Hello community, here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2014-09-06 12:18:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/haproxy (Old) and /work/SRC/openSUSE:Factory/.haproxy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy" Changes: -------- --- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2014-08-25 11:05:25.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.haproxy.new/haproxy.changes 2014-09-06 12:18:15.000000000 +0200 @@ -1,0 +2,26 @@ +Wed Sep 3 07:35:14 UTC 2014 - [email protected] + +- update to 1.5.4 + - BUG: config: error in http-response replace-header number of arguments + - BUG/MINOR: Fix search for -p argument in systemd wrapper. + - BUG/MEDIUM: auth: fix segfault with http-auth and a configuration with an unknown encryption algorithm + - BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported + - MEDIUM: connection: add new bit in Proxy Protocol V2 + - BUG/MINOR: server: move the directive #endif to the end of file + - BUG/MEDIUM: http: tarpit timeout is reset + - BUG/MAJOR: tcp: fix a possible busy spinning loop in content track-sc* + - BUG/MEDIUM: http: fix inverted condition in pat_match_meth() + - BUG/MEDIUM: http: fix improper parsing of HTTP methods for use with ACLs + - BUG/MINOR: pattern: remove useless allocation of unused trash in pat_parse_reg() + - BUG/MEDIUM: acl: correctly compute the output type when a converter is used + - CLEANUP: acl: cleanup some of the redundancy and spaghetti after last fix + - BUG/CRITICAL: http: don't update msg->sov once data start to leave the buffer + +- Dropped patches: + - 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch + - 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch + - 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch + - 0004-BUG-config-error-in-http-response-replace-header-num.patch + - 0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch + +------------------------------------------------------------------- Old: ---- 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch 0004-BUG-config-error-in-http-response-replace-header-num.patch 0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch haproxy-1.5.3.tar.gz New: ---- haproxy-1.5.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ haproxy.spec ++++++ --- /var/tmp/diff_new_pack.AXQ9m9/_old 2014-09-06 12:18:16.000000000 +0200 +++ /var/tmp/diff_new_pack.AXQ9m9/_new 2014-09-06 12:18:16.000000000 +0200 @@ -33,7 +33,7 @@ %bcond_without apparmor Name: haproxy -Version: 1.5.3 +Version: 1.5.4 Release: 0 # # @@ -61,11 +61,6 @@ Patch2: haproxy-makefile_lib.patch Patch3: sec-options.patch Patch4: haproxy-1.5_check_config_before_start.patch -Patch5: 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch -Patch6: 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch -Patch7: 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch -Patch8: 0004-BUG-config-error-in-http-response-replace-header-num.patch -Patch9: 0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch Source99: haproxy-rpmlintrc # Summary: The Reliable, High Performance TCP/HTTP Load Balancer @@ -99,11 +94,6 @@ %patch2 %patch3 %patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 %build %{__make} \ ++++++ haproxy-1.5.3.tar.gz -> haproxy-1.5.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/CHANGELOG new/haproxy-1.5.4/CHANGELOG --- old/haproxy-1.5.3/CHANGELOG 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/CHANGELOG 2014-09-02 13:54:16.000000000 +0200 @@ -1,6 +1,22 @@ ChangeLog : =========== +2014/09/02 : 1.5.4 + - BUG: config: error in http-response replace-header number of arguments + - BUG/MINOR: Fix search for -p argument in systemd wrapper. + - BUG/MEDIUM: auth: fix segfault with http-auth and a configuration with an unknown encryption algorithm + - BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported + - MEDIUM: connection: add new bit in Proxy Protocol V2 + - BUG/MINOR: server: move the directive #endif to the end of file + - BUG/MEDIUM: http: tarpit timeout is reset + - BUG/MAJOR: tcp: fix a possible busy spinning loop in content track-sc* + - BUG/MEDIUM: http: fix inverted condition in pat_match_meth() + - BUG/MEDIUM: http: fix improper parsing of HTTP methods for use with ACLs + - BUG/MINOR: pattern: remove useless allocation of unused trash in pat_parse_reg() + - BUG/MEDIUM: acl: correctly compute the output type when a converter is used + - CLEANUP: acl: cleanup some of the redundancy and spaghetti after last fix + - BUG/CRITICAL: http: don't update msg->sov once data start to leave the buffer + 2014/07/25 : 1.5.3 - DOC: fix typo in Unix Socket commands - BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/README new/haproxy-1.5.4/README --- old/haproxy-1.5.3/README 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/README 2014-09-02 13:54:16.000000000 +0200 @@ -1,9 +1,9 @@ ---------------------- HAProxy how-to ---------------------- - version 1.5.3 + version 1.5.4 willy tarreau - 2014/07/25 + 2014/09/02 1) How to build it diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/VERDATE new/haproxy-1.5.4/VERDATE --- old/haproxy-1.5.3/VERDATE 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/VERDATE 2014-09-02 13:54:16.000000000 +0200 @@ -1,2 +1,2 @@ $Format:%ci$ -2014/07/25 +2014/09/02 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/VERSION new/haproxy-1.5.4/VERSION --- old/haproxy-1.5.3/VERSION 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/VERSION 2014-09-02 13:54:16.000000000 +0200 @@ -1 +1 @@ -1.5.3 +1.5.4 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/doc/configuration.txt new/haproxy-1.5.4/doc/configuration.txt --- old/haproxy-1.5.3/doc/configuration.txt 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/doc/configuration.txt 2014-09-02 13:54:16.000000000 +0200 @@ -2,9 +2,9 @@ HAProxy Configuration Manual ---------------------- - version 1.5.3 + version 1.5.4 willy tarreau - 2014/07/25 + 2014/09/02 This document covers the configuration language as implemented in the version diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/examples/haproxy.spec new/haproxy-1.5.4/examples/haproxy.spec --- old/haproxy-1.5.3/examples/haproxy.spec 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/examples/haproxy.spec 2014-09-02 13:54:16.000000000 +0200 @@ -1,6 +1,6 @@ Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments Name: haproxy -Version: 1.5.3 +Version: 1.5.4 Release: 1 License: GPL Group: System Environment/Daemons @@ -76,6 +76,9 @@ %attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name} %changelog +* Tue Sep 2 2014 Willy Tarreau <[email protected]> +- updated to 1.5.4 + * Fri Jul 25 2014 Willy Tarreau <[email protected]> - updated to 1.5.3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/include/proto/server.h new/haproxy-1.5.4/include/proto/server.h --- old/haproxy-1.5.3/include/proto/server.h 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/include/proto/server.h 2014-09-02 13:54:16.000000000 +0200 @@ -54,8 +54,6 @@ s->counters.last_sess = now.tv_sec; } -#endif /* _PROTO_SERVER_H */ - /* * Registers the server keyword list <kwl> as a list of valid keywords for next * parsing sessions. @@ -200,6 +198,8 @@ srv_clr_admin_flag(s, SRV_ADMF_FMAINT); } +#endif /* _PROTO_SERVER_H */ + /* * Local variables: * c-indent-level: 8 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/include/proto/ssl_sock.h new/haproxy-1.5.4/include/proto/ssl_sock.h --- old/haproxy-1.5.3/include/proto/ssl_sock.h 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/include/proto/ssl_sock.h 2014-09-02 13:54:16.000000000 +0200 @@ -51,7 +51,8 @@ const char *ssl_sock_get_cipher_name(struct connection *conn); const char *ssl_sock_get_proto_version(struct connection *conn); char *ssl_sock_get_version(struct connection *conn); -int ssl_sock_get_cert_used(struct connection *conn); +int ssl_sock_get_cert_used_sess(struct connection *conn); +int ssl_sock_get_cert_used_conn(struct connection *conn); int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out); unsigned int ssl_sock_get_verify_result(struct