[PATCH] MINOR: acl: Warn when an ACL is named 'or' or '||'

Wed, 05 Feb 2020 12:02:11 -0800 

Willy,

after a user seeked support in IRC and me seeing the error message they were 
facing I just *had to*
try something :-)

<*redacted*> Can anyone tell me if there a way to do multi variable in this 
rspirep line? Seems
             to be a syntax problem with the AND path_subdomain.
             rspirep ^Location:\ (.*) Location:\ /subdomainXYZ/\1 if 
hdr_location AND path_subdomain
[...]
<TimWolla> Also the 'AND' is implicit. Just leave it out.
<TimWolla> That will probably solve your syntax issue.
<*redacted*> Ahhh thanks, it seems that removing the AND was enough to get it 
working
<*redacted*> was admittedly confused when I saw the error 'no such ACL: AND'
<TimWolla> *redacted*, don't make me try out stupid things. Quick poll (answer 
without trying it out!).
           Will this add a 'Foo' header to the response or not?
<TimWolla> acl t always_true
<TimWolla> acl or always_false
<TimWolla> http-response set-header Foo Bar if t or t
<*redacted*> maybe.. no?
<*redacted2*> you're supposed to use || and or for OR, so I'd guess cfgparse 
should fail here, does it not ?
<TimWolla> It does not. I'm just preparing a patch.
<*redacted2*> :-)
<*redacted3*> TimWolla: famoous last words
<*redacted3*> me is unfair

Apply with `git am --scissors` to automatically cut the commit message.

-- >8 --
Subject: [PATCH] MINOR: acl: Warn when an ACL is named 'or' or '||'

Consider a configuration like this:

> acl t always_true
> acl or always_false
>
> http-response set-header Foo Bar if t or t

The 'or' within the condition will be treated as a logical disjunction
and the header will be set, despite the ACL 'or' being falsy.

May be backported to older branches, it should not break anything
and might improve the users' lifes.
---
 src/cfgparse-listen.c |  7 ++++++-
 src/fcgi-app.c        | 10 +++++++++-
 src/flt_spoe.c        |  6 ++++++
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/cfgparse-listen.c b/src/cfgparse-listen.c
index 3f16a2517..7220b50ec 100644
--- a/src/cfgparse-listen.c
+++ b/src/cfgparse-listen.c
@@ -806,7 +806,12 @@ int cfg_parse_listen(const char *file, int linenum, char 
**args, int kwm)
                        err_code |= ERR_ALERT | ERR_FATAL;
                        goto out;
                }
-
+               if (strcasecmp(args[1], "or") == 0 || strcasecmp(args[1], "||") 
== 0) {
+                       ha_warning("parsing [%s:%d] : acl name '%s' will never 
match. 'or' and '||' are used to express a "
+                                  "logical disjunction within a condition.\n",
+                                  file, linenum, args[1]);
+                       err_code |= ERR_WARN;
+               }
                if (parse_acl((const char **)args + 1, &curproxy->acl, &errmsg, 
&curproxy->conf.args, file, linenum) == NULL) {
                        ha_alert("parsing [%s:%d] : error detected while 
parsing ACL '%s' : %s.\n",
                                 file, linenum, args[1], errmsg);
diff --git a/src/fcgi-app.c b/src/fcgi-app.c
index f7108c376..873fc0f13 100644
--- a/src/fcgi-app.c
+++ b/src/fcgi-app.c
@@ -885,11 +885,19 @@ static int cfg_parse_fcgi_app(const char *file, int 
linenum, char **args, int kw
                        ha_alert("parsing [%s:%d] : character '%c' is not 
permitted in acl name '%s'.\n",
                                 file, linenum, *err, args[1]);
                        err_code |= ERR_ALERT | ERR_FATAL;
+                       goto out;
+               }
+               if (strcasecmp(args[1], "or") == 0 || strcasecmp(args[1], "||") 
== 0) {
+                       ha_warning("parsing [%s:%d] : acl name '%s' will never 
match. 'or' and '||' are used to express a "
+                                  "logical disjunction within a condition.\n",
+                                  file, linenum, args[1]);
+                       err_code |= ERR_WARN;
                }
-               else if (parse_acl((const char **)args+1, &curapp->acls, 
&errmsg, &curapp->conf.args, file, linenum) == NULL) {
+               if (parse_acl((const char **)args+1, &curapp->acls, &errmsg, 
&curapp->conf.args, file, linenum) == NULL) {
                        ha_alert("parsing [%s:%d] : error detected while 
parsing ACL '%s' : %s.\n",
                                 file, linenum, args[1], errmsg);
                        err_code |= ERR_ALERT | ERR_FATAL;
+                       goto out;
                }
        }
        else if (!strcmp(args[0], "set-param")) {
diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index e3328cc01..3951e6527 100644
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -3991,6 +3991,12 @@ cfg_parse_spoe_message(const char *file, int linenum, 
char **args, int kwm)
                        err_code |= ERR_ALERT | ERR_FATAL;
                        goto out;
                }
+               if (strcasecmp(args[1], "or") == 0 || strcasecmp(args[1], "||") 
== 0) {
+                       ha_warning("parsing [%s:%d] : acl name '%s' will never 
match. 'or' and '||' are used to express a "
+                                  "logical disjunction within a condition.\n",
+                                  file, linenum, args[1]);
+                       err_code |= ERR_WARN;
+               }
                if (parse_acl((const char **)args + 1, &curmsg->acls, &errmsg, 
&curproxy->conf.args, file, linenum) == NULL) {
                        ha_alert("parsing [%s:%d] : error detected while 
parsing ACL '%s' : %s.\n",
                                 file, linenum, args[1], errmsg);
-- 
2.25.0

Reply via email to