diff --git a/sources b/sources index 304c790..02e8a81 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (squid-7.3.tar.xz) = ad6bbe518d79d079f7fe5d1ee9ae7a3f49b28ba75afdb1f0db16675e1e4127be2bc30dd246b00576f29e987c08c41dbff50c8227166ae3955c460ff837a89e2b -SHA512 (squid-7.3.tar.xz.asc) = c6774627e0408d1feed5a00489ca95467f001261b201b82c3ab9c450856fe5ad27e50d43db7a2afe2aaff88930981f783315a1b764cac5619543852e93338273 +SHA512 (squid-6.14.tar.xz) = 5905060ae8d70128516c26cf379ed5b434c02525efe0e17ac56d4e060af7542b4a7a41ac3eca5ba5a00867791aed18ed5ed0e247b18a376e1ae7bc13039782f5 +SHA512 (squid-6.14.tar.xz.asc) = 5cc102787796db1cf4c71e9e21d3462becdd869eb72cd69a5c4ca74f60628a98a5543aabe7a0d0bc74c99a62bae0678d3ae6eab9dfe0e4dfb9c063678005f2e3 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.1-crash-half-closed.patch b/squid-6.1-crash-half-closed.patch new file mode 100644 index 0000000..901ece2 --- /dev/null +++ b/squid-6.1-crash-half-closed.patch @@ -0,0 +1,158 @@ +diff --git a/src/client_side.cc b/src/client_side.cc +index f488fc4..69586df 100644 +--- a/src/client_side.cc ++++ b/src/client_side.cc +@@ -932,7 +932,7 @@ ConnStateData::kick() + * We are done with the response, and we are either still receiving request + * body (early response!) or have already stopped receiving anything. + * +- * If we are still receiving, then clientParseRequest() below will fail. ++ * If we are still receiving, then parseRequests() below will fail. + * (XXX: but then we will call readNextRequest() which may succeed and + * execute a smuggled request as we are not done with the current request). + * +@@ -952,28 +952,12 @@ ConnStateData::kick() + * Attempt to parse a request from the request buffer. + * If we've been fed a pipelined request it may already + * be in our read buffer. +- * +- \par +- * This needs to fall through - if we're unlucky and parse the _last_ request +- * from our read buffer we may never re-register for another client read. + */ + +- if (clientParseRequests()) { +- debugs(33, 3, clientConnection << ": parsed next request from buffer"); +- } ++ parseRequests(); + +- /** \par +- * Either we need to kick-start another read or, if we have +- * a half-closed connection, kill it after the last request. +- * This saves waiting for half-closed connections to finished being +- * half-closed _AND_ then, sometimes, spending "Timeout" time in +- * the keepalive "Waiting for next request" state. +- */ +- if (commIsHalfClosed(clientConnection->fd) && pipeline.empty()) { +- debugs(33, 3, "half-closed client with no pending requests, closing"); +- clientConnection->close(); ++ if (!isOpen()) + return; +- } + + /** \par + * At this point we either have a parsed request (which we've +@@ -1893,16 +1877,11 @@ ConnStateData::receivedFirstByte() + resetReadTimeout(Config.Timeout.request); + } + +-/** +- * Attempt to parse one or more requests from the input buffer. +- * Returns true after completing parsing of at least one request [header]. That +- * includes cases where parsing ended with an error (e.g., a huge request). +- */ +-bool +-ConnStateData::clientParseRequests() ++/// Attempt to parse one or more requests from the input buffer. ++/// May close the connection. ++void ++ConnStateData::parseRequests() + { +- bool parsed_req = false; +- + debugs(33, 5, clientConnection << ": attempting to parse"); + + // Loop while we have read bytes that are not needed for producing the body +@@ -1947,8 +1926,6 @@ ConnStateData::clientParseRequests() + + processParsedRequest(context); + +- parsed_req = true; // XXX: do we really need to parse everything right NOW ? +- + if (context->mayUseConnection()) { + debugs(33, 3, "Not parsing new requests, as this request may need the connection"); + break; +@@ -1961,8 +1938,19 @@ ConnStateData::clientParseRequests() + } + } + +- /* XXX where to 'finish' the parsing pass? */ +- return parsed_req; ++ debugs(33, 7, "buffered leftovers: " << inBuf.length()); ++ ++ if (isOpen() && commIsHalfClosed(clientConnection->fd)) { ++ if (pipeline.empty()) { ++ // we processed what we could parse, and no more data is coming ++ debugs(33, 5, "closing half-closed without parsed requests: " << clientConnection); ++ clientConnection->close(); ++ } else { ++ // we parsed what we could, and no more data is coming ++ debugs(33, 5, "monitoring half-closed while processing parsed requests: " << clientConnection); ++ flags.readMore = false; // may already be false ++ } ++ } + } + + void +@@ -1979,18 +1967,7 @@ ConnStateData::afterClientRead() + if (pipeline.empty()) + fd_note(clientConnection->fd, "Reading