connection *conn); #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/include/types/channel.h new/haproxy-1.5.4/include/types/channel.h --- old/haproxy-1.5.3/include/types/channel.h 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/include/types/channel.h 2014-09-02 13:54:16.000000000 +0200 @@ -105,7 +105,7 @@ #define CF_STREAMER 0x00010000 /* the producer is identified as streaming data */ #define CF_STREAMER_FAST 0x00020000 /* the consumer seems to eat the stream very fast */ -/* unused: 0x00040000 */ +#define CF_WROTE_DATA 0x00040000 /* some data were sent from this buffer */ #define CF_ANA_TIMEOUT 0x00080000 /* the analyser timeout has expired */ #define CF_READ_ATTACHED 0x00100000 /* the read side is attached for the first time */ #define CF_KERN_SPLICING 0x00200000 /* kernel splicing desired for this channel */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/include/types/connection.h new/haproxy-1.5.4/include/types/connection.h --- old/haproxy-1.5.3/include/types/connection.h 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/include/types/connection.h 2014-09-02 13:54:16.000000000 +0200 @@ -345,8 +345,9 @@ uint8_t sub_tlv[0]; }__attribute__((packed)); -#define PP2_CLIENT_SSL 0x01 -#define PP2_CLIENT_CERT 0x02 +#define PP2_CLIENT_SSL 0x01 +#define PP2_CLIENT_CERT_CONN 0x02 +#define PP2_CLIENT_CERT_SESS 0x04 #endif /* _TYPES_CONNECTION_H */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/acl.c new/haproxy-1.5.4/src/acl.c --- old/haproxy-1.5.3/src/acl.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/acl.c 2014-09-02 13:54:16.000000000 +0200 @@ -145,7 +145,6 @@ const char *begw; const char *endw; const char *endt; - unsigned long prev_type; int cur_type; int nbargs; int operator = STD_OP_EQ; @@ -161,6 +160,7 @@ struct pat_ref *ref; struct pattern_expr *pattern_expr; int load_as_map = 0; + int acl_conv_found = 0; /* First, we look for an ACL keyword. And if we don't find one, then * we look for a sample fetch expression starting with a sample fetch @@ -229,8 +229,10 @@ /* look for the begining of the converters list. Those directly attached * to the ACL keyword are found just after <arg> which points to the comma. + * If we find any converter, then we don't use the ACL keyword's match + * anymore but the one related to the converter's output type. */ - prev_type = smp->fetch->out_type; + cur_type = smp->fetch->out_type; while (*arg) { struct sample_conv *conv; struct sample_conv_expr *conv_expr; @@ -289,19 +291,20 @@ } /* If impossible type conversion */ - if (!sample_casts[prev_type][conv->in_type]) { + if (!sample_casts[cur_type][conv->in_type]) { memprintf(err, "ACL keyword '%s' : conv method '%s' cannot be applied.", aclkw->kw, ckw); goto out_free_smp; } - prev_type = conv->out_type; + cur_type = conv->out_type; conv_expr = calloc(1, sizeof(struct sample_conv_expr)); if (!conv_expr) goto out_free_smp; LIST_ADDQ(&(smp->conv_exprs), &(conv_expr->list)); conv_expr->conv = conv; + acl_conv_found = 1; if (arg != endw) { int err_arg; @@ -347,6 +350,7 @@ memprintf(err, "%s in ACL expression '%s'", *err, *args); goto out_return; } + cur_type = smp_expr_output_type(smp); } expr = (struct acl_expr *)calloc(1, sizeof(*expr)); @@ -357,38 +361,26 @@ pattern_init_head(&expr->pat); - expr->kw = aclkw ? aclkw->kw : smp->fetch->kw; - expr->pat.parse = aclkw ? aclkw->parse : NULL; - expr->pat.index = aclkw ? aclkw->index : NULL; - expr->pat.match = aclkw ? aclkw->match : NULL; - expr->pat.delete = aclkw ? aclkw->delete : NULL; - expr->pat.prune = aclkw ? aclkw->prune : NULL; - expr->pat.expect_type = smp->fetch->out_type; - expr->smp = smp; - smp = NULL; - - /* Fill NULL pointers with values provided by the pattern.c arrays */ - if (aclkw) { - if (!expr->pat.parse) - expr->pat.parse = pat_parse_fcts[aclkw->match_type]; - - if (!expr->pat.index) - expr->pat.index = pat_index_fcts[aclkw->match_type]; - - if (!expr->pat.match) - expr->pat.match = pat_match_fcts[aclkw->match_type]; - - if (!expr->pat.delete) - expr->pat.delete = pat_delete_fcts[aclkw->match_type]; - - if (!expr->pat.prune) - expr->pat.prune = pat_prune_fcts[aclkw->match_type]; + expr->pat.expect_type = cur_type; + expr->smp = smp; + expr->kw = smp->fetch->kw; + smp = NULL; /* don't free it anymore */ + + if (aclkw && !acl_conv_found) { + expr->kw = aclkw->kw; + expr->pat.parse = aclkw->parse ? aclkw->parse : pat_parse_fcts[aclkw->match_type]; + expr->pat.index = aclkw->index ? aclkw->index : pat_index_fcts[aclkw->match_type]; + expr->pat.match = aclkw->match ? aclkw->match : pat_match_fcts[aclkw->match_type]; + expr->pat.delete = aclkw->delete ? aclkw->delete : pat_delete_fcts[aclkw->match_type]; + expr->pat.prune = aclkw->prune ? aclkw->prune : pat_prune_fcts[aclkw->match_type]; } if (!expr->pat.parse) { - /* some types can be automatically converted */ - - switch (expr->smp ? expr->smp->fetch->out_type : aclkw->smp->out_type) { + /* Parse/index/match functions depend on the expression type, + * so we have to map them now. Some types can be automatically + * converted. + */ + switch (cur_type) { case SMP_T_BOOL: expr->pat.parse = pat_parse_fcts[PAT_MATCH_BOOL]; expr->pat.index = pat_index_fcts[PAT_MATCH_BOOL]; @@ -427,7 +419,6 @@ } /* Additional check to protect against common mistakes */ - cur_type = smp_expr_output_type(expr->smp); if (expr->pat.parse && cur_type != SMP_T_BOOL && !*args[1]) { Warning("parsing acl keyword '%s' :\n" " no pattern to match against were provided, so this ACL will never match.\n" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/auth.c new/haproxy-1.5.4/src/auth.c --- old/haproxy-1.5.3/src/auth.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/auth.c 2014-09-02 13:54:16.000000000 +0200 @@ -252,7 +252,7 @@ fprintf(stderr, ", crypt=%s\n", ep); #endif - if (!strcmp(ep, u->pass)) + if (ep && strcmp(ep, u->pass) == 0) return 1; else return 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/cfgparse.c new/haproxy-1.5.4/src/cfgparse.c --- old/haproxy-1.5.3/src/cfgparse.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/cfgparse.c 2014-09-02 13:54:16.000000000 +0200 @@ -10,6 +10,16 @@ * */ +#ifdef CONFIG_HAP_CRYPT +/* This is to have crypt() defined on Linux */ +#define _GNU_SOURCE + +#ifdef NEED_CRYPT_H +/* some platforms such as Solaris need this */ +#include <crypt.h> +#endif +#endif /* CONFIG_HAP_CRYPT */ + #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -5689,7 +5699,14 @@ while (*args[cur_arg]) { if (!strcmp(args[cur_arg], "password")) { -#ifndef CONFIG_HAP_CRYPT +#ifdef CONFIG_HAP_CRYPT + if (!crypt("", args[cur_arg + 1])) { + Alert("parsing [%s:%d]: the encrypted password used for user '%s' is not supported by crypt(3).\n", + file, linenum, newuser->user); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; + } +#else Warning("parsing [%s:%d]: no crypt(3) support compiled, encrypted passwords will not work.\n", file, linenum); err_code |= ERR_ALERT; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/connection.c new/haproxy-1.5.4/src/connection.c --- old/haproxy-1.5.3/src/connection.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/connection.c 2014-09-02 13:54:16.000000000 +0200 @@ -678,9 +678,11 @@ tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len-ret-ssl_tlv_len), PP2_TYPE_SSL_VERSION, strlen(value), value); ssl_tlv_len += tlv_len; } - if (ssl_sock_get_cert_used(remote)) { - tlv->client |= PP2_CLIENT_CERT; + if (ssl_sock_get_cert_used_sess(remote)) { + tlv->client |= PP2_CLIENT_CERT_SESS; tlv->verify = htonl(ssl_sock_get_verify_result(remote)); + if (ssl_sock_get_cert_used_conn(remote)) + tlv->client |= PP2_CLIENT_CERT_CONN; } if (srv->pp_opts & SRV_PP_V2_SSL_CN) { cn_trash = get_trash_chunk(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/haproxy-systemd-wrapper.c new/haproxy-1.5.4/src/haproxy-systemd-wrapper.c --- old/haproxy-1.5.3/src/haproxy-systemd-wrapper.