diff -u squid-2.6.1/debian/changelog squid-2.6.1/debian/changelog
--- squid-2.6.1/debian/changelog
+++ squid-2.6.1/debian/changelog
@@ -1,3 +1,9 @@
+squid (2.6.1-3ubuntu1.3) edgy-security; urgency=low
+
+ * Fix Ubuntu bug 68818 (transparent proxy doesn't work)
+
+ -- Stéphane Graber Sat, 17 Mar 2007 23:49:27 +0100
+
 squid (2.6.1-3ubuntu1.2) edgy-security; urgency=low
 * SECURITY UPDATE: multiple denial of service vulnerabilities.
diff -u squid-2.6.1/debian/patches/00list squid-2.6.1/debian/patches/00list
--- squid-2.6.1/debian/patches/00list
+++ squid-2.6.1/debian/patches/00list
@@ -3,6 +3,7 @@
 03-no-append-domain-localhost
 04-smb-auth
 06-unlinkd
+08-ubuntu-bugfix-68818
 48-kfreebsd-kqueue
 55-ftp-segfault
 56-external-acl-crash
only in patch2: unchanged:
--- squid-2.6.1.orig/debian/patches/08-ubuntu-bugfix-68818.dpatch
+++ squid-2.6.1/debian/patches/08-ubuntu-bugfix-68818.dpatch
@@ -0,0 +1,248 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 08-ubuntu-bugfix-68818.dpatch by Stéphane Graber
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix Ubuntu bug 868818 (Transparent proxy) (Based on patch from Squid bug 1650)
+
+@DPATCH@
+
+diff -Nrup squid_2.6.1.orig/configure squid_2.6.1/configure
+--- squid_2.6.1.orig/configure 2006-07-01 20:42:47.000000000 +0200
++++ squid_2.6.1/configure 2007-03-17 23:29:15.000000000 +0100
+@@ -1,5 +1,5 @@
+ #! /bin/sh
+-# From configure.in Revision: 1.384 .
++# From configure.in Revision.
+ # Guess values for system-dependent variables and create Makefiles.
+ # Generated by GNU Autoconf 2.59 for Squid Web Proxy 2.6.STABLE1.
+ #
+@@ -907,8 +907,6 @@ Optional Features:
+ --enable-forw-via-db Enable Forw/Via database
+ --enable-cache-digests Use Cache Digests
+ see http://www.squid-cache.org/FAQ/FAQ-16.html
+- --enable-auth-on-acceleration
+- Enable authentication in accelerators
+ --enable-default-err-language=lang
+ Select default language for Error pages (see
+ errors directory)
+@@ -4220,20 +4218,6 @@ _ACEOF
+
+ fi;
+
+-# Check whether --enable-auth-on-acceleration or --disable-auth-on-acceleration was given.
+-if test "${enable_auth_on_acceleration+set}" = set; then
+- enableval="$enable_auth_on_acceleration"
+- if test "$enableval" = "yes" ; then
+- echo "AUTH_ON_ACCELERATION enabled"
+-
+-cat >>confdefs.h <<\_ACEOF
+-#define AUTH_ON_ACCELERATION 1
+-_ACEOF
+-
+- fi
+-
+-fi;
+-
+ # Check whether --enable-default-err-language or --disable-default-err-language was given.
+ if test "${enable_default_err_language+set}" = set; then
+ enableval="$enable_default_err_language"
+diff -Nrup squid_2.6.1.orig/configure.in squid_2.6.1/configure.in
+--- squid_2.6.1.orig/configure.in 2006-07-01 20:42:47.000000000 +0200
++++ squid_2.6.1/configure.in 2007-03-17 23:29:15.000000000 +0100
+@@ -736,15 +736,6 @@ AC_ARG_ENABLE(cache-digests,
+ fi
+ ])
+
+-AC_ARG_ENABLE(auth-on-acceleration,
+-[ --enable-auth-on-acceleration
+- Enable authentication in accelerators],
+-[ if test "$enableval" = "yes" ; then
+- echo "AUTH_ON_ACCELERATION enabled"
+- AC_DEFINE(AUTH_ON_ACCELERATION, 1, [Enable authentication support in accelerators])
+- fi
+-])
+-
+ dnl Select Default Error language
+ AC_ARG_ENABLE(default-err-language,
+ [ --enable-default-err-language=lang
+diff -Nrup squid_2.6.1.orig/include/autoconf.h.in squid_2.6.1/include/autoconf.h.in
+--- squid_2.6.1.orig/include/autoconf.h.in 2006-06-21 22:33:46.000000000 +0200
++++ squid_2.6.1/include/autoconf.h.in 2007-03-17 23:29:15.000000000 +0100
+@@ -3,9 +3,6 @@
+ /* Defines how many threads aufs uses for I/O */
+ #undef AUFS_IO_THREADS
+
+-/* Enable authentication support in accelerators */
+-#undef AUTH_ON_ACCELERATION
+-
+ /* If you are upset that the cachemgr.cgi form comes up with the hostname
+ field blank, then define this to getfullhostname() */
+ #undef CACHEMGR_HOSTNAME
+diff -Nrup squid_2.6.1.orig/src/acl.c squid_2.6.1/src/acl.c
+--- squid_2.6.1.orig/src/acl.c 2006-06-18 01:31:03.000000000 +0200
++++ squid_2.6.1/src/acl.c 2007-03-17 23:29:15.000000000 +0100
+@@ -400,6 +400,10 @@ aclParseType(void *current)
+ type->accelerated = 1;
+ continue;
+ }
++ if (strcmp(t, "transparent") == 0) {
++ type->transparent = 1;
++ continue;
++ }
+ if (strcmp(t, "internal") == 0) {
+ type->internal = 1;
+ continue;
+@@ -1679,6 +1683,8 @@ aclMatchType(acl_request_type * type, re
+ {
+ if (type->accelerated && request->flags.accelerated)
+ return 1;
++ if (type->transparent && request->flags.transparent)
++ return 1;
+ if (type->internal && request->flags.internal)
+ return 1;
+ return 0;
+@@ -1691,20 +1697,15 @@ aclAuthenticated(aclCheck_t * checklist)
+ http_hdr_type headertype;
+ if (NULL == r) {
+ return -1;
+- } else if (!r->flags.accelerated) {
+- /* Proxy authorization on proxy requests */
+- headertype = HDR_PROXY_AUTHORIZATION;
+- } else if (r->flags.internal) {
+- /* WWW authorization on accelerated internal requests */
+- headertype = HDR_AUTHORIZATION;
+- } else {
+-#if AUTH_ON_ACCELERATION
++ } else if (r->flags.accelerated) {
+ /* WWW authorization on accelerated requests */
+ headertype = HDR_AUTHORIZATION;
+-#else
+- debug(28, 1) ("aclAuthenticated: authentication not applicable on accelerated requests.\n");
++ } else if (r->flags.transparent) {
++ debug(28, 1) ("aclAuthenticated: authentication not applicable on transparently intercepted requests.\n");
+ return -1;
+-#endif
++ } else {
++ /* Proxy authorization on proxy requests */
++ headertype = HDR_PROXY_AUTHORIZATION;
+ }
+ /* get authed here */
+ /* Note: this fills in checklist->auth_user_request when applicable (auth incomplete) */
+@@ -2911,6 +2912,8 @@ aclDumpType(acl_request_type * type)
+ wordlistAdd(&W, "accelerated");
+ if (type->internal)
+ wordlistAdd(&W, "internal");
++ if (type->transparent)
++ wordlistAdd(&W, "transparent");
+ return W;
+ }
+
+diff -Nrup squid_2.6.1.orig/src/client_side.c squid_2.6.1/src/client_side.c
+--- squid_2.6.1.orig/src/client_side.c 2006-06-30 23:23:05.000000000 +0200
++++ squid_2.6.1/src/client_side.c 2007-03-17 23:29:15.000000000 +0100
+@@ -3482,7 +3482,7 @@ clientProcessMiss(clientHttpRequest * ht
+ /*
+ * Deny loops when running in accelerator/transproxy mode.
+ */
+- if (http->flags.accel && r->flags.loopdetect) {
++ if (r->flags.loopdetect && (http->flags.accel || http->flags.transparent)) {
+ http->al.http.code = HTTP_FORBIDDEN;
+ err = errorCon(ERR_ACCESS_DENIED, HTTP_FORBIDDEN);
+ err->request = requestLink(http->orig_request);
+@@ -3681,16 +3681,20 @@ parseHttpRequest(ConnStateData * conn, m
+ #endif
+
+ /* handle "accelerated" objects (and internal) */
+- if (method == METHOD_CONNECT); /* Nothing to do */
+- else if (*url == '/')
++ if (method == METHOD_CONNECT) {
++ if (conn->port->accel)
++ goto invalid_request;
++ } else if (*url == '/')
+ accel:{
+ int vhost = conn->port->vhost || conn->port->transparent;
+- int vport = conn->port->vport || conn->transparent;
++ int vport = conn->port->vport;
++ int accel = conn->port->accel;
++ if (!vport && conn->transparent)
++ vport = ntohs(conn->me.sin_port);
+ if (Config.onoff.global_internal_static && conn->port->accel && internalCheck(url)) {
+ /* prepend our name & port */
+ http->uri = xstrdup(internalStoreUri("", url));
+ http->flags.internal = 1;
+- http->flags.accel = 1;
+ debug(33, 5) ("INTERNAL REWRITE: '%s'\n", http->uri);
+ } else if (vhost && (t = mime_get_header(req_hdr, "Host"))) {
+ url_sz = strlen(url) + 32 + Config.appendDomainLen +
+@@ -3722,14 +3726,14 @@ parseHttpRequest(ConnStateData * conn, m
+ /* prepend our name & port */
+ http->uri = xstrdup(internalStoreUri("", url));
+ http->flags.internal = 1;
+- http->flags.accel = 1;
+ debug(33, 5) ("INTERNAL REWRITE: '%s'\n", http->uri);
+ } else {
+ goto invalid_request;
+ }
+- http->flags.accel = 1;
+- } else if (conn->transparent) {
+- http->flags.accel = 1;
++ if (accel)
++ http->flags.accel = 1;
++ else if (conn->port->transparent)
++ http->flags.transparent = 1;
+ } else if (conn->port->accel) {
+ http->flags.accel = 1;
+ if (!conn->port->vhost) {
+@@ -3741,9 +3745,6 @@ parseHttpRequest(ConnStateData * conn, m
+ url = (char *) "/";
+ goto accel;
+ }
+- } else {
+- /* Proxy request */
+-
http->flags.accel = 0;
+ }
+ if (!http->uri) {
+ /* No special rewrites have been applied above, use the
+@@ -3751,7 +3752,6 @@ parseHttpRequest(ConnStateData * conn, m
+ url_sz = strlen(url) + Config.appendDomainLen + 5;
+ http->uri = xcalloc(url_sz, 1);
+ strcpy(http->uri, url);
+- http->flags.accel = 0;
+ }
+ if (!stringHasCntl(http->uri))
+ http->log_uri = xstrndup(http->uri, MAX_URL);
+@@ -3987,6 +3987,7 @@ clientReadRequest(int fd, void *data)
+ request->flags.tproxy = conn->port->tproxy;
+ #endif
+ request->flags.accelerated = http->flags.accel;
++ request->flags.transparent = http->flags.transparent;
+ /*
+ * cache the Content-length value in request_t.
+ */
+diff -Nrup squid_2.6.1.orig/src/structs.h squid_2.6.1/src/structs.h
+--- squid_2.6.1.orig/src/structs.h 2006-06-30 23:23:05.000000000 +0200
++++ squid_2.6.1/src/structs.h 2007-03-17 23:29:15.000000000 +0100
+@@ -346,6 +346,7 @@ struct _relist {
+
+ struct _acl_request_type {
+ unsigned int accelerated:1;
++ unsigned int transparent:1;
+ unsigned int internal:1;
+ };
+
+@@ -1190,6 +1191,7 @@ struct _clientHttpRequest {
+ AccessLogEntry al;
+ struct {
+ unsigned int accel:1;
++ unsigned int transparent:1;
+ unsigned int internal:1;
+ unsigned int done_copying:1;
+ unsigned int purging:1;
+@@ -1785,6 +1787,7 @@ struct _request_flags {
+ unsigned int nocache_hack:1; /* for changing/ignoring no-cache requests */
+ #endif
+ unsigned int accelerated:1;
++ unsigned int transparent:1;
+ unsigned int internal:1;
+ unsigned int body_sent:1;
+ unsigned int reset_tcp:1;
only in patch2: unchanged:
--- squid-2.6.1.orig/debian/patches/patch-68818
+++ squid-2.6.1/debian/patches/patch-68818
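Review bot: The `aclAuthenticated` rewrite in the acl.c hunk (`@@ -1691,20 +1697,15 @@`) does more than make interception work: the `#if AUTH_ON_ACCELERATION` / `#else ... return -1;` branch that refused authentication on accelerated requests is removed together with the `--enable-auth-on-acceleration` configure switch, so after this update every request on an accelerator port is checked against its `Authorization` header unconditionally, and a `proxy_auth` ACL applied to an accel port no longer behaves as it did on the previous build. That matches upstream (Squid bug 1650), but neither the changelog entry nor the `## DP:` header mentions it; I would add `## DP: Also drops --enable-auth-on-acceleration: WWW Authorization is now always honoured on accelerator ports` so administrators of a security update can find the behaviour change. The same header line cites bug 868818 while the changelog and the file name say 68818, which looks like a typo. The rest of aclAuthenticated lies outside the hunk, so I cannot see how the -1 from the new transparent branch is consumed by the caller.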
@@ -0,0 +1,240 @@
+diff -u -p -u -r1.388 configure
+--- configure 1 Jul 2006 18:42:04 -0000 1.388
++++ configure 3 Jul 2006 23:53:31 -0000
+@@ -1,5 +1,5 @@
+ #! /bin/sh
+-# From configure.in Revision: 1.384 .
++# From configure.in Revision.
+ # Guess values for system-dependent variables and create Makefiles.
+ # Generated by GNU Autoconf 2.59 for Squid Web Proxy 2.6.STABLE1-CVS.
+ #
+@@ -907,8 +907,6 @@ Optional Features:
+ --enable-forw-via-db Enable Forw/Via database
+ --enable-cache-digests Use Cache Digests
+ see http://www.squid-cache.org/FAQ/FAQ-16.html
+- --enable-auth-on-acceleration
+- Enable authentication in accelerators
+ --enable-default-err-language=lang
+ Select default language for Error pages (see
+ errors directory)
+@@ -4220,20 +4218,6 @@ _ACEOF
+
+ fi;
+
+-# Check whether --enable-auth-on-acceleration or --disable-auth-on-acceleration was given.
+-if test "${enable_auth_on_acceleration+set}" = set; then
+- enableval="$enable_auth_on_acceleration"
+- if test "$enableval" = "yes" ; then
+- echo "AUTH_ON_ACCELERATION enabled"
+-
+-cat >>confdefs.h <<\_ACEOF
+-#define AUTH_ON_ACCELERATION 1
+-_ACEOF
+-
+- fi
+-
+-fi;
+-
+ # Check whether --enable-default-err-language or --disable-default-err-language was given.
+ if test "${enable_default_err_language+set}" = set; then
+ enableval="$enable_default_err_language"
+diff -u -p -u -r1.384 configure.in
+--- configure.in 1 Jul 2006 18:41:21 -0000 1.384
++++ configure.in 3 Jul 2006 23:53:32 -0000
+@@ -736,15 +736,6 @@ AC_ARG_ENABLE(cache-digests,
+ fi
+ ])
+
+-AC_ARG_ENABLE(auth-on-acceleration,
+-[ --enable-auth-on-acceleration
+- Enable authentication in accelerators],
+-[ if test "$enableval" = "yes" ; then
+- echo "AUTH_ON_ACCELERATION enabled"
+- AC_DEFINE(AUTH_ON_ACCELERATION, 1, [Enable authentication support in accelerators])
+- fi
+-])
+-
+ dnl Select Default Error language
+ AC_ARG_ENABLE(default-err-language,
+ [ --enable-default-err-language=lang
+diff -u -p -u -r1.153 autoconf.h.in
+--- include/autoconf.h.in 21 Jun 2006 20:33:46 -0000 1.153
++++ include/autoconf.h.in 3 Jul 2006 23:53:32 -0000
+@@ -3,9 +3,6 @@
+ /* Defines how many threads aufs uses for I/O */
+ #undef AUFS_IO_THREADS
+
+-/* Enable authentication support in accelerators */
+-#undef AUTH_ON_ACCELERATION
+-
+ /* If you are upset that the cachemgr.cgi form comes up with the hostname
+ field blank, then define this to getfullhostname() */
+ #undef CACHEMGR_HOSTNAME
+diff -u -p -u -r1.303 acl.c
+--- src/acl.c 17 Jun 2006 23:31:03 -0000 1.303
++++ src/acl.c 3 Jul 2006 23:53:32 -0000
+@@ -400,6 +400,10 @@ aclParseType(void *current)
+ type->accelerated = 1;
+ continue;
+ }
++ if (strcmp(t, "transparent") == 0) {
++ type->transparent = 1;
++ continue;
++ }
+ if (strcmp(t, "internal") == 0) {
+ type->internal = 1;
+ continue;
+@@ -1679,6 +1683,8 @@ aclMatchType(acl_request_type * type, re
+ {
+ if (type->accelerated && request->flags.accelerated)
+ return 1;
++ if (type->transparent && request->flags.transparent)
++ return 1;
+ if (type->internal && request->flags.internal)
+ return 1;
+ return 0;
+@@ -1691,20 +1697,15 @@ aclAuthenticated(aclCheck_t * checklist)
+ http_hdr_type headertype;
+ if (NULL == r) {
+ return -1;
+- } else if (!r->flags.accelerated) {
+- /* Proxy authorization on proxy requests */
+- headertype = HDR_PROXY_AUTHORIZATION;
+- } else if (r->flags.internal) {
+- /* WWW authorization on accelerated internal requests */
+- headertype = HDR_AUTHORIZATION;
+- } else {
+-#if AUTH_ON_ACCELERATION
++ } else if (r->flags.accelerated) {
+ /* WWW authorization on accelerated requests */
+ headertype = HDR_AUTHORIZATION;
+-#else
+- debug(28, 1) ("aclAuthenticated: authentication not applicable on accelerated requests.\n");
++ } else if (r->flags.transparent) {
++ debug(28, 1) ("aclAuthenticated: authentication not applicable on transparently intercepted requests.\n");
+ return -1;
+-#endif
++ } else {
++ /* Proxy authorization on proxy requests */
++ headertype = HDR_PROXY_AUTHORIZATION;
+ }
+ /* get authed here */
+ /* Note: this fills in checklist->auth_user_request when applicable (auth incomplete) */
+@@ -2911,6 +2912,8 @@ aclDumpType(acl_request_type * type)
+ wordlistAdd(&W, "accelerated");
+ if (type->internal)
+ wordlistAdd(&W, "internal");
++ if (type->transparent)
++ wordlistAdd(&W, "transparent");
+ return W;
+ }
+
+diff -u -p -u -r1.656 client_side.c
+--- src/client_side.c 30 Jun 2006 21:23:05 -0000 1.656
++++ src/client_side.c 3 Jul 2006 23:53:32 -0000
+@@ -3482,7 +3482,7 @@ clientProcessMiss(clientHttpRequest * ht
+ /*
+ * Deny loops when running in accelerator/transproxy mode.
+ */
+- if (http->flags.accel && r->flags.loopdetect) {
++ if (r->flags.loopdetect && (http->flags.accel || http->flags.transparent)) {
+ http->al.http.code = HTTP_FORBIDDEN;
+ err = errorCon(ERR_ACCESS_DENIED, HTTP_FORBIDDEN);
+ err->request = requestLink(http->orig_request);
+@@ -3681,16 +3681,20 @@ parseHttpRequest(ConnStateData * conn, m
+ #endif
+
+ /* handle "accelerated" objects (and internal) */
+- if (method == METHOD_CONNECT); /* Nothing to do */
+- else if (*url == '/')
++ if (method == METHOD_CONNECT) {
++ if (conn->port->accel)
++ goto invalid_request;
++ } else if (*url == '/')
+ accel:{
+ int vhost = conn->port->vhost || conn->port->transparent;
+- int vport = conn->port->vport || conn->transparent;
++ int vport = conn->port->vport;
++ int accel = conn->port->accel;
++ if (!vport && conn->transparent)
++ vport = ntohs(conn->me.sin_port);
+ if (Config.onoff.global_internal_static && conn->port->accel && internalCheck(url)) {
+ /* prepend our name & port */
+ http->uri = xstrdup(internalStoreUri("", url));
+ http->flags.internal = 1;
+- http->flags.accel = 1;
+ debug(33, 5) ("INTERNAL REWRITE: '%s'\n", http->uri);
+ } else if (vhost && (t = mime_get_header(req_hdr, "Host"))) {
+ url_sz = strlen(url) + 32 + Config.appendDomainLen +
+@@ -3722,14 +3726,14 @@ parseHttpRequest(ConnStateData * conn, m
+ /* prepend our name & port */
+ http->uri = xstrdup(internalStoreUri("", url));
+ http->flags.internal = 1;
+- http->flags.accel = 1;
+ debug(33, 5) ("INTERNAL REWRITE: '%s'\n", http->uri);
+ } else {
+ goto invalid_request;
+ }
+- http->flags.accel = 1;
+- } else if (conn->transparent) {
+- http->flags.accel = 1;
++ if (accel)
++ http->flags.accel = 1;
++ else if (conn->port->transparent)
++ http->flags.transparent = 1;
+ } else if (conn->port->accel) {
+ http->flags.accel = 1;
+ if (!conn->port->vhost) {
+@@ -3741,9 +3745,6 @@ parseHttpRequest(ConnStateData * conn, m
+ url = (char *) "/";
+ goto accel;
+ }
+- } else {
+- /* Proxy request */
+-
http->flags.accel = 0;
+ }
+ if (!http->uri) {
+ /* No special rewrites have been applied above, use the
+@@ -3751,7 +3752,6 @@ parseHttpRequest(ConnStateData * conn, m
+ url_sz = strlen(url) + Config.appendDomainLen + 5;
+ http->uri = xcalloc(url_sz, 1);
+ strcpy(http->uri, url);
+- http->flags.accel = 0;
+ }
+ if (!stringHasCntl(http->uri))
+ http->log_uri = xstrndup(http->uri, MAX_URL);
+@@ -3987,6 +3987,7 @@ clientReadRequest(int fd, void *data)
+ request->flags.tproxy = conn->port->tproxy;
+ #endif
+ request->flags.accelerated = http->flags.accel;
++ request->flags.transparent = http->flags.transparent;
+ /*
+ * cache the Content-length value in request_t.
+ */
+diff -u -p -u -r1.489 structs.h
+--- src/structs.h 30 Jun 2006 21:23:05 -0000 1.489
++++ src/structs.h 3 Jul 2006 23:53:32 -0000
+@@ -346,6 +346,7 @@ struct _relist {
+
+ struct _acl_request_type {
+ unsigned int accelerated:1;
++ unsigned int transparent:1;
+ unsigned int internal:1;
+ };
+
+@@ -1190,6 +1191,7 @@ struct _clientHttpRequest {
+ AccessLogEntry al;
+ struct {
+ unsigned int accel:1;
++ unsigned int transparent:1;
+ unsigned int internal:1;
+ unsigned int done_copying:1;
+ unsigned int purging:1;
+@@ -1785,6 +1787,7 @@ struct _request_flags {
+ unsigned int nocache_hack:1; /* for changing/ignoring no-cache requests */
+ #endif
+ unsigned int accelerated:1;
++ unsigned int transparent:1;
+ unsigned int internal:1;
+ unsigned int body_sent:1;
+ unsigned int reset_tcp:1;
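Review bot: debian/patches/patch-68818 is a second copy of the same upstream change that 08-ubuntu-bugfix-68818.dpatch already carries, and the 00list hunk adds only the dpatch, so this file is never applied; it just leaves two copies of the fix to drift apart and should be dropped from the package (or, if it is kept as the upstream reference, the dpatch's `## DP:` header should say so). On the code itself, the new `if (!vport && conn->transparent) vport = ntohs(conn->me.sin_port);` in the client_side.c hunk takes the port from the intercepted destination, but the host part of the rebuilt URL still comes solely from the client's `Host` header in the `mime_get_header(req_hdr, "Host")` branch a few lines below, and nothing in the hunk compares that name against `conn->me`; the lines that splice the header into `http->uri` fall between `@@ -3681` and `@@ -3722`, so I cannot see whether a check exists there. If none does, a client behind the interceptor can make the proxy fetch, and cache under that Host, any origin it names, so at minimum a `/* TODO: intercepted requests trust the client Host header; validate against conn->me */` belongs on that branch until a real check is added. parseHttpRequest begins and ends outside these hunks.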