hi Henrik,
it seems nobody has answered the email from
Greg Sheard (Sept. 30th) - may be of interest
for HEAD?
regards,
Clemens
> Hi,
>
> I work for a security company in Yorkshire, England, and many of the
> solutions we provide use Squid for proxying and caching. We've
> previously used squidGuard as a redirector, but are now moving away and
> relying on Squid's built-in features. One of the biggest problems with
> squidGuard is the lack of support for filtering UTF-8 and other
> encodings, apart from the generic US-ASCII. I noticed that Squid also
> lacks this, so I wrote the code.
>
> Key parts of Squid that are of interest to me are:
> * ACLs - especially the regex ones
> * Security features
> * Cache peering
> * Authentication
>
> Attached is a patch to give UTF-8 blocking support. It's come through
> testing here, and I'd welcome any feedback. In summary, it adds the new
> directive uri_utf (like uri_whitespace) with the possible states DENY
> and ALLOW.
>
> Cheers,
>
> Greg Sheard
> Technical Director
> ECSC Ltd.
> www.ecsc.co.uk
>
> #include <legal_disclaimer.h>
>
> "You have enemies? Good. That means you've
> stood up for something, sometime in your life."
> -- Sir Winston Churchill
>
> diff -urN squid-2.5.STABLE1/src/cache_cf.c squid-patched/src/cache_cf.c
> --- squid-2.5.STABLE1/src/cache_cf.c Sat Sep 7 16:13:59 2002
> +++ squid-patched/src/cache_cf.c Mon Sep 30 09:06:17 2002
> @@ -2150,6 +2150,33 @@
> storeAppendPrintf(entry, "%s %s\n", name, s);
> }
>
> +#define free_uri_utf free_int
> +
> +static void
> +parse_uri_utf(int *var)
> +{
> + char *token = strtok(NULL, w_space);
> + if (token == NULL)
> + self_destruct();
> + if (!strcasecmp(token, "deny"))
> + *var = URI_UTF_DENY;
> + else if (!strcasecmp(token, "allow"))
> + *var = URI_UTF_ALLOW;
> + else
> + self_destruct();
> +}
> +
> +static void
> +dump_uri_utf(StoreEntry * entry, const char *name, int var)
> +{
> + char *s;
> + if (var == URI_UTF_ALLOW)
> + s = "allow";
> + else
> + s = "deny";
> + storeAppendPrintf(entry, "%s %s\n", name, s);
> +}
> +
> static void
> free_removalpolicy(RemovalPolicySettings ** settings)
> {
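Review bot: In dump_uri_utf, `s` only ever points at string literals, so it should be declared `const char *s;` rather than `char *s;`. parse_uri_utf also depends on self_destruct() not returning, because `strcasecmp(token, "deny")` follows the NULL check with no `else`. A header comment such as `/* uri_utf: "allow" or "deny"; a missing or unknown token aborts via self_destruct() */` above parse_uri_utf would record that next to the parser.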
> diff -urN squid-2.5.STABLE1/src/cf.data.pre squid-patched/src/cf.data.pre
> --- squid-2.5.STABLE1/src/cf.data.pre Wed Sep 4 14:35:01 2002
> +++ squid-patched/src/cf.data.pre Mon Sep 30 09:06:17 2002
> @@ -3459,6 +3459,22 @@
> violation.
> DOC_END
>
> +NAME: uri_utf
> +TYPE: uri_utf
> +LOC: Config.uri_utf
> +DEFAULT: deny
> +DOC_START
> + What to do with requests that have UTF8 or other non-ASCII
> + encoded characters in the URI. Options:
> +
> + deny: The request is denied. The user receives an "Invalid
> + Request" message.
> + allow: The request is allowed and the URI is not changed. The
> + encoded characters remain in the URI. Note the
> + encoding is passed to redirector processes if they are
> + in use.
> +DOC_END
> +
> NAME: broken_posts
> TYPE: acl_access
> DEFAULT: none
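Review bot: `DEFAULT: deny` means an upgraded installation starts rejecting matching requests without any change to squid.conf; if that is intended the DOC text should say so, otherwise `DEFAULT: allow` keeps current behaviour. The description also does not match what stringHasUTF in tools.c checks: that function only looks at the character following a `%`, so unescaped 8-bit octets are not covered, while any escape whose first character is outside 0-7 (including a malformed one) is. I would reword the first sentence along the lines of `What to do with requests whose URI path contains a %-escape with the high bit set (%80-%FF).`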
> diff -urN squid-2.5.STABLE1/src/defines.h squid-patched/src/defines.h
> --- squid-2.5.STABLE1/src/defines.h Thu Aug 8 21:17:39 2002
> +++ squid-patched/src/defines.h Mon Sep 30 09:06:17 2002
> @@ -279,6 +279,9 @@
> #define URI_WHITESPACE_CHOP 3
> #define URI_WHITESPACE_DENY 4
>
> +#define URI_UTF_ALLOW 0
> +#define URI_UTF_DENY 1
> +
> #ifndef _PATH_DEVNULL
> #define _PATH_DEVNULL "/dev/null"
> #endif
> diff -urN squid-2.5.STABLE1/src/protos.h squid-patched/src/protos.h
> --- squid-2.5.STABLE1/src/protos.h Sat Sep 7 16:13:05 2002
> +++ squid-patched/src/protos.h Mon Sep 30 09:06:17 2002
> @@ -1162,6 +1162,7 @@
> extern const char *gb_to_str(const gb_t *);
> extern void gb_flush(gb_t *); /* internal, do not use this */
> extern int stringHasWhitespace(const char *);
> +extern int stringHasUTF(const char *);
> extern int stringHasCntl(const char *);
> extern void linklistPush(link_list **, void *);
> extern void *linklistShift(link_list **);
> diff -urN squid-2.5.STABLE1/src/structs.h squid-patched/src/structs.h
> --- squid-2.5.STABLE1/src/structs.h Sun Sep 8 00:11:23 2002
> +++ squid-patched/src/structs.h Mon Sep 30 09:06:17 2002
> @@ -650,6 +650,7 @@
> } comm_incoming;
> int max_open_disk_fds;
> int uri_whitespace;
> + int uri_utf;
> size_t rangeOffsetLimit;
> #if MULTICAST_MISS_STREAM
> struct {
> diff -urN squid-2.5.STABLE1/src/tools.c squid-patched/src/tools.c
> --- squid-2.5.STABLE1/src/tools.c Sat Sep 7 16:13:05 2002
> +++ squid-patched/src/tools.c Mon Sep 30 09:06:17 2002
> @@ -890,6 +890,22 @@
> return strpbrk(s, w_space) != NULL;
> }
>
> +int
> +stringHasUTF(const char *s)
> +{
> + char *pc = NULL;
> + pc = index(s, '%');
> + while (1) {
> + if (pc == NULL) return 0;
> + pc++;
> + if (*pc >= '8' || *pc < '0') {
> + return 1;
> + }
> + pc = index(pc, '%');
> + }
> + return 0;
> +}
> +
> void
> linklistPush(link_list ** L, void *p)
> {
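Review bot: stringHasUTF inspects only the character after each `%`, so a path carrying raw octets of 0x80 and above is reported as clean, while any `%` not followed by 0-7 (a trailing `%`, `%zz`) is reported as UTF. If the directive is meant to cover non-ASCII data in either form, scan the octets as well, as sketched below. The sketch also replaces the legacy `index()` with a plain loop, keeps the pointer `const`, and drops the unreachable `return 0` after `while (1)`. Neither version validates UTF-8 sequences, so a short comment saying the function flags 8-bit data rather than UTF-8 would match the behaviour better than the name does.

```c
int
stringHasUTF(const char *s)
{
    const unsigned char *p;
    for (p = (const unsigned char *) s; *p != '\0'; p++) {
	if (*p >= 0x80)
	    return 1;		/* unescaped 8-bit octet */
	if (*p == '%' && (p[1] < '0' || p[1] >= '8'))
	    return 1;		/* escape with the high bit set, or malformed */
    }
    return 0;
}
```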
> diff -urN squid-2.5.STABLE1/src/url.c squid-patched/src/url.c
> --- squid-2.5.STABLE1/src/url.c Thu Sep 12 06:21:00 2002
> +++ squid-patched/src/url.c Mon Sep 30 09:06:17 2002
> @@ -353,6 +353,16 @@
> *q = '\0';
> }
> }
> + if (stringHasUTF(urlpath)) {
> + debug(23, 2) ("urlParse: URI has UTF: {%s}\n", url);
> + switch (Config.uri_utf) {
> + case URI_UTF_ALLOW:
> + break;
> + case URI_UTF_DENY:
> + default:
> + return NULL;
> + }
> + }
> request = requestCreate(method, protocol, urlpath);
> xstrncpy(request->host, host, SQUIDHOSTNAMELEN);
> xstrncpy(request->login, login, MAX_LOGIN_SZ);
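Review bot: Only `urlpath` is passed to stringHasUTF here; `host` and `login`, copied into the request just below, are not checked, so `uri_utf deny` is narrower than the "in the URI" wording in cf.data.pre. Either extend the check or document the scope, e.g. `/* uri_utf covers the path only; unknown settings fall through to deny */` above the `if`. The scan and the level-2 debug line also run when the setting is allow; testing `Config.uri_utf != URI_UTF_ALLOW` first would skip that work if the log line is not needed. The enclosing function (urlParse, going by the debug text) starts and ends outside this hunk.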
>
<< signature.asc >>
Received on Wed Oct 02 2002 - 05:20:38 MDT