-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The attached patch against squid-2.5.STABLE5 adds a new ACL type called
"urlpath_raw_regex". It works in exactly the same way as "urlpath_regex"
except no unescaping of the URI is done first, which makes it possible to
filter specific attacks that escape some characters in the URI without
blocking legitimate requests.
For example, you can filter URIs containing "%2easp" (the signature of some
attacks) without blocking legitimate requests for ".asp".
- - Steve Hill
Senior Software Developer Email: [EMAIL PROTECTED]
Navaho Technologies Ltd. Tel: +44-870-7034015
... Alcohol and calculus don't mix - Don't drink and derive! ...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Public key available at http://linux.navaho.co.uk/pubkey.steve.txt
iD8DBQFA1rMmb26jEkrydY4RAt9pAJ40O6/2GXt1NdFxxURN6PXnmsV2egCcDAJ/
mKOZSgLoy6uL8x7hhbl1Co0=
=CmX/
-----END PGP SIGNATURE-----
diff -urN squid-2.5.STABLE5.vanilla/src/acl.c squid-2.5.STABLE5/src/acl.c
--- squid-2.5.STABLE5.vanilla/src/acl.c 2004-02-27 17:36:35.000000000 +0100
+++ squid-2.5.STABLE5/src/acl.c 2004-06-10 14:37:29.922274840 +0200
@@ -128,6 +128,8 @@
return ACL_URLPATH_REGEX;
if (!strcmp(s, "urlpath_regex"))
return ACL_URLPATH_REGEX;
+ if (!strcmp(s, "urlpath_raw_regex"))
+ return ACL_URLPATH_RAW_REGEX;
if (!strcmp(s, "url_regex"))
return ACL_URL_REGEX;
if (!strcmp(s, "port"))
@@ -204,6 +206,8 @@
return "time";
if (type == ACL_URLPATH_REGEX)
return "urlpath_regex";
+ if (type == ACL_URLPATH_RAW_REGEX)
+ return "urlpath_raw_regex";
if (type == ACL_URL_REGEX)
return "url_regex";
if (type == ACL_URL_PORT)
@@ -746,6 +750,7 @@
case ACL_URL_REGEX:
case ACL_URLLOGIN:
case ACL_URLPATH_REGEX:
+ case ACL_URLPATH_RAW_REGEX:
case ACL_BROWSER:
case ACL_REFERER_REGEX:
case ACL_SRC_DOM_REGEX:
@@ -1474,6 +1479,7 @@
case ACL_REP_MIME_TYPE:
case ACL_REQ_MIME_TYPE:
case ACL_URLPATH_REGEX:
+ case ACL_URLPATH_RAW_REGEX:
case ACL_URL_PORT:
case ACL_URL_REGEX:
case ACL_URLLOGIN:
@@ -1574,6 +1580,12 @@
safe_free(esc_buf);
return k;
/* NOTREACHED */
+ case ACL_URLPATH_RAW_REGEX:
+ esc_buf = xstrdup(strBuf(r->urlpath));
+ k = aclMatchRegex(ae->data, esc_buf);
+ safe_free(esc_buf);
+ return k;
+ /* NOTREACHED */
case ACL_URL_REGEX:
esc_buf = xstrdup(urlCanonical(r));
rfc1738_unescape(esc_buf);
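Review bot: The new `ACL_URLPATH_RAW_REGEX` case matches the path exactly as the client sent it, so a deny pattern written for one spelling of an escape (such as `%2easp`) will not match other encodings of the same path, for example upper-case hex digits. The case deserves a comment to that effect, e.g. `/* raw match: no rfc1738_unescape(); equivalent encodings of a path do not match the same pattern */`, and the documentation for the new type should recommend case-insensitive patterns and using it alongside `urlpath_regex` rather than in place of it. Separately, nothing modifies the buffer in this case, so the `xstrdup`/`safe_free` pair looks unnecessary and `return aclMatchRegex(ae->data, strBuf(r->urlpath));` would do, assuming aclMatchRegex does not write through its argument (its definition is not in the hunk). The enclosing switch starts and ends outside the hunk.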
@@ -2155,6 +2167,7 @@
case ACL_URL_REGEX:
case ACL_URLLOGIN:
case ACL_URLPATH_REGEX:
+ case ACL_URLPATH_RAW_REGEX:
case ACL_BROWSER:
case ACL_REFERER_REGEX:
case ACL_SRC_DOM_REGEX:
@@ -2570,7 +2583,7 @@
case ACL_PROXY_AUTH_REGEX:
case ACL_URL_REGEX:
case ACL_URLLOGIN:
- case ACL_URLPATH_REGEX:
+ case ACL_URLPATH_RAW_REGEX:
case ACL_BROWSER:
case ACL_REFERER_REGEX:
case ACL_SRC_DOM_REGEX:
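Review bot: This hunk replaces `case ACL_URLPATH_REGEX:` with `case ACL_URLPATH_RAW_REGEX:` instead of adding the new label beside it, unlike the otherwise identical hunks at -746 and -2155, so the existing `urlpath_regex` type no longer reaches this switch arm. That looks like a slip: keep the old label and add the new one after it, `case ACL_URLPATH_REGEX:` followed by `case ACL_URLPATH_RAW_REGEX:`. The switch and its enclosing function lie outside the hunk, so what the arm does, and therefore what existing urlpath_regex ACLs would lose, cannot be confirmed from here.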
diff -urN squid-2.5.STABLE5.vanilla/src/enums.h squid-2.5.STABLE5/src/enums.h
--- squid-2.5.STABLE5.vanilla/src/enums.h 2004-02-04 18:42:28.000000000 +0100
+++ squid-2.5.STABLE5/src/enums.h 2004-06-10 14:35:43.720419976 +0200
@@ -107,6 +107,7 @@
ACL_DST_DOM_REGEX,
ACL_TIME,
ACL_URLPATH_REGEX,
+ ACL_URLPATH_RAW_REGEX,
ACL_URL_REGEX,
ACL_URL_PORT,
ACL_MY_PORT,