On 14/09/2012 10:16 a.m., Alex Rousskov wrote:
Hello,

     As you know, most old squid.conf options cannot handle spaces in
parameter values as they do not support quoted strings or other ways of
escaping the space separator. A few new options support quoted strings,
but many old ones do not. This is not going to be pretty because there
is no backward compatible way to introduce quoted strings (or
equivalent) that would work for every option. This email focuses on ACLs.

A good specific example is user_cert and ca_cert ACLs that are supposed
to match on various certificate attributes. In many, if not most, cases,
attributes like Organization Name and Common Name contain spaces. For
example:

     O: Google Inc
     O: Thawte Consulting (Pty) Ltd.
     CN: Thawte SGC CA

All of the above cannot be matched using user_cert and ca_cert ACLs.

I see a few reasonable ways to address this (see below for a list). They
all revolve around introducing support for "quoted strings" in ACL
values[1]. For loading files, they could all use file:"/path/name.ext"
syntax.

Each approach differs in how it addresses backward compatibility:


0) Screw backward compatibility and just start interpreting "quoted
strings" in ACL values as such. We can minimize breakage by detecting
unusual patterns such as quotes"in"the"middle and
"/quotes/without/any/spaces", treating them as the old parser would
(with a warning). We can also refuse to honor more than one value per
ACL when a value is quoted. Very few old configurations will be broken
by this, but I bet there will be some!

     # this will work OK
     acl badOne1 user_cert CN "Bad Guy"

     # this will also work as before, with a warning
     acl badOnes user_cert CN "/var/share/bad.guys"

     # this will be silently broken
     acl badOnes user_cert CN "/var/share/my bad guys list"

     # new file loading syntax required here:
     acl badOnes user_cert CN file:"/var/share/my bad guys list"

I vote for this, with a few more changes that will reduce the breakages.

IMO, the above final line should be invalid. "" should delimit one item, be that a value with spaces or a whole file: URI with spaces, i.e.:
   acl badOnes user_cert CN "file:/var/share/my bad guys list"

This can be done in stages to remove problems.
 0a) add file: schema support and upgrade-warn on all "" entries. (3.3?)
stat() on the quoted entry can be used to verify it is a file and assume a value if not. Don't bother with pattern checks; we won't get those reliable enough. stat() can do it.

 0b) drop default assumption that "" is a file entirely (3.x?)


Amos
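
A sketch of the staged handling proposed in the reply above (0a, then 0b), added here as an illustration; it is not Squid code and not from either poster. The names `classify`, `parse_acl` and `legacy_files` are assumptions made for this example, and the warning text is invented.

```python
import os
import re

# One token is either a whole "quoted string" or a run of non-space characters,
# so quotes"in"the"middle stays a single bare token, as the old parser read it.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def classify(text, quoted, legacy_files=True):
    """Classify one ACL argument as ('file' | 'value', text, warning or None)."""
    if text.startswith("file:"):
        return ("file", text[len("file:"):], None)
    # Stage 0a: a quoted entry that stat() reports as a regular file is still
    # loaded as a file, with an upgrade warning. Stage 0b (legacy_files=False)
    # drops this branch, so a quoted entry is always a literal value.
    if quoted and legacy_files and os.path.isfile(text):
        return ("file", text, 'upgrade: write "file:%s"' % text)
    return ("value", text, None)


def parse_acl(line, legacy_files=True):
    """Return (name, acl_type, [classified arguments]) for one acl line."""
    tokens = []
    for m in TOKEN.finditer(line):
        quoted = m.group(1) is not None
        tokens.append((quoted, m.group(1) if quoted else m.group(2)))
    if len(tokens) < 3 or tokens[0][1] != "acl":
        raise ValueError("not an acl line: %r" % line)
    args = [classify(text, quoted, legacy_files) for quoted, text in tokens[3:]]
    return tokens[1][1], tokens[2][1], args


if __name__ == "__main__":
    # Constructed sample lines, using the forms discussed in the thread.
    samples = (
        'acl badOne1 user_cert CN "Bad Guy"',
        'acl badOnes user_cert CN "/var/share/bad.guys"',
        'acl badOnes user_cert CN "file:/var/share/my bad guys list"',
    )
    for line in samples:
        name, acl_type, args = parse_acl(line)
        print(name, acl_type, args)
```

Running a linter like this over an existing squid.conf before an upgrade shows which quoted ACL entries would change meaning, so a cert-matching rule does not silently stop matching.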
