Leong Tiang Wah writes:
> I have a somewhat related question. I notice that adding a trailing dot at the
> end of the hostname of a URL can actually bypass the following ACLs. The DNS
> lookup does return a valid IP address since it is a fully-qualified domain
> name.
>
> case 1 : http://www.playboy.com.
> case 2 : http://www.playboy.com./~sex
>
> Case 1
> ######
> acl Block_Site1 domain www.playboy.com
> http_access deny Block_Site1
>
> Case 2
> ######
> acl Block_Site2 url_regex www.playboy.com/~sex
> http_access deny Block_Site2
>
>
> I guess Squid should 'chop off' the trailing dot before comparing it with
> the ACLs.
There is a quick hack for this (and the upper/lower case problem),
but think twice before installing this patch, because your neighbors/parents
may not convert hostnames to canonical form, and you will see misses on all URLs
having mixed/upper case hostnames even if they were hits!
*** squid-1.0.0/src/url.c.orig Tue Sep 3 19:11:10 1996
--- squid-1.0.0/src/url.c Tue Sep 3 20:24:43 1996
***************
*** 248,258 ****
{
static char urlbuf[MAX_URL + 1];
static char portbuf[32];
if (buf == NULL)
buf = urlbuf;
switch (request->method) {
case METHOD_CONNECT:
! sprintf(buf, "%s:%d", request->host, request->port);
break;
default:
portbuf[0] = '\0';
--- 248,274 ----
{
static char urlbuf[MAX_URL + 1];
static char portbuf[32];
+
+ /* make host name canonical to keep host-based Acl's working - bne */
+ static char hostbuf[SQUIDHOSTNAMELEN+1];
+ register char *inp,*outp;
+ /* first make the hostname UPPER case */
+ for(inp=request->host,outp=hostbuf;*inp;inp++,outp++)
+ {
+ *outp=tolower(*inp);
+ }
+ /* finally eat trailing dots */
+ outp--;
+ while(*outp == '.')
+ outp--;
+ outp++;
+ *outp='\0';
+
if (buf == NULL)
buf = urlbuf;
switch (request->method) {
case METHOD_CONNECT:
! sprintf(buf, "%s:%d", hostbuf, request->port);
break;
default:
portbuf[0] = '\0';
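Review bot: The copy loop `for(inp=request->host,outp=hostbuf;*inp;inp++,outp++)` has no length check against SQUIDHOSTNAMELEN, so a host longer than hostbuf overruns the buffer, and the trailing-dot loop (`outp--; while(*outp == '.') outp--;`) walks before the start of hostbuf when request->host is empty or consists only of dots; bound the copy to the buffer size and stop the loop while `outp > hostbuf`. Also, the comment `/* first make the hostname UPPER case */` contradicts the `tolower(*inp)` call under it, and `tolower` wants `<ctype.h>` and an `unsigned char` argument.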
***************
*** 262,268 ****
ProtocolStr[request->protocol],
request->login,
*request->login ? "@" : "",
! request->host,
portbuf,
request->urlpath);
break;
--- 278,284 ----
ProtocolStr[request->protocol],
request->login,
*request->login ? "@" : "",
! hostbuf,
portbuf,
request->urlpath);
break;
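Review bot: Only the URL string assembled here is canonicalised; `request->host` itself keeps the original case and trailing dot, so any code path that reads `request->host` directly rather than the rebuilt URL still sees the un-normalised name. Normalising `request->host` in place when the request is parsed would cover both, and would also give one place to apply the rfc1945 port-80 elision raised in the P.S.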
--------
And a Perl script to update your logs
(first kill RunCache and squid, run this script, install the patched squid and
restart RunCache):
#!/usr/bin/perl
# Rewrite the squid cache log so its URLs use the same canonical host form
# as the patched url.c above: lower-case host, trailing dots removed.
use strict;
use warnings;

my $log    = "/usr/local/squid/cache/log";
my $newlog = "/usr/local/squid/cache/new-log";
open(LOG,    "<", $log)    or die "cannot read $log: $!";
open(NEWLOG, ">", $newlog) or die "cannot write $newlog: $!";
while (<LOG>) {
    chomp;
    my ($file, $url, $n1, $n2, $n3) = ($_ =~ m/^(\S+) (.*) (\d+) (\d+) (\d+)$/);
    next unless defined $file;            # skip anything that is not a log entry
    my $surl = url_norm($url);
    printf NEWLOG "%s %s %d %d %d\n", $file, $surl, $n1, $n2, $n3;
}
close LOG;
close NEWLOG;
rename $newlog, $log or die "cannot replace $log: $!";

sub url_norm {
    my ($url) = @_;
    my ($method, $hostport, $path) = ($url =~ m!^([^:]+)://([^/]+)(/[^#]*)!);
    return $url unless defined $path;     # leave URLs we cannot parse untouched
    my ($host, $port) = split /:/, $hostport, 2;
    $host =~ s/\.+$//;                     # eat trailing dots, as the patch does
    $hostport = defined $port ? "$host:$port" : $host;
    return "\L$method://$hostport\E$path";
}
Andrew. (Endre Balint Nagy) <bne@CareNet.hu>
P.S: another improvement towards standard conformance:
(excerpt from rfc1945)
The canonical form for "http" URLs is obtained by converting any
UPALPHA characters in host to their LOALPHA equivalent (hostnames are
case-insensitive), eliding the [ ":" port ] if the port is 80, and
replacing an empty abs_path with "/".
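As an added illustration (not part of Andrew's patch or of squid itself), the same host canonicalisation done with bounds checks, the rfc1945 port and abs_path rules quoted above, and an ACL comparison that normalises both sides so a trailing dot or mixed case no longer slips past a domain ACL; HOSTBUF_LEN is an assumed limit standing in for SQUIDHOSTNAMELEN.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define HOSTBUF_LEN 256   /* assumed limit; stands in for squid's SQUIDHOSTNAMELEN */

/* Copy host into out as a canonical name: lower-cased, trailing dots removed.
 * Unlike the patch's loop this checks the buffer size and refuses an empty or
 * all-dots host instead of walking before the buffer start. 0 ok, -1 error. */
int canon_host(const char *host, char *out, size_t outlen)
{
    size_t n = strlen(host);
    while (n > 0 && host[n - 1] == '.')   /* eat trailing dots */
        n--;
    if (n == 0 || n >= outlen)            /* nothing left, or no room for NUL */
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)host[i]);
    out[n] = '\0';
    return 0;
}

/* rfc1945 canonical form: "http://" host [":" port] abs_path, with ":80"
 * elided and an empty abs_path replaced by "/". Like the patched squid function
 * above it hands back a static buffer; NULL if the host is unusable or too long. */
const char *canon_http_url(const char *host, int port, const char *path)
{
    static char urlbuf[HOSTBUF_LEN + 1024];
    char hostbuf[HOSTBUF_LEN];
    int n;
    if (canon_host(host, hostbuf, sizeof hostbuf) != 0)
        return NULL;
    if (path == NULL || *path == '\0')
        path = "/";
    if (port == 80)
        n = snprintf(urlbuf, sizeof urlbuf, "http://%s%s", hostbuf, path);
    else
        n = snprintf(urlbuf, sizeof urlbuf, "http://%s:%d%s", hostbuf, port, path);
    return (n < 0 || (size_t)n >= sizeof urlbuf) ? NULL : urlbuf;
}

/* Match a request host against an acl domain entry after canonicalising both
 * sides, so "WWW.PLAYBOY.COM." still matches "www.playboy.com". */
int acl_domain_match(const char *acl_domain, const char *request_host)
{
    char a[HOSTBUF_LEN], b[HOSTBUF_LEN];
    if (canon_host(acl_domain, a, sizeof a) != 0 ||
        canon_host(request_host, b, sizeof b) != 0)
        return 0;                         /* an unusable host never matches */
    return strcmp(a, b) == 0;
}
```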
Received on Tue Sep 03 1996 - 11:53:14 MDT