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/haproxy-systemd-wrapper.c 2014-09-02 13:54:16.000000000 +0200 @@ -130,11 +130,8 @@ static void init(int argc, char **argv) { while (argc > 1) { - if (**argv == '-') { - char *flag = *argv + 1; - --argc; ++argv; - if (*flag == 'p') - pid_file = *argv; + if ((*argv)[0] == '-' && (*argv)[1] == 'p') { + pid_file = *(argv + 1); } --argc; ++argv; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/pattern.c new/haproxy-1.5.4/src/pattern.c --- old/haproxy-1.5.3/src/pattern.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/pattern.c 2014-09-02 13:54:16.000000000 +0200 @@ -178,19 +178,15 @@ * * These functions are exported and may be used by any other component. * - * The following functions are used for parsing pattern matching - * input value. The <text> contain the string to be parsed. <pattern> - * must be a preallocated pattern. The pat_parse_* functions fill this - * structure with the parsed value. <usage> can be PAT_U_COMPILE or - * PAT_U_LOOKUP. If the value PAT_U_COMPILE is used memory is allocated - * for filling the pattern. If the value PAT_U_LOOKUP is set, the parser - * use "trash" or return pointers to the input strings. In both cases, - * the caller must use the value PAT_U_LOOKUP with caution. <err> is - * filled with an error message built with memprintf() function. - * - * In succes case, the pat_parse_* function return 1. If the function - * fail, it returns 0 and <err> is filled. + * The following functions are used for parsing pattern matching input value. + * The <text> contain the string to be parsed. <pattern> must be a preallocated + * pattern. The pat_parse_* functions fill this structure with the parsed value. + * <err> is filled with an error message built with memprintf() function. It is + * allowed to use a trash as a temporary storage for the returned pattern, as + * the next call after these functions will be pat_idx_*. * + * In success case, the pat_parse_* function returns 1. If the function + * fails, it returns 0 and <err> is filled. */ /* ignore the current line */ @@ -223,17 +219,7 @@ /* Parse a regex. It is allocated. */ int pat_parse_reg(const char *text, struct pattern *pattern, int mflags, char **err) { - struct chunk *trash; - - trash = get_trash_chunk(); - if (trash->size < sizeof(*pattern->ptr.reg)) { - memprintf(err, "no space avalaible in the buffer. expect %d, provides %d", - (int)sizeof(*pattern->ptr.reg), trash->size); - return 0; - } - pattern->ptr.str = (char *)text; - return 1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/proto_http.c new/haproxy-1.5.4/src/proto_http.c --- old/haproxy-1.5.3/src/proto_http.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/proto_http.c 2014-09-02 13:54:16.000000000 +0200 @@ -4117,8 +4117,9 @@ done: /* done with this analyser, continue with next ones that the calling * points will have set, if any. */ - req->analysers &= ~an_bit; req->analyse_exp = TICK_ETERNITY; + done_without_exp: /* done with this analyser, but dont reset the analyse_exp. */ + req->analysers &= ~an_bit; return 1; tarpit: @@ -4144,7 +4145,7 @@ s->be->be_counters.denied_req++; if (s->listener->counters) s->listener->counters->denied_req++; - goto done; + goto done_without_exp; deny: /* this request was blocked (denied) */ txn->flags |= TX_CLDENY; @@ -4885,8 +4886,8 @@ s->req->cons->conn_retries = 0; /* used for logging too */ s->req->cons->exp = TICK_ETERNITY; s->req->cons->flags &= SI_FL_DONT_WAKE; /* we're in the context of process_session */ - s->req->flags &= ~(CF_SHUTW|CF_SHUTW_NOW|CF_AUTO_CONNECT|CF_WRITE_ERROR|CF_STREAMER|CF_STREAMER_FAST|CF_NEVER_WAIT|CF_WAKE_CONNECT); - s->rep->flags &= ~(CF_SHUTR|CF_SHUTR_NOW|CF_READ_ATTACHED|CF_READ_ERROR|CF_READ_NOEXP|CF_STREAMER|CF_STREAMER_FAST|CF_WRITE_PARTIAL|CF_NEVER_WAIT); + s->req->flags &= ~(CF_SHUTW|CF_SHUTW_NOW|CF_AUTO_CONNECT|CF_WRITE_ERROR|CF_STREAMER|CF_STREAMER_FAST|CF_NEVER_WAIT|CF_WAKE_CONNECT|CF_WROTE_DATA); + s->rep->flags &= ~(CF_SHUTR|CF_SHUTR_NOW|CF_READ_ATTACHED|CF_READ_ERROR|CF_READ_NOEXP|CF_STREAMER|CF_STREAMER_FAST|CF_WRITE_PARTIAL|CF_NEVER_WAIT|CF_WROTE_DATA); s->flags &= ~(SN_DIRECT|SN_ASSIGNED|SN_ADDR_SET|SN_BE_ASSIGNED|SN_FORCE_PRST|SN_IGNORE_PRST); s->flags &= ~(SN_CURR_SESS|SN_REDIRECTABLE|SN_SRV_REUSED); @@ -5429,7 +5430,7 @@ * such as last chunk of data or trailers. */ b_adv(req->buf, msg->next); - if (unlikely(!