. Failed to get a result. + debugs(44, DBG_IMPORTANT, "WARNING: never_direct resulted in " << answer << ". Username ACLs are not reliable here."); + assert(answer != ACCESS_DUNNO); + } peerSelectFoo(psstate); } 
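Review bot: In the src/peer_select.cc hunk @@ -177,6 +175,18 @@, peerCheckNeverDirectDone() sets `psstate->direct = DIRECT_YES;` when never_direct answers ACCESS_ALLOWED, the opposite of the branch this commit removes from peerSelectFoo(), where `ps->never_direct == ACCESS_ALLOWED` gave `ps->direct = DIRECT_NO`. As written, a request matching a never_direct allow rule is marked for direct forwarding, so traffic the administrator meant to keep behind a parent proxy would go straight to the origin. The case should read `psstate->direct = DIRECT_NO;`, and the copied comment should become `/** if never_direct says YES, do not go direct. */`. The function starts outside the hunk.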
@@ -187,6 +197,18 @@ psstate->acl_checklist = NULL; debugs(44, 3, "peerCheckAlwaysDirectDone: " << answer); psstate->always_direct = answer; + switch (answer) { + case ACCESS_ALLOWED: + /** if always_direct says YES, do that. */ + psstate->direct = DIRECT_YES; + debugs(44, 3, HERE << "direct = " << DirectStr[psstate->direct] << " (always_direct allow)"); + break; + case ACCESS_DENIED: // not relevant. + break; + default: // Oops. Failed to get a result. + debugs(44, DBG_IMPORTANT, "WARNING: always_direct resulted in " << answer << ". Username ACLs are not reliable here."); + assert(answer != ACCESS_DUNNO); + } peerSelectFoo(psstate); } 
@@ -344,41 +366,34 @@ HttpRequest *request = ps->request; debugs(44, 3, "peerSelectFoo: '" << RequestMethodStr(request->method) << " " << request->GetHost() << "'"); - /** If we don't known whether DIRECT is permitted ... */ + /** If we don't know whether DIRECT is permitted ... */ if (ps->direct == DIRECT_UNKNOWN) { - if (ps->always_direct == ACCESS_DUNNO && Config.accessList.AlwaysDirect) { + if (ps->always_direct == ACCESS_DUNNO) { + debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct] << " (always_direct to be checked)"); /** check always_direct; */ - ps->acl_checklist = new ACLFilledChecklist( - Config.accessList.AlwaysDirect, - request, - NULL); /* ident */ + ps->acl_checklist = new ACLFilledChecklist(Config.accessList.AlwaysDirect, request, NULL); ps->acl_checklist->nonBlockingCheck(peerCheckAlwaysDirectDone, ps); return; - } else if (ps->always_direct == ACCESS_ALLOWED) { - /** if always_direct says YES, do that. */ - ps->direct = DIRECT_YES; - } else if (ps->never_direct == ACCESS_DUNNO && Config.accessList.NeverDirect) { + } else if (ps->never_direct == ACCESS_DUNNO) { + debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct] << " (never_direct to be checked)"); /** check never_direct; */ - ps->acl_checklist = new ACLFilledChecklist( - Config.accessList.NeverDirect, - request, - NULL); /* ident */ - ps->acl_checklist->nonBlockingCheck(peerCheckNeverDirectDone, - ps); + ps->acl_checklist = new ACLFilledChecklist(Config.accessList.NeverDirect, request, NULL); + ps->acl_checklist->nonBlockingCheck(peerCheckNeverDirectDone, ps); return; - } else if (ps->never_direct == ACCESS_ALLOWED) { - /** if always_direct says NO, do that. */ - ps->direct = DIRECT_NO; } else if (request->flags.no_direct) { /** if we are accelerating, direct is not an option. 
*/ ps->direct = DIRECT_NO; + debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct] << " (forced non-direct)"); } else if (request->flags.loopdetect) { /** if we are in a forwarding-loop, direct is not an option. */ ps->direct = DIRECT_YES; + debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct] << " (forwarding loop detected)"); } else if (peerCheckNetdbDirect(ps)) { ps->direct = DIRECT_YES; + debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct] << " (checkNetdbDirect)"); } else { ps->direct = DIRECT_MAYBE; + debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct] << " (default)"); } debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct]); @@ -865,9 +880,9 @@ ps_state::ps_state() : request (NULL), entry (NULL), - always_direct(ACCESS_DUNNO), - never_direct(ACCESS_DUNNO), - direct (0), + always_direct(Config.accessList.AlwaysDirect?ACCESS_DUNNO:ACCESS_DENIED), + never_direct(Config.accessList.NeverDirect?ACCESS_DUNNO:ACCESS_DENIED), + direct(DIRECT_UNKNOWN), callback (NULL), callback_data (NULL), servers (NULL), diff -u -r -N squid-3.2.0.11/src/refresh.cc squid-3.2.0.12/src/refresh.cc --- squid-3.2.0.11/src/refresh.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/refresh.cc 2011-09-16 23:37:30.000000000 +1200 @@ -392,7 +392,7 @@ * NOTE: max-stale config blocks the overrides. */ int max_stale = (R->max_stale >= 0 ? R->max_stale : Config.maxStale); - if ( max_stale >= 0 && staleness < max_stale) { + if ( max_stale >= 0 && staleness > max_stale) { debugs(22, 3, "refreshCheck: YES: max-stale limit"); if (request) request->flags.fail_on_validation_err = 1; diff -u -r -N squid-3.2.0.11/src/SquidString.h squid-3.2.0.12/src/SquidString.h --- squid-3.2.0.11/src/SquidString.h 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/SquidString.h 2011-09-16 23:37:30.000000000 +1200 
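Review bot: In the peerSelectFoo() hunk (@@ -344,41 +366,34 @@) the tests `ps->always_direct == ACCESS_DUNNO` and `ps->never_direct == ACCESS_DUNNO` no longer check that Config.accessList.AlwaysDirect or NeverDirect is set. They rely on the ps_state constructor (@@ -865,9 +880,9 @@) having mapped a missing list to ACCESS_DENIED. The never_direct test runs only after the asynchronous always_direct callback, so if the configuration can change in between, the checklist would be built from a null list; whether that can happen is not visible here. A comment at each test, e.g. `// DUNNO implies the list existed when ps_state was constructed`, or keeping the null test, would make the dependency explicit. The function starts before and ends after the hunk.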
@@ -181,6 +181,8 @@ _SQUID_INLINE_ std::ostream & operator<<(std::ostream& os, String const &aString); +_SQUID_INLINE_ bool operator<(const String &a, const String &b); + #if _USE_INLINE_ #include "String.cci" #endif diff -u -r -N squid-3.2.0.11/src/ssl/certificate_db.cc squid-3.2.0.12/src/ssl/certificate_db.cc --- squid-3.2.0.11/src/ssl/certificate_db.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/ssl/certificate_db.cc 2011-09-16 23:37:30.000000000 +1200 @@ -393,7 +393,7 @@ corrupt = true; // Create indexes in db. -#if OPENSSL_VERSION_NUMBER > 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x1000004fL if (!corrupt && !TXT_DB_create_index(temp_db.get(), cnlSerial, NULL, LHASH_HASH_FN(index_serial), LHASH_COMP_FN(index_serial))) corrupt = true; @@ -433,7 +433,7 @@ return false; bool removed_one = false; -#if OPENSSL_VERSION_NUMBER > 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x1000004fL for (int i = 0; i < sk_OPENSSL_PSTRING_num(db.get()->data); i++) { const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()->data, i)); #else @@ -444,7 +444,7 @@ if (!sslDateIsInTheFuture(current_row[cnlExp_date])) { std::string filename(cert_full + "/" + current_row[cnlSerial] + ".pem"); FileLocker cert_locker(filename); -#if OPENSSL_VERSION_NUMBER > 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x1000004fL sk_OPENSSL_PSTRING_delete(db.get()->data, i); #else sk_delete(db.get()->data, i); @@ -466,14 +466,14 @@ if (!db) return false; -#if OPENSSL_VERSION_NUMBER > 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x1000004fL if (sk_OPENSSL_PSTRING_num(db.get()->data) == 0) #else if (sk_num(db.get()->data) == 0) #endif return false; -#if OPENSSL_VERSION_NUMBER > 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x1000004fL const char **row = (const char **)sk_OPENSSL_PSTRING_value(db.get()->data, 0); #else const char **row = (const char **)sk_value(db.get()->data, 0); 
@@ -481,7 +481,7 @@ std::string filename(cert_full + "/" + row[cnlSerial] + ".pem"); FileLocker cert_locker(filename); -#if OPENSSL_VERSION_NUMBER > 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x1000004fL sk_OPENSSL_PSTRING_delete(db.get()->data, 0); #else sk_delete(db.get()->data, 0); @@ -498,7 +498,7 @@ if (!db) return false; -#if OPENSSL_VERSION_NUMBER > 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x1000004fL for (int i = 0; i < sk_OPENSSL_PSTRING_num(db.get()->data); i++) { const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()->data, i)); #else @@ -508,7 +508,7 @@ if (host == current_row[cnlName]) { std::string filename(cert_full + "/" + current_row[cnlSerial] + ".pem"); FileLocker cert_locker(filename); -#if OPENSSL_VERSION_NUMBER > 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x1000004fL sk_OPENSSL_PSTRING_delete(db.get()->data, i); #else sk_delete(db.get()->data, i); diff -u -r -N squid-3.2.0.11/src/ssl/ssl_crtd.cc squid-3.2.0.12/src/ssl/ssl_crtd.cc --- squid-3.2.0.11/src/ssl/ssl_crtd.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/ssl/ssl_crtd.cc 2011-09-16 23:37:30.000000000 +1200 @@ -123,6 +123,8 @@ if (!strncasecmp(unit, B_GBYTES_STR, strlen(B_GBYTES_STR))) return 1 << 30; + std::cerr << "WARNING: Unknown bytes unit '" << unit << "'" << std::endl; + return 0; } diff -u -r -N squid-3.2.0.11/src/ssl/support.cc squid-3.2.0.12/src/ssl/support.cc --- squid-3.2.0.11/src/ssl/support.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/ssl/support.cc 2011-09-16 23:37:30.000000000 +1200 @@ -654,7 +654,7 @@ debugs(83, 5, "Using SSLv2."); method = SSLv2_server_method(); #else - debugs(83, 1, "SSLv2 is not available in this Proxy."); + debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy."); return NULL; #endif break; 
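Review bot: In the src/ssl/ssl_crtd.cc hunk (@@ -123,6 +123,8 @@) the new warning is followed by the existing `return 0;`, so an unrecognised unit still yields a multiplier of zero and the caller carries on. If the caller multiplies a configured size by this value (the call site is not in the hunk), a typo in the unit would turn the limit into 0 rather than stopping the helper. Make the message state the consequence, e.g. `"ERROR: Unknown bytes unit '" << unit << "', size ignored"`, or have the caller treat 0 as a parse failure. The function starts outside the hunk.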
@@ -711,31 +711,33 @@ } } - debugs(83, 1, "Using certificate in " << certfile); + debugs(83, DBG_IMPORTANT, "Using certificate in " << certfile); if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) { ssl_error = ERR_get_error(); - debugs(83, 0, "Failed to acquire SSL certificate '" << certfile << "': " << ERR_error_string(ssl_error, NULL) ); - goto error; + debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL certificate '" << certfile << "': " << ERR_error_string(ssl_error, NULL)); + SSL_CTX_free(sslContext); + return NULL; } - debugs(83, 1, "Using private key in " << keyfile); + debugs(83, DBG_IMPORTANT, "Using private key in " << keyfile); ssl_ask_password(sslContext, keyfile); if (!SSL_CTX_use_PrivateKey_file(sslContext, keyfile, SSL_FILETYPE_PEM)) { ssl_error = ERR_get_error(); - debugs(83, 0, "Failed to acquire SSL private key '" << keyfile << "': " << ERR_error_string(ssl_error, NULL) ); - goto error; + debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL private key '" << keyfile << "': " << ERR_error_string(ssl_error, NULL)); + SSL_CTX_free(sslContext); + return NULL; } debugs(83, 5, "Comparing private and public SSL keys."); if (!SSL_CTX_check_private_key(sslContext)) { ssl_error = ERR_get_error(); - debugs(83, 0, "SSL private key '" << - certfile << "' does not match public key '" << - keyfile << "': " << ERR_error_string(ssl_error, NULL) ); - goto error; + debugs(83, DBG_CRITICAL, "ERROR: SSL private key '" << certfile << "' does not match public key '" << + keyfile << "': " << ERR_error_string(ssl_error, NULL)); + SSL_CTX_free(sslContext); + return NULL; } debugs(83, 9, "Setting RSA key generation callback."); 
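Review bot: The rewritten key-mismatch message in this src/ssl/support.cc hunk prints `certfile` as the private key and `keyfile` as the public key, so the log names the two files the wrong way round when SSL_CTX_check_private_key() fails. Swap the operands: `"ERROR: SSL private key '" << keyfile << "' does not match public key '" << certfile << "': "`. With the `error:` label gone, the pair `SSL_CTX_free(sslContext); return NULL;` is now repeated in every failing branch, so any later early return has to remember the free itself; a short comment at the first occurrence saying so would help. The function starts and ends outside the hunk.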
@@ -745,15 +747,13 @@ if ((CAfile || CApath) && !SSL_CTX_load_verify_locations(sslContext, CAfile, CApath)) { ssl_error = ERR_get_error(); - debugs(83, 1, "Error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL) ); - debugs(83, 1, "continuing anyway..." ); + debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL)); } if (!(fl & SSL_FLAG_NO_DEFAULT_CA) && !SSL_CTX_set_default_verify_paths(sslContext)) { ssl_error = ERR_get_error(); - debugs(83, 1, "Error setting default CA certificate location: " << ERR_error_string(ssl_error, NULL) ); - debugs(83, 1, "continuing anyway..." ); + debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default CA certificate location: " << ERR_error_string(ssl_error, NULL)); } if (clientCA) { @@ -762,8 +762,9 @@ cert_names = SSL_load_client_CA_file(clientCA); if (cert_names == NULL) { - debugs(83, 1, "Error loading the client CA certificates from '" << clientCA << "\': " << ERR_error_string(ERR_get_error(),NULL) ); - goto error; + debugs(83, DBG_IMPORTANT, "ERROR: loading the client CA certificates from '" << clientCA << "\': " << ERR_error_string(ERR_get_error(),NULL)); + SSL_CTX_free(sslContext); + return NULL; } ERR_clear_error(); @@ -806,10 +807,10 @@ } if (!dh) - debugs(83, 1, "WARNING: Failed to read DH parameters '" << dhfile << "'"); + debugs(83, DBG_IMPORTANT, "WARNING: Failed to read DH parameters '" << dhfile << "'"); else if (dh && DH_check(dh, &codes) == 0) { if (codes) { - debugs(83, 1, "WARNING: Failed to verify DH parameters '" << dhfile << "' (" << std::hex << codes << ")"); + debugs(83, DBG_IMPORTANT, "WARNING: Failed to verify DH parameters '" << dhfile << "' (" << std::hex << codes << ")"); DH_free(dh); dh = NULL; } @@ -823,11 +824,6 @@ SSL_CTX_set_ex_data(sslContext, ssl_ctx_ex_index_dont_verify_domain, (void *) -1); return sslContext; - -error: - SSL_CTX_free(sslContext); - - return NULL; } SSL_CTX * 
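Review bot: The client-CA failure in the @@ -762,8 +762,9 @@ hunk is fatal for the context (`SSL_CTX_free(sslContext); return NULL;`) and is tagged "ERROR:", but it logs at DBG_IMPORTANT, while the other fatal branches of the same function in the @@ -711,31 +711,33 @@ hunk use DBG_CRITICAL. Use `debugs(83, DBG_CRITICAL, "ERROR: loading the client CA certificates from '" << clientCA << ...` so the level matches the severity and the message is not lost when verbosity is reduced.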
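Review bot: In the @@ -806,10 +807,10 @@ hunk the branch `else if (dh && DH_check(dh, &codes) == 0)` inspects `codes` only when DH_check() itself reports failure. OpenSSL documents DH_check() as returning 1 when the check could be performed and reporting unsuitable parameters through the `codes` flags, so a parameter file that fails the primality or generator checks passes this test and is kept. The condition should reject on either signal, e.g. `else if (DH_check(dh, &codes) == 0 || codes != 0) {`, with the warning, `DH_free(dh);` and `dh = NULL;` applied unconditionally inside. The condition is unchanged context in this commit and the enclosing function lies outside the hunk, so confirm against the full source.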
@@ -857,7 +853,7 @@ debugs(83, 5, "Using SSLv2."); method = SSLv2_client_method(); #else - debugs(83, 1, "SSLv2 is not available in this Proxy."); + debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy."); return NULL; #endif break; @@ -931,7 +927,7 @@ SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb); if (fl & SSL_FLAG_DONT_VERIFY_PEER) { - debugs(83, 1, "NOTICE: Peer certificates are not verified for validity!"); + debugs(83, 2, "NOTICE: Peer certificates are not verified for validity!"); SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL); } else { debugs(83, 9, "Setting certificate verification callback."); @@ -942,8 +938,7 @@ if ((CAfile || CApath) && !SSL_CTX_load_verify_locations(sslContext, CAfile, CApath)) { ssl_error = ERR_get_error(); - debugs(83, 1, "Error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL)); - debugs(83, 1, "continuing anyway..." ); + debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL)); } if (CRLfile) { @@ -962,8 +957,7 @@ if (!(fl & SSL_FLAG_NO_DEFAULT_CA) && !SSL_CTX_set_default_verify_paths(sslContext)) { ssl_error = ERR_get_error(); - debugs(83, 1, "Error setting default CA certificate location: " << ERR_error_string(ssl_error, NULL) ); - debugs(83, 1, "continuing anyway..."); + debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default CA certificate location: " << ERR_error_string(ssl_error, NULL)); } return sslContext; diff -u -r -N squid-3.2.0.11/src/String.cci squid-3.2.0.12/src/String.cci --- squid-3.2.0.11/src/String.cci 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/String.cci 2011-09-16 23:37:30.000000000 +1200 
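Review bot: Lowering `"NOTICE: Peer certificates are not verified for validity!"` from level 1 to level 2 in the @@ -931,7 +927,7 @@ hunk means a log at level 1 no longer records that SSL_FLAG_DONT_VERIFY_PEER put the context into SSL_VERIFY_NONE. That is the one line an operator or auditor would look for to learn that upstream TLS is unauthenticated. If the aim is to cut repetition, keep it at `DBG_IMPORTANT` and emit it once where the flag is parsed instead of on every context creation. The function starts and ends outside the hunk.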
@@ -200,3 +200,9 @@ os.write(aString.rawBuf(),aString.size()); return os; } + +bool +operator<(const String &a, const String &b) +{ + return a.cmp(b) < 0; +} diff -u -r -N squid-3.2.0.11/src/tests/STUB.h squid-3.2.0.12/src/tests/STUB.h --- squid-3.2.0.11/src/tests/STUB.h 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/tests/STUB.h 2011-09-16 23:37:30.000000000 +1200 
@@ -1,11 +1,43 @@ #ifndef STUB #include "fatal.h" +/** \group STUB + * + * A set of useful macros to create stub_* files. + * + * Intended for use building unit tests, if a stubbed function is called + * by any code it is linked to it will abort with a message indicating + * which API file is missing from the linked dependencies. + * + * Usage: + * at the top of your intended stub file define STUB_API to be the + * name of the .cc file or library you are providing a stub of + * then include this STUB.h header. + * + * #define STUB_API "foo/libexample.la" + * #include "tests/STUB.h" + */ + +/// macro to stub a void function. #define STUB { fatal(STUB_API " required"); } + +/** macro to stub a function with return value. + * Aborts unit tests requiring its definition with a message about the missing linkage + */ #define STUB_RETVAL(x) { fatal(STUB_API " required"); return x; } -//#define STUB_RETREF(x) { fatal(STUB_API " required"); x* o = new (x); return *o; } -// NP: no () around the x here + +/** macro to stub a function which returns a reference to dynamic + * Aborts unit tests requiring its definition with a message about the missing linkage + * This macro uses 'new x' to construct a stack vailable for the reference, may leak. + * \param x may be the type to define or a constructor call with parameter values + */ #define STUB_RETREF(x) { fatal(STUB_API " required"); return new x; } + +/** macro to stub a function which returns a reference to static + * Aborts unit tests requiring its definition with a message about the missing linkage + * This macro uses static variable definition to avoid leaks. + * \param x the type name to define + */ #define STUB_RETSTATREF(x) { fatal(STUB_API " required"); static x v; return v; } #endif /* STUB */ diff -u -r -N squid-3.2.0.11/src/tools.cc squid-3.2.0.12/src/tools.cc --- squid-3.2.0.11/src/tools.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/tools.cc 2011-09-16 23:37:30.000000000 +1200 
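Review bot: The new comment on STUB_RETREF says the macro "returns a reference to dynamic" and that `new x` constructs "a stack vailable", but the body is `return new x;`, which allocates on the heap and yields a pointer. Reword it along the lines of `/** macro to stub a function which returns a dynamically allocated object; uses 'new x', so the object leaks. */`, and say whether the stubbed function is expected to return a pointer or a reference. The removed commented-out variant dereferenced the allocation (`return *o;`), so if reference-returning stubs are the intent, the macro itself may need the same treatment.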
@@ -1050,7 +1050,7 @@ #if HAVE_SETRLIMIT && defined(RLIMIT_VMEM) if (getrlimit(RLIMIT_VMEM, &rl) < 0) { - debugs(50, 0, "getrlimit: RLIMIT_VMEM: " << xstrerror()); + debugs(50, DBG_CRITICAL, "getrlimit: RLIMIT_VMEM: " << xstrerror()); } else if (rl.rlim_max > rl.rlim_cur) { rl.rlim_cur = rl.rlim_max; /* set it to the max */ @@ -1073,7 +1073,7 @@ sigemptyset(&sa.sa_mask); if (sigaction(sig, &sa, NULL) < 0) - debugs(50, 0, "sigaction: sig=" << sig << " func=" << func << ": " << xstrerror()); + debugs(50, DBG_CRITICAL, "sigaction: sig=" << sig << " func=" << func << ": " << xstrerror()); #else #if _SQUID_MSWIN_ diff -u -r -N squid-3.2.0.11/src/wccp2.cc squid-3.2.0.12/src/wccp2.cc --- squid-3.2.0.11/src/wccp2.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/wccp2.cc 2011-09-16 23:37:30.000000000 +1200 @@ -985,12 +985,12 @@ debugs(80, 5, "wccp2ConnectionOpen: Called"); if (wccp2_numrouters == 0 || !wccp2_service_list_head) { - debugs(80, 2, "WCCPv2 Disabled."); + debugs(80, 2, "WCCPv2 Disabled. No IPv4 Router(s) configured."); return; } if ( !Config.Wccp2.address.SetIPv4() ) { - debugs(80, 0, "WCCPv2 Disabled. " << Config.Wccp2.address << " is not an IPv4 address."); + debugs(80, DBG_CRITICAL, "WCCPv2 Disabled. Local address " << Config.Wccp2.address << " is not an IPv4 address."); return; } @@ -2135,7 +2135,7 @@ service_id = GetInteger(); if (service_id < 0 || service_id > 255) { - debugs(80, 0, "wccp2ParseServiceInfo: service info id " << service_id << " is out of range (0..255)"); + debugs(80, DBG_CRITICAL, "ERROR: invalid WCCP service id " << service_id << " (must be between 0 .. 255)"); self_destruct(); } 
@@ -2306,7 +2306,7 @@ service_id = GetInteger(); if (service_id < 0 || service_id > 255) { - debugs(80, 1, "parse_wccp2_service_info: invalid service id " << service_id << " (must be between 0 .. 255)"); + debugs(80, DBG_CRITICAL, "ERROR: invalid WCCP service id " << service_id << " (must be between 0 .. 255)"); self_destruct(); } diff -u -r -N squid-3.2.0.11/src/wccp.cc squid-3.2.0.12/src/wccp.cc --- squid-3.2.0.11/src/wccp.cc 2011-08-29 03:09:21.000000000 +1200 +++ squid-3.2.0.12/src/wccp.cc 2011-09-16 23:37:30.000000000 +1200 @@ -139,12 +139,12 @@ } if ( !Config.Wccp.router.SetIPv4() ) { - debugs(1, 1, "WCCPv1 Disabled. Router " << Config.Wccp.router << " is not IPv4."); + debugs(80, DBG_CRITICAL, "WCCPv1 Disabled. Router " << Config.Wccp.router << " is not an IPv4 address."); return; } if ( !Config.Wccp.address.SetIPv4() ) { - debugs(1, 1, "WCCPv1 Disabled. Local address " << Config.Wccp.address << " is not IPv4."); + debugs(80, DBG_CRITICAL, "WCCPv1 Disabled. Local address " << Config.Wccp.address << " is not an IPv4 address."); return; }