This is an automated email from the ASF dual-hosted git repository. cmcfarlen pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 86c12d4994e39560a7e4a55d0af61b2ef0cc5374 Author: Chris McFarlen <[email protected]> AuthorDate: Tue Mar 4 13:53:20 2025 -0600 Fix intercept plugin ignoring ACL (#12076) (cherry picked from commit 9d9bd53b4a4b788ddb9a36e0abed4b7efe822c10) Co-authored-by: Chris McFarlen <[email protected]> (cherry picked from commit 2f028c83cf356c1501666e3d4cf4ef3f50aa77e8)
---
 src/proxy/http/HttpTransact.cc | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/proxy/http/HttpTransact.cc b/src/proxy/http/HttpTransact.cc
index 6b4e079ba7..4baad02542 100644
--- a/src/proxy/http/HttpTransact.cc
+++ b/src/proxy/http/HttpTransact.cc
@@ -1205,6 +1205,15 @@ done:
 obj_describe(s->hdr_info.client_request.m_http, true);
 }
 
+ // If the client failed ACLs, send error response
+ // This extra condition was added to separate it from the logic below that might allow
+ // requests that use some types of plugins as that code was allowing requests that didn't
+ // pass ACL checks. ACL mismatches are also not counted as invalid client requests
+ if (!s->client_connection_allowed) {
+ TxnDbg(dbg_ctl_http_trans, "END HttpTransact::EndRemapRequest: connection not allowed");
+ TRANSACT_RETURN(SM_ACTION_SEND_ERROR_CACHE_NOOP, nullptr);
+ }
+
 /*
 if s->reverse_proxy == false, we can assume remapping failed in some way
 -however-
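Review bot: The new `if (!s->client_connection_allowed)` branch returns `SM_ACTION_SEND_ERROR_CACHE_NOOP` without setting any status or body in this hunk, so it relies on the code that cleared the flag having already built the error response; that dependency should be written down next to the check, e.g. `// error response is expected to have been built where client_connection_allowed was cleared`. The denial is recorded only through `TxnDbg`, and the added comment says it is deliberately not counted as an invalid client request, so it is worth confirming that ACL denials on this path still reach the access log or a metric operators can alert on. The diffstat lists only HttpTransact.cc, so the intercept-plugin-plus-ACL case appears to have no regression test in this commit; a test asserting that a denied client gets the error response while an intercept plugin is attached would keep the bypass from coming back. EndRemapRequest starts and ends outside the hunk, so the setup before `done:` is not visible here.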