(s->rep->flags & CF_READ_ATTACHED))) + if (unlikely(!(s->req->flags & CF_WROTE_DATA))) msg->sov -= msg->next; msg->next = 0; @@ -5481,7 +5482,7 @@ missing_data: /* we may have some pending data starting at req->buf->p */ b_adv(req->buf, msg->next); - if (unlikely(!(s->rep->flags & CF_READ_ATTACHED))) + if (unlikely(!(s->req->flags & CF_WROTE_DATA))) msg->sov -= msg->next + MIN(msg->chunk_len, req->buf->i); msg->next = 0; @@ -9281,8 +9282,8 @@ cur_arg = 1; if (!*args[cur_arg] || !*args[cur_arg+1] || !*args[cur_arg+2] || - (*args[cur_arg+3] && strcmp(args[cur_arg+2], "if") != 0 && strcmp(args[cur_arg+2], "unless") != 0)) { - Alert("parsing [%s:%d]: 'http-request %s' expects exactly 3 arguments.\n", + (*args[cur_arg+3] && strcmp(args[cur_arg+3], "if") != 0 && strcmp(args[cur_arg+3], "unless") != 0)) { + Alert("parsing [%s:%d]: 'http-response %s' expects exactly 3 arguments.\n", file, linenum, args[0]); goto out_err; } @@ -9770,20 +9771,13 @@ static int pat_parse_meth(const char *text, struct pattern *pattern, int mflags, char **err) { int len, meth; - struct chunk *trash; len = strlen(text); meth = find_http_meth(text, len); pattern->val.i = meth; if (meth == HTTP_METH_OTHER) { - trash = get_trash_chunk(); - if (trash->size < len) { - memprintf(err, "no space avalaible in the buffer. expect %d, provides %d", - len, trash->size); - return 0; - } - pattern->ptr.str = trash->str; + pattern->ptr.str = (char *)text; pattern->len = len; } else { @@ -9848,8 +9842,8 @@ continue; icase = expr->mflags & PAT_MF_IGNORE_CASE; - if ((icase && strncasecmp(pattern->ptr.str, smp->data.meth.str.str, smp->data.meth.str.len) != 0) || - (!icase && strncmp(pattern->ptr.str, smp->data.meth.str.str, smp->data.meth.str.len) != 0)) + if ((icase && strncasecmp(pattern->ptr.str, smp->data.meth.str.str, smp->data.meth.str.len) == 0) || + (!icase && strncmp(pattern->ptr.str, smp->data.meth.str.str, smp->data.meth.str.len) == 0)) return pattern; } return NULL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/proto_tcp.c new/haproxy-1.5.4/src/proto_tcp.c --- old/haproxy-1.5.3/src/proto_tcp.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/proto_tcp.c 2014-09-02 13:54:16.000000000 +0200 @@ -1048,8 +1048,8 @@ t = rule->act_prm.trk_ctr.table.t; key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ | partial, rule->act_prm.trk_ctr.expr, &smp); - if (smp.flags & SMP_F_MAY_CHANGE) - goto missing_data; + if ((smp.flags & SMP_F_MAY_CHANGE) && !(partial & SMP_OPT_FINAL)) + goto missing_data; /* key might appear later */ if (key && (ts = stktable_get_entry(t, key))) { session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/sample.c new/haproxy-1.5.4/src/sample.c --- old/haproxy-1.5.3/src/sample.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/sample.c 2014-09-02 13:54:16.000000000 +0200 @@ -896,6 +896,18 @@ * Note: the fetch functions are required to properly set the return type. The * conversion functions must do so too. However the cast functions do not need * to since they're made to cast mutiple types according to what is required. + * + * The caller may indicate in <opt> if it considers the result final or not. + * The caller needs to check the SMP_F_MAY_CHANGE flag in p->flags to verify + * if the result is stable or not, according to the following table : + * + * return MAY_CHANGE FINAL Meaning for the sample + * NULL 0 * Not present and will never be (eg: header) + * NULL 1 0 Not present yet, could change (eg: POST param) + * NULL 1 1 Not present yet, will not change anymore + * smp 0 * Present and will not change (eg: header) + * smp 1 0 Present, may change (eg: request length) + * smp 1 1 Present, last known value (eg: request length) */ struct sample *sample_process(struct proxy *px, struct session *l4, void *l7, unsigned int opt, @@ -1153,7 +1165,16 @@ * and <opt> does not contain SMP_OPT_FINAL, then the sample is returned as-is * with its SMP_F_MAY_CHANGE flag so that the caller can check it and decide to * take actions (eg: wait longer). If a sample could not be found or could not - * be converted, NULL is returned. + * be converted, NULL is returned. The caller MUST NOT use the sample if the + * SMP_F_MAY_CHANGE flag is present, as it is used only as a hint that there is + * still hope to get it after waiting longer, and is not converted to string. + * The possible output combinations are the following : + * + * return MAY_CHANGE FINAL Meaning for the sample + * NULL * * Not present and will never be (eg: header) + * smp 0 * Final value converted (eg: header) + * smp 1 0 Not present yet, may appear later (eg: header) + * smp 1 1 never happens (either flag is cleared on output) */ struct sample *sample_fetch_string(struct proxy *px, struct session *l4, void *l7, unsigned int opt, struct sample_expr *expr) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/ssl_sock.c new/haproxy-1.5.4/src/ssl_sock.c --- old/haproxy-1.5.3/src/ssl_sock.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/ssl_sock.c 2014-09-02 13:54:16.000000000 +0200 @@ -2720,8 +2720,25 @@ return result; } -/* returns 1 if client passed a certificate, 0 if not */ -int ssl_sock_get_cert_used(struct connection *conn) +/* returns 1 if client passed a certificate for this session, 0 if not */ +int ssl_sock_get_cert_used_sess(struct connection *conn) +{ + X509 *crt = NULL; + + if (!ssl_sock_is_ssl(conn)) + return 0; + + /* SSL_get_peer_certificate, it increase X509 * ref count */ + crt = SSL_get_peer_certificate(conn->xprt_ctx); + if (!crt) + return 0; + + X509_free(crt); + return 1; +} + +/* returns 1 if client passed a certificate for this connection, 0 if not */ +int ssl_sock_get_cert_used_conn(struct connection *conn) { if (!ssl_sock_is_ssl(conn)) return 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/stick_table.c new/haproxy-1.5.4/src/stick_table.c --- old/haproxy-1.5.3/src/stick_table.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/stick_table.c 2014-09-02 13:54:16.000000000 +0200 @@ -603,7 +603,16 @@ * no key could be extracted, or a pointer to the converted result stored in * static_table_key in format <table_type>. If <smp> is not NULL, it will be reset * and its flags will be initialized so that the caller gets a copy of the input - * sample, and knows why it was not accepted (eg: SMP_F_MAY_CHANGE is present). + * sample, and knows why it was not accepted (eg: SMP_F_MAY_CHANGE is present + * without SMP_OPT_FINAL). The output will be usable like this : + * + * return MAY_CHANGE FINAL Meaning for the sample + * NULL 0 * Not present and will never be (eg: header) + * NULL 1 0 Not present or unstable, could change (eg: req_len) + * NULL 1 1 Not present, will not change anymore + * smp 0 * Present and will not change (eg: header) + * smp 1 0 not possible + * smp 1 1 Present, last known value (eg: request length) */ struct stktable_key *stktable_fetch_key(struct stktable *t, struct proxy *px, struct session *l4, void *l7, unsigned int opt, struct sample_expr *expr, struct sample *smp) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.3/src/stream_interface.c new/haproxy-1.5.4/src/stream_interface.c --- old/haproxy-1.5.3/src/stream_interface.c 2014-07-25 08:56:07.000000000 +0200 +++ new/haproxy-1.5.4/src/stream_interface.c 2014-09-02 13:54:16.000000000 +0200 @@ -658,7 +658,7 @@ if (chn->pipe && conn->xprt->snd_pipe) { ret = conn->xprt->snd_pipe(conn, chn->pipe); if (ret > 0) - chn->flags |= CF_WRITE_PARTIAL; + chn->flags |= CF_WRITE_PARTIAL | CF_WROTE_DATA; if (!chn->pipe->data) { put_pipe(chn->pipe); @@ -702,7 +702,7 @@ ret = conn->xprt->snd_buf(conn, chn->buf, send_flag); if (ret > 0) { - chn->flags |= CF_WRITE_PARTIAL; + chn->flags |= CF_WRITE_PARTIAL | CF_WROTE_DATA; if (!chn->buf->o) { /* Always clear both flags once everything has been sent, they're one-shot */ -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
