-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The attached patch adds a new ACL type called "urlpath_raw_regex". It
works in exactly the same way as "urlpath_regex" except no unescaping of
the URI is done first, which makes it possible to filter specific attacks
that escape some characters in the URI without blocking legitimate
requests.
I.e. you can filter URIs containing "%2easp" (the signature of some
attacks) without blocking legitimate requests for ".asp"
The patch was originally written for squid 2.5 and recoded for 3.0 - it
compiles OK, but unfortunately I currently have no facilities to test squid
3.0 here.
- - - Steve Hill
Senior Software Developer Email: [EMAIL PROTECTED]
Navaho Technologies Ltd. Tel: +44-870-7034015
... Alcohol and calculus don't mix - Don't drink and derive! ...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Public key available at http://linux.navaho.co.uk/pubkey.steve.txt
iD8DBQFA2YD8b26jEkrydY4RAqMCAJ4vtg0Qhhyf6KJkQVZwPqX1M/L3xACgnlxR
1YJ3b0t9ZE3bwQYRa25g24o=
=j8c8
-----END PGP SIGNATURE-----
diff -urN squid-3.0-PRE3-20040623.vanilla/src/ACLUrlPathRaw.cc
squid-3.0-PRE3-20040623/src/ACLUrlPathRaw.cc
--- squid-3.0-PRE3-20040623.vanilla/src/ACLUrlPathRaw.cc 1970-01-01
01:00:00.000000000 +0100
+++ squid-3.0-PRE3-20040623/src/ACLUrlPathRaw.cc 2004-06-23 11:29:07.965813291
+0100
@@ -0,0 +1,59 @@
+/*
+ * $Id$
+ *
+ * AUTHOR: Steve Hill (Blatently ripped off ACLUrlPath)
+ *
+ * SQUID Web Proxy Cache http://www.squid-cache.org/
+ * ----------------------------------------------------------
+ *
+ * Squid is the result of efforts by numerous individuals from
+ * the Internet community; see the CONTRIBUTORS file for full
+ * details. Many organizations have provided support for Squid's
+ * development; see the SPONSORS file for full details. Squid is
+ * Copyrighted (C) 2001 by the Regents of the University of
+ * California; see the COPYRIGHT file for full details. Squid
+ * incorporates software developed and/or copyrighted by other
+ * sources; see the CREDITS file for full details.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
+ *
+ */
+
+#include "squid.h"
+#include "ACLUrlPathRaw.h"
+#include "ACLChecklist.h"
+#include "ACLRegexData.h"
+#include "HttpRequest.h"
+
+ACL::Prototype ACLUrlPathRaw::LegacyRegistryProtoype(&ACLUrlPathRaw::RegistryEntry_,
"pattern");
+ACL::Prototype ACLUrlPathRaw::RegistryProtoype(&ACLUrlPathRaw::RegistryEntry_,
"urlpath_raw_regex");
+ACLStrategised<char const *> ACLUrlPathRaw::RegistryEntry_(new ACLRegexData,
ACLUrlPathRawStrategy::Instance(), "urlpath_raw_regex");
+
+int
+ACLUrlPathRawStrategy::match (ACLData<char const *> * &data, ACLChecklist *checklist)
+{
+ char *esc_buf = xstrdup(checklist->request->urlpath.buf());
+ int result = data->match(esc_buf);
+ safe_free(esc_buf);
+ return result;
+}
+
+ACLUrlPathRawStrategy *
+ACLUrlPathRawStrategy::Instance()
+{
+ return &Instance_;
+}
+
+ACLUrlPathRawStrategy ACLUrlPathRawStrategy::Instance_;
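Review bot: Registering a second legacy prototype under the keyword "pattern" (the LegacyRegistryProtoype line near the top of this hunk) is a problem if ACLUrlPath.cc still registers its own "pattern" alias, which the file this was copied from does; as far as I recall ACL::Prototype::Factory returns the first registry entry whose type string matches, so which matcher a config line `acl foo pattern ...` gets would depend on static-initialisation order across translation units, and an access rule could silently switch between decoded and raw matching. Drop that line together with the matching `static ACL::Prototype LegacyRegistryProtoype;` declaration in the ACLUrlPathRaw.h hunk, leaving only the "urlpath_raw_regex" registration. Separately, the xstrdup/safe_free pair in match() is a leftover of the in-place unescape this type deliberately omits; since data->match takes a `char const *`, the body can simply be `return data->match(checklist->request->urlpath.buf());`, which also removes a per-request allocation on the ACL fast path. A short comment above match() stating that the path is matched exactly as received, without percent-decoding, would document the one thing that distinguishes this type from ACLUrlPath.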
diff -urN squid-3.0-PRE3-20040623.vanilla/src/ACLUrlPathRaw.h
squid-3.0-PRE3-20040623/src/ACLUrlPathRaw.h
--- squid-3.0-PRE3-20040623.vanilla/src/ACLUrlPathRaw.h 1970-01-01 01:00:00.000000000
+0100
+++ squid-3.0-PRE3-20040623/src/ACLUrlPathRaw.h 2004-06-23 11:29:37.072743238 +0100
@@ -0,0 +1,70 @@
+
+/*
+ * $Id$
+ *
+ *
+ * SQUID Web Proxy Cache http://www.squid-cache.org/
+ * ----------------------------------------------------------
+ *
+ * Squid is the result of efforts by numerous individuals from
+ * the Internet community; see the CONTRIBUTORS file for full
+ * details. Many organizations have provided support for Squid's
+ * development; see the SPONSORS file for full details. Squid is
+ * Copyrighted (C) 2001 by the Regents of the University of
+ * California; see the COPYRIGHT file for full details. Squid
+ * incorporates software developed and/or copyrighted by other
+ * sources; see the CREDITS file for full details.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
+ *
+ */
+
+#ifndef SQUID_ACLURLPATHRAW_H
+#define SQUID_ACLURLPATHRAW_H
+#include "ACL.h"
+#include "ACLData.h"
+#include "ACLStrategy.h"
+#include "ACLStrategised.h"
+
+class ACLUrlPathRawStrategy : public ACLStrategy<char const *>
+{
+
+public:
+ virtual int match (ACLData<char const *> * &, ACLChecklist *);
+ virtual bool requiresRequest() const {return true;}
+
+ static ACLUrlPathRawStrategy *Instance();
+ /* Not implemented to prevent copies of the instance. */
+ /* Not private to prevent brain dead g+++ warnings about
+ * private constructors with no friends */
+ ACLUrlPathRawStrategy(ACLUrlPathRawStrategy const &);
+
+private:
+ static ACLUrlPathRawStrategy Instance_;
+ ACLUrlPathRawStrategy(){}
+
+ ACLUrlPathRawStrategy&operator=(ACLUrlPathRawStrategy const &);
+};
+
+class ACLUrlPathRaw
+{
+
+public:
+ static ACL::Prototype RegistryProtoype;
+ static ACL::Prototype LegacyRegistryProtoype;
+ static ACLStrategised<char const *> RegistryEntry_;
+};
+
+#endif /* SQUID_ACLURLPATHRAW_H */
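Review bot: Nothing in this header says what "Raw" means; the single behavioural difference from ACLUrlPath is visible only in ACLUrlPathRaw.cc and in the cf.data.pre help text. Add a comment above `class ACLUrlPathRawStrategy`, e.g. `/* Matches the request's URL path exactly as received, with no unescaping, so a pattern can target an encoded form such as "%2e" without also matching the decoded "." */`. The public, unimplemented `ACLUrlPathRawStrategy(ACLUrlPathRawStrategy const &);` turns an accidental copy into a link error rather than a compile error; that mirrors ACLUrlPath and is acceptable here, so keep the existing comment explaining why it is not private.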
diff -urN squid-3.0-PRE3-20040623.vanilla/src/cf.data.pre
squid-3.0-PRE3-20040623/src/cf.data.pre
--- squid-3.0-PRE3-20040623.vanilla/src/cf.data.pre 2004-04-30 21:41:09.000000000
+0100
+++ squid-3.0-PRE3-20040623/src/cf.data.pre 2004-06-23 11:34:40.090440141 +0100
@@ -2388,6 +2388,7 @@
h1:m1 must be less than h2:m2
acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
+ acl aclname urlpath_raw_regex [-i] %2egif$ ... # regex matching on raw (i.e.
not unescaped) URL path
acl aclname port 80 70 21 ...
acl aclname port 0-1024 ... # ranges allowed
acl aclname myport 3128 ... # (local socket TCP port)
diff -urN squid-3.0-PRE3-20040623.vanilla/src/Makefile.am
squid-3.0-PRE3-20040623/src/Makefile.am
--- squid-3.0-PRE3-20040623.vanilla/src/Makefile.am 2003-10-20 12:23:38.000000000
+0100
+++ squid-3.0-PRE3-20040623/src/Makefile.am 2004-06-23 11:30:08.532345526 +0100
@@ -286,6 +286,8 @@
ACLUrl.h \
ACLUrlPath.cc \
ACLUrlPath.h \
+ ACLUrlPathRaw.cc \
+ ACLUrlPathRaw.h \
ACLUrlPort.cc \
ACLUrlPort.h \
ACLUserData.cc \
diff -urN squid-3.0-PRE3-20040623.vanilla/src/Makefile.in
squid-3.0-PRE3-20040623/src/Makefile.in
--- squid-3.0-PRE3-20040623.vanilla/src/Makefile.in 2003-10-21 01:13:59.000000000
+0100
+++ squid-3.0-PRE3-20040623/src/Makefile.in 2004-06-23 11:37:20.313120420 +0100
@@ -457,6 +457,8 @@
ACLUrl.h \
ACLUrlPath.cc \
ACLUrlPath.h \
+ ACLUrlPathRaw.cc \
+ ACLUrlPathRaw.h \
ACLUrlPort.cc \
ACLUrlPort.h \
ACLUserData.cc \
@@ -1011,6 +1013,7 @@
ACLStrategy.h ACLStringData.cc ACLStringData.h ACLTime.cc \
ACLTime.h ACLTimeData.cc ACLTimeData.h ACLUrl.cc ACLUrl.h \
ACLUrlPath.cc ACLUrlPath.h ACLUrlPort.cc ACLUrlPort.h \
+ ACLUrlPathRaw.cc ACLUrlPathRaw.h \
ACLUserData.cc ACLUserData.h asn.cc authenticate.cc \
authenticate.h cache_cf.cc CacheDigest.cc cache_manager.cc \
carp.cc cbdata.cc client_db.cc client_side.cc client_side.h \
@@ -1080,6 +1083,7 @@
ACLSourceDomain.$(OBJEXT) ACLSourceIP.$(OBJEXT) \
ACLStrategised.$(OBJEXT) ACLStringData.$(OBJEXT) \
ACLTime.$(OBJEXT) ACLTimeData.$(OBJEXT) ACLUrl.$(OBJEXT) \
+ ACLUrlPathRaw.$(OBJEXT) \
ACLUrlPath.$(OBJEXT) ACLUrlPort.$(OBJEXT) ACLUserData.$(OBJEXT)
am__objects_4 = delay_pools.$(OBJEXT) DelayId.$(OBJEXT) \
DelayBucket.$(OBJEXT) DelayConfig.$(OBJEXT) DelayPool.$(OBJEXT) \
@@ -1197,6 +1201,7 @@
ACLStringData.cc ACLStringData.h ACLTime.cc ACLTime.h \
ACLTimeData.cc ACLTimeData.h ACLUrl.cc ACLUrl.h ACLUrlPath.cc \
ACLUrlPath.h ACLUrlPort.cc ACLUrlPort.h ACLUserData.cc \
+ ACLUrlPathRaw.cc ACLUrlPathRaw.h \
ACLUserData.h asn.cc authenticate.cc cache_cf.cc CacheDigest.cc \
cache_manager.cc carp.cc cbdata.cc client_db.cc client_side.cc \
client_side_reply.cc client_side_request.cc \
@@ -1324,6 +1329,7 @@
@AMDEP_TRUE@ ./$(DEPDIR)/ACLStringData.Po ./$(DEPDIR)/ACLTime.Po \
@AMDEP_TRUE@ ./$(DEPDIR)/ACLTimeData.Po ./$(DEPDIR)/ACLUrl.Po \
@AMDEP_TRUE@ ./$(DEPDIR)/ACLUrlPath.Po ./$(DEPDIR)/ACLUrlPort.Po \
[EMAIL PROTECTED]@ ./$(DEPDIR)/ACLUrlPathRaw.Po \
@AMDEP_TRUE@ ./$(DEPDIR)/ACLUserData.Po \
@AMDEP_TRUE@ ./$(DEPDIR)/CacheDigest.Po \
@AMDEP_TRUE@ ./$(DEPDIR)/DelayBucket.Po \
@@ -1653,6 +1659,7 @@
@AMDEP_TRUE@@am__include@ @[EMAIL PROTECTED]/$(DEPDIR)/[EMAIL PROTECTED]@
@AMDEP_TRUE@@am__include@ @[EMAIL PROTECTED]/$(DEPDIR)/[EMAIL PROTECTED]@
@AMDEP_TRUE@@am__include@ @[EMAIL PROTECTED]/$(DEPDIR)/[EMAIL PROTECTED]@
[EMAIL PROTECTED]@@am__include@ @[EMAIL PROTECTED]/$(DEPDIR)/[EMAIL PROTECTED]@
@AMDEP_TRUE@@am__include@ @[EMAIL PROTECTED]/$(DEPDIR)/[EMAIL PROTECTED]@
@AMDEP_TRUE@@am__include@ @[EMAIL PROTECTED]/$(DEPDIR)/[EMAIL PROTECTED]@
@AMDEP_TRUE@@am__include@ @[EMAIL PROTECTED]/$(DEPDIR)/[EMAIL PROTECTED]@