-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 21 Jun 2004, Muthukumar wrote:
> One more change is needed in the patch as,
> make that acl to be available on squid.conf with your detailed comments for that.
> If you wish make that change on patch and send it to list with CC to henrick.
Ok, fixed that - the modified patch is attached.
- ---
The attached patch against squid-2.5.STABLE5 adds a new ACL type called
"urlpath_raw_regex". It works in exactly the same way as "urlpath_regex"
except no unescaping of the URI is done first, which makes it possible to
filter specific attacks that escape some characters in the URI without
blocking legitimate requests.
For example, you can filter URIs containing "%2easp" (the signature of some
attacks) without blocking legitimate requests for ".asp".
- ---
- - Steve Hill
Senior Software Developer Email: [EMAIL PROTECTED]
Navaho Technologies Ltd. Tel: +44-870-7034015
... Alcohol and calculus don't mix - Don't drink and derive! ...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Public key available at http://linux.navaho.co.uk/pubkey.steve.txt
iD8DBQFA1/icb26jEkrydY4RAotyAJ0Xn1CV4jAh3TTph95boNN++9ZvGwCgzf+C
LqsYOGLz0piNjjj47b2J4vc=
=c0x9
-----END PGP SIGNATURE-----
diff -urN squid-2.5.STABLE5.vanilla/src/acl.c squid-2.5.STABLE5/src/acl.c
--- squid-2.5.STABLE5.vanilla/src/acl.c 2004-02-27 17:36:35.000000000 +0100
+++ squid-2.5.STABLE5/src/acl.c 2004-06-22 10:23:34.839051573 +0200
@@ -128,6 +128,8 @@
return ACL_URLPATH_REGEX;
if (!strcmp(s, "urlpath_regex"))
return ACL_URLPATH_REGEX;
+ if (!strcmp(s, "urlpath_raw_regex"))
+ return ACL_URLPATH_RAW_REGEX;
if (!strcmp(s, "url_regex"))
return ACL_URL_REGEX;
if (!strcmp(s, "port"))
@@ -204,6 +206,8 @@
return "time";
if (type == ACL_URLPATH_REGEX)
return "urlpath_regex";
+ if (type == ACL_URLPATH_RAW_REGEX)
+ return "urlpath_raw_regex";
if (type == ACL_URL_REGEX)
return "url_regex";
if (type == ACL_URL_PORT)
@@ -746,6 +750,7 @@
case ACL_URL_REGEX:
case ACL_URLLOGIN:
case ACL_URLPATH_REGEX:
+ case ACL_URLPATH_RAW_REGEX:
case ACL_BROWSER:
case ACL_REFERER_REGEX:
case ACL_SRC_DOM_REGEX:
@@ -1474,6 +1479,7 @@
case ACL_REP_MIME_TYPE:
case ACL_REQ_MIME_TYPE:
case ACL_URLPATH_REGEX:
+ case ACL_URLPATH_RAW_REGEX:
case ACL_URL_PORT:
case ACL_URL_REGEX:
case ACL_URLLOGIN:
@@ -1574,6 +1580,12 @@
safe_free(esc_buf);
return k;
/* NOTREACHED */
+ case ACL_URLPATH_RAW_REGEX:
+ esc_buf = xstrdup(strBuf(r->urlpath));
+ k = aclMatchRegex(ae->data, esc_buf);
+ safe_free(esc_buf);
+ return k;
+ /* NOTREACHED */
case ACL_URL_REGEX:
esc_buf = xstrdup(urlCanonical(r));
rfc1738_unescape(esc_buf);
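Review bot: The new `ACL_URLPATH_RAW_REGEX` case matches the stored path byte-for-byte, so a pattern such as `%2easp` will not match `%2Easp` unless the ACL is configured with `-i`; a comment on the case should say so, for example `/* raw match: percent-escapes are compared verbatim, so hex-digit case matters and this is not a substitute for urlpath_regex */`. Since nothing is unescaped in place, the `xstrdup`/`safe_free` pair looks unnecessary here, and if `aclMatchRegex` accepts a `const char *` (its prototype is outside the hunk) the case could be `return aclMatchRegex(ae->data, strBuf(r->urlpath));`. The enclosing switch starts and ends outside the hunk.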
@@ -2155,6 +2167,7 @@
case ACL_URL_REGEX:
case ACL_URLLOGIN:
case ACL_URLPATH_REGEX:
+ case ACL_URLPATH_RAW_REGEX:
case ACL_BROWSER:
case ACL_REFERER_REGEX:
case ACL_SRC_DOM_REGEX:
@@ -2570,7 +2583,7 @@
case ACL_PROXY_AUTH_REGEX:
case ACL_URL_REGEX:
case ACL_URLLOGIN:
- case ACL_URLPATH_REGEX:
+ case ACL_URLPATH_RAW_REGEX:
case ACL_BROWSER:
case ACL_REFERER_REGEX:
case ACL_SRC_DOM_REGEX:
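Review bot: This hunk replaces `case ACL_URLPATH_REGEX:` with `case ACL_URLPATH_RAW_REGEX:` instead of adding a label, so in this switch the existing `urlpath_regex` type no longer shares the regex branch and presumably ends up in whatever the default does. Every other hunk in acl.c keeps the old label and adds the new one beneath it, which suggests this is a slip. Keep `case ACL_URLPATH_REGEX:` and add `case ACL_URLPATH_RAW_REGEX:` on the following line. The switch and its enclosing function are outside the hunk, so which operation is affected cannot be confirmed from here.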
diff -urN squid-2.5.STABLE5.vanilla/src/cf.data.pre squid-2.5.STABLE5/src/cf.data.pre
--- squid-2.5.STABLE5.vanilla/src/cf.data.pre 2004-02-10 22:01:21.000000000 +0100
+++ squid-2.5.STABLE5/src/cf.data.pre 2004-06-22 10:36:53.516068180 +0200
@@ -2004,6 +2004,7 @@
h1:m1 must be less than h2:m2
acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
+ acl aclname urlpath_raw_regex [-i] %2egif$ ... # regex matching on raw (i.e.
not unescaped) URL path
acl aclname urllogin [-i] [^a-zA-Z0-9] ... # regex matching on URL login
field
acl aclname port 80 70 21 ...
acl aclname port 0-1024 ... # ranges allowed
diff -urN squid-2.5.STABLE5.vanilla/src/enums.h squid-2.5.STABLE5/src/enums.h
--- squid-2.5.STABLE5.vanilla/src/enums.h 2004-02-04 18:42:28.000000000 +0100
+++ squid-2.5.STABLE5/src/enums.h 2004-06-22 10:23:34.840051427 +0200
@@ -107,6 +107,7 @@
ACL_DST_DOM_REGEX,
ACL_TIME,
ACL_URLPATH_REGEX,
+ ACL_URLPATH_RAW_REGEX,
ACL_URL_REGEX,
ACL_URL_PORT,
ACL_MY_PORT,