On Wed, 23 Jun 2004, Steve Hill wrote:
> The attached patch adds a new ACL type called "urlpath_raw_regex". It
> works in exactly the same way as "urlpath_regex" except no unescaping of
> the URI is done first, which makes it possible to filter specific attacks
> that escape some characters in the URI without blocking legitimate
> requests.
Many thanks for your patch.
The acl added looks quite useful even if I am not sure if it should be
done as a separate ACL or simply as a flag to the existing acl.
On a further note a similar (but different) problem also exists for the
dstdomain and dstdomain_regex acl where one may want per acl to
enable/disable the reverse lookup of IP addresses to match the domain.
Note: I have taken the liberty to attach your previous Squid-2.5 patch for
the archives.
Regards
Henrik
diff -urN squid-2.5.STABLE5.vanilla/src/acl.c squid-2.5.STABLE5/src/acl.c
--- squid-2.5.STABLE5.vanilla/src/acl.c 2004-02-27 17:36:35.000000000 +0100
+++ squid-2.5.STABLE5/src/acl.c 2004-06-22 10:23:34.839051573 +0200
@@ -128,6 +128,8 @@
return ACL_URLPATH_REGEX;
if (!strcmp(s, "urlpath_regex"))
return ACL_URLPATH_REGEX;
+ if (!strcmp(s, "urlpath_raw_regex"))
+ return ACL_URLPATH_RAW_REGEX;
if (!strcmp(s, "url_regex"))
return ACL_URL_REGEX;
if (!strcmp(s, "port"))
@@ -204,6 +206,8 @@
return "time";
if (type == ACL_URLPATH_REGEX)
return "urlpath_regex";
+ if (type == ACL_URLPATH_RAW_REGEX)
+ return "urlpath_raw_regex";
if (type == ACL_URL_REGEX)
return "url_regex";
if (type == ACL_URL_PORT)
@@ -746,6 +750,7 @@
case ACL_URL_REGEX:
case ACL_URLLOGIN:
case ACL_URLPATH_REGEX:
+ case ACL_URLPATH_RAW_REGEX:
case ACL_BROWSER:
case ACL_REFERER_REGEX:
case ACL_SRC_DOM_REGEX:
@@ -1474,6 +1479,7 @@
case ACL_REP_MIME_TYPE:
case ACL_REQ_MIME_TYPE:
case ACL_URLPATH_REGEX:
+ case ACL_URLPATH_RAW_REGEX:
case ACL_URL_PORT:
case ACL_URL_REGEX:
case ACL_URLLOGIN:
@@ -1574,6 +1580,12 @@
safe_free(esc_buf);
return k;
/* NOTREACHED */
+ case ACL_URLPATH_RAW_REGEX:
+ esc_buf = xstrdup(strBuf(r->urlpath));
+ k = aclMatchRegex(ae->data, esc_buf);
+ safe_free(esc_buf);
+ return k;
+ /* NOTREACHED */
case ACL_URL_REGEX:
esc_buf = xstrdup(urlCanonical(r));
rfc1738_unescape(esc_buf);
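Review bot: The `xstrdup()`/`safe_free()` pair in the new ACL_URLPATH_RAW_REGEX case copies the path for no reason: the neighbouring cases duplicate the string only because `rfc1738_unescape()` rewrites the buffer in place, and the raw case never modifies it. If aclMatchRegex takes its subject as `const char *` (its prototype is outside this hunk), the case reduces to `return aclMatchRegex(ae->data, strBuf(r->urlpath));` with no allocation to leak or free. Either way the intent deserves a comment, because a reader comparing it with the adjacent cases may assume the unescape call was simply forgotten: `/* deliberately no rfc1738_unescape(): match the path exactly as the client sent it, %XX escapes included */`. Since hex case is preserved here, patterns meant to catch `%2e` must also cover `%2E`, so users should be told to pair this ACL with `-i` or write both forms. The enclosing switch and function start and end outside this hunk.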
@@ -2155,6 +2167,7 @@
case ACL_URL_REGEX:
case ACL_URLLOGIN:
case ACL_URLPATH_REGEX:
+ case ACL_URLPATH_RAW_REGEX:
case ACL_BROWSER:
case ACL_REFERER_REGEX:
case ACL_SRC_DOM_REGEX:
@@ -2570,7 +2583,7 @@
case ACL_PROXY_AUTH_REGEX:
case ACL_URL_REGEX:
case ACL_URLLOGIN:
- case ACL_URLPATH_REGEX:
+ case ACL_URLPATH_RAW_REGEX:
case ACL_BROWSER:
case ACL_REFERER_REGEX:
case ACL_SRC_DOM_REGEX:
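Review bot: This hunk replaces `case ACL_URLPATH_REGEX:` with `case ACL_URLPATH_RAW_REGEX:` instead of adding the new label beside it, unlike every other switch the patch touches, so the function containing this switch (which starts and ends outside the hunk) loses its existing handling of urlpath_regex and that type now falls to whatever the remaining labels or default do. This reads as an editing slip rather than intent, since the other six hunks all keep the original label. The fix is to keep both labels: `case ACL_URLPATH_REGEX:` followed by `case ACL_URLPATH_RAW_REGEX:`.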
diff -urN squid-2.5.STABLE5.vanilla/src/cf.data.pre squid-2.5.STABLE5/src/cf.data.pre
--- squid-2.5.STABLE5.vanilla/src/cf.data.pre 2004-02-10 22:01:21.000000000 +0100
+++ squid-2.5.STABLE5/src/cf.data.pre 2004-06-22 10:36:53.516068180 +0200
@@ -2004,6 +2004,7 @@
h1:m1 must be less than h2:m2
acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
+ acl aclname urlpath_raw_regex [-i] %2egif$ ... # regex matching on raw (i.e.
not unescaped) URL path
acl aclname urllogin [-i] [^a-zA-Z0-9] ... # regex matching on URL login
field
acl aclname port 80 70 21 ...
acl aclname port 0-1024 ... # ranges allowed
diff -urN squid-2.5.STABLE5.vanilla/src/enums.h squid-2.5.STABLE5/src/enums.h
--- squid-2.5.STABLE5.vanilla/src/enums.h 2004-02-04 18:42:28.000000000 +0100
+++ squid-2.5.STABLE5/src/enums.h 2004-06-22 10:23:34.840051427 +0200
@@ -107,6 +107,7 @@
ACL_DST_DOM_REGEX,
ACL_TIME,
ACL_URLPATH_REGEX,
+ ACL_URLPATH_RAW_REGEX,
ACL_URL_REGEX,
ACL_URL_PORT,
ACL_MY_PORT,