TS-1981 Url remap method filtering is broken with invalid method.
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/3e818112 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/3e818112 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/3e818112 Branch: refs/heads/5.0.x Commit: 3e818112374b5ea4e2d92fb2292bc16a7fdc01ae Parents: e8b88af Author: Thach Tran <[email protected]> Authored: Fri May 30 11:15:16 2014 -0600 Committer: Leif Hedstrom <[email protected]> Committed: Fri May 30 11:16:21 2014 -0600 ---------------------------------------------------------------------- CHANGES | 3 ++ proxy/http/remap/UrlRewrite.cc | 60 ++++++++++++++++++------------------- 2 files changed, 32 insertions(+), 31 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/3e818112/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index 49cfaf4..cfca250 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 5.0.0 + *) [TS-1981] Url remap method filtering is broken with invalid method. + Author: Thach Tran <[email protected]> + *) [TS-2792] Large request header causes unexpected remap. Author: Masakazu Kitajo <[email protected]> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/3e818112/proxy/http/remap/UrlRewrite.cc ---------------------------------------------------------------------- diff --git a/proxy/http/remap/UrlRewrite.cc b/proxy/http/remap/UrlRewrite.cc index 7a7bb73..ab61b3b 100644 --- a/proxy/http/remap/UrlRewrite.cc +++ b/proxy/http/remap/UrlRewrite.cc 
@@ -427,43 +427,41 @@ UrlRewrite::PerformACLFiltering(HttpTransact::State *s, url_mapping *map) if (map->filter) { int i, res, method; i = (method = s->hdr_info.client_request.method_get_wksidx()) - HTTP_WKSIDX_CONNECT; - if (likely(i >= 0 && i < ACL_FILTER_MAX_METHODS)) { - bool client_enabled_flag = true; - ink_release_assert(ats_is_ip(&s->client_info.addr)); - for (acl_filter_rule * rp = map->filter; rp; rp = rp->next) { - bool match = true; - if (rp->method_valid) { - if (rp->method_idx[i] != method) - match = false; + bool client_enabled_flag = true; + ink_release_assert(ats_is_ip(&s->client_info.addr)); + for (acl_filter_rule * rp = map->filter; rp && client_enabled_flag; rp = rp->next) { // stop as soon as a filter denies + bool match = true; + if (rp->method_valid) { + if (likely(i >= 0 && i < ACL_FILTER_MAX_METHODS)) { + match = rp->method_idx[i] == method; } - if (match && rp->src_ip_valid) { - match = false; - for (int j = 0; j < rp->src_ip_cnt && !match; j++) { - res = rp->src_ip_array[j].contains(s->client_info.addr) ? 1 : 0; - if (rp->src_ip_array[j].invert) { - if (res != 1) - match = true; - } else { - if (res == 1) - match = true; - } - } + else { + match = false; } - if (match && client_enabled_flag) { //make sure that a previous filter did not DENY - Debug("url_rewrite", "matched ACL filter rule, %s request", rp->allow_flag ? "allowing" : "denying"); - client_enabled_flag = rp->allow_flag ? true : false; - } else { - if (!client_enabled_flag) { - Debug("url_rewrite", "Previous ACL filter rule denied request, continuing to deny it"); + } + if (match && rp->src_ip_valid) { + match = false; + for (int j = 0; j < rp->src_ip_cnt && !match; j++) { + res = rp->src_ip_array[j].contains(s->client_info.addr) ? 1 : 0; + if (rp->src_ip_array[j].invert) { + if (res != 1) + match = true; } else { - Debug("url_rewrite", "did NOT match ACL filter rule, %s request", rp->allow_flag ? "denying" : "allowing"); - client_enabled_flag = rp->allow_flag ? 
false : true; + if (res == 1) + match = true; } } + } + if (match) { + Debug("url_rewrite", "matched ACL filter rule, %s request", rp->allow_flag ? "allowing" : "denying"); + client_enabled_flag = rp->allow_flag ? true : false; + } else { + Debug("url_rewrite", "did NOT match ACL filter rule, %s request", rp->allow_flag ? "denying" : "allowing"); + client_enabled_flag = rp->allow_flag ? false : true; + } - } /* end of for(rp = map->filter;rp;rp = rp->next) */ - s->client_connection_enabled = client_enabled_flag; - } + } /* end of for(rp = map->filter;rp;rp = rp->next) */ + s->client_connection_enabled = client_enabled_flag; } }
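Review bot: The new `else { match = false; }` branch treats a request whose method is not a well-known one as a non-match for every rule with `method_valid`, and the non-match arm then sets `client_enabled_flag = rp->allow_flag ? false : true`, so an allow rule rejects the request but a deny rule lets it through. That asymmetry deserves a comment where it happens, e.g. `// unknown or out-of-range method never matches a method rule: allow rules reject it, deny rules do not cover it`, and a `Debug("url_rewrite", ...)` line in that branch would let an operator tell this case apart from an ordinary method mismatch. The range test on `i` is loop-invariant and could be computed once before the `for`, and the closing `/* end of for(rp = map->filter;rp;rp = rp->next) */` comment no longer matches the new loop condition `rp && client_enabled_flag`. PerformACLFiltering begins before this hunk, so how callers act on `client_connection_enabled` is not visible here.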