next request"); + +- if (!clientParseRequests()) { +- if (!isOpen()) +- return; +- // We may get here if the client half-closed after sending a partial +- // request. See doClientRead() and shouldCloseOnEof(). +- // XXX: This partially duplicates ConnStateData::kick(). +- if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) { +- debugs(33, 5, clientConnection << ": half-closed connection, no completed request parsed, connection closing."); +- clientConnection->close(); +- return; +- } +- } ++ parseRequests(); + + if (!isOpen()) + return; +@@ -3775,7 +3752,7 @@ ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic) + startPinnedConnectionMonitoring(); + + if (pipeline.empty()) +- kick(); // in case clientParseRequests() was blocked by a busy pic.connection ++ kick(); // in case parseRequests() was blocked by a busy pic.connection + } + + /// Forward future client requests using the given server connection. +diff --git a/src/client_side.h b/src/client_side.h +index 6027b31..60b99b1 100644 +--- a/src/client_side.h ++++ b/src/client_side.h +@@ -98,7 +98,6 @@ public: + void doneWithControlMsg() override; + + /// Traffic parsing +- bool clientParseRequests(); + void readNextRequest(); + + /// try to make progress on a transaction or read more I/O +@@ -443,6 +442,7 @@ private: + + void checkLogging(); + ++ void parseRequests(); + void clientAfterReadingRequests(); + bool concurrentRequestQueueFilled() const; + +diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc +index 8c160e5..f49d5dc 100644 +--- a/src/tests/stub_client_side.cc ++++ b/src/tests/stub_client_side.cc +@@ -14,7 +14,7 @@ + #include "tests/STUB.h" + + #include "client_side.h" +-bool ConnStateData::clientParseRequests() STUB_RETVAL(false) ++void ConnStateData::parseRequests() STUB + void ConnStateData::readNextRequest() STUB + bool ConnStateData::isOpen() const STUB_RETVAL(false) + void ConnStateData::kick() STUB diff --git a/squid-6.11-ignore-wsp-after-chunk-size.patch b/squid-6.11-ignore-wsp-after-chunk-size.patch new file mode 100644 index 0000000..ea4025f --- /dev/null +++ b/squid-6.11-ignore-wsp-after-chunk-size.patch @@ -0,0 +1,367 @@ +From 8d0ee420a4d91ac7fd97316338f1e28b4b060cbf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Thu, 10 Oct 2024 19:26:27 +0200 +Subject: [PATCH 1/6] Ignore whitespace chars after chunk-size + +Previously (before #1498 change), squid was accepting TE-chunked replies +with whitespaces after chunk-size and missing chunk-ext data. After + +It turned out that replies with such whitespace chars are pretty +common and other webservers which can act as forward proxies (e.g. +nginx, httpd...) are accepting them. + +This change will allow to proxy chunked responses from origin server, +which had whitespaces inbetween chunk-size and CRLF. +--- + src/http/one/TeChunkedParser.cc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc +index 9cce10fdc91..04753395e16 100644 +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -125,6 +125,7 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + // Code becomes much simpler when incremental parsing functions throw on + // bad or insufficient input, like in the code below. TODO: Expand up. + try { ++ tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size + parseChunkExtensions(tok); // a possibly empty chunk-ext list + tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); + +From 9c8d35f899035fa06021ab3fe6919f892c2f0c6b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Fri, 11 Oct 2024 02:06:31 +0200 +Subject: [PATCH 2/6] Added new argument to Http::One::ParseBws() + +Depending on new wsp_only argument in ParseBws() it will be decided +which set of whitespaces characters will be parsed. If wsp_only is set +to true, only SP and HTAB chars will be parsed. + +Also optimized number of ParseBws calls. +--- + src/http/one/Parser.cc | 4 ++-- + src/http/one/Parser.h | 3 ++- + src/http/one/TeChunkedParser.cc | 13 +++++++++---- + src/http/one/TeChunkedParser.h | 2 +- + 4 files changed, 14 insertions(+), 8 deletions(-) + +diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc +index b1908316a0b..01d7e3bc0e8 100644 +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -273,9 +273,9 @@ Http::One::ErrorLevel() + + // BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule + void +-Http::One::ParseBws(Parser::Tokenizer &tok) ++Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) + { +- const auto count = tok.skipAll(Parser::WhitespaceCharacters()); ++ const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters()); + + if (tok.atEnd()) + throw InsufficientInput(); // even if count is positive +diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h +index d9a0ac8c273..08200371cd6 100644 +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -163,8 +163,9 @@ class Parser : public RefCountable + }; + + /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) ++/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars + /// \throws InsufficientInput when the end of BWS cannot be confirmed +-void ParseBws(Parser::Tokenizer &); ++void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); + + /// the right debugs() level for logging HTTP violation messages + int ErrorLevel(); +diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc +index 04753395e16..41e1e5ddaea 100644 +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -125,8 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + // Code becomes much simpler when incremental parsing functions throw on + // bad or insufficient input, like in the code below. TODO: Expand up. + try { +- tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size +- parseChunkExtensions(tok); // a possibly empty chunk-ext list ++ // A possibly empty chunk-ext list. If no chunk-ext has been found, ++ // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF". ++ if (!parseChunkExtensions(tok)) ++ ParseBws(tok, true); ++ + tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); + parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; +@@ -140,20 +143,22 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + + /// Parses the chunk-ext list (RFC 9112 section 7.1.1: + /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) +-void ++bool + Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) + { ++ bool foundChunkExt = false; + do { + auto tok = callerTok; + + ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size + + if (!tok.skip(';')) +- return; // reached the end of extensions (if any) ++ return foundChunkExt; // reached the end of extensions (if any) + + parseOneChunkExtension(tok); + buf_ = tok.remaining(); // got one extension + callerTok = tok; ++ foundChunkExt = true; + } while (true); + } + +diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h +index 02eacd1bb89..8c5d4bb4cba 100644 +--- a/src/http/one/TeChunkedParser.h ++++ b/src/http/one/TeChunkedParser.h +@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser + private: + bool parseChunkSize(Tokenizer &tok); + bool parseChunkMetadataSuffix(Tokenizer &); +- void parseChunkExtensions(Tokenizer &); ++ bool parseChunkExtensions(Tokenizer &); + void parseOneChunkExtension(Tokenizer &); + bool parseChunkBody(Tokenizer &tok); + bool parseChunkEnd(Tokenizer &tok); + +From 81e67f97f9c386bdd0bb4a5e182395c46adb70ad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Fri, 11 Oct 2024 02:44:33 +0200 +Subject: [PATCH 3/6] Fix typo in Parser.h + +--- + src/http/one/Parser.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h +index 08200371cd6..3ef4c5f7752 100644 +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -163,7 +163,7 @@ class Parser : public RefCountable + }; + + /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) +-/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars ++/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars + /// \throws InsufficientInput when the end of BWS cannot be confirmed + void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); + + +From a0d4fe1794e605f8299a5c118c758a807453f016 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Thu, 10 Oct 2024 22:39:42 -0400 +Subject: [PATCH 4/6] Bug 5449 is a regression of Bug 4492! + +Both bugs deal with "chunk-size SP+ CRLF" use cases. Bug 4492 had _two_ +spaces after chunk-size, which answers one of the PR review questions: +Should we skip just one space? No, we should not. + +The lines moved around in many commits, but I believe this regression +was introduced in commit 951013d0 because that commit stopped consuming +partially parsed chunk-ext sequences. That consumption was wrong, but it +had a positive side effect -- fixing Bug 4492... +--- + src/http/one/TeChunkedParser.cc | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc +index 41e1e5ddaea..aa4a840fdcf 100644 +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -125,10 +125,10 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + // Code becomes much simpler when incremental parsing functions throw on + // bad or insufficient input, like in the code below. TODO: Expand up. + try { +- // A possibly empty chunk-ext list. If no chunk-ext has been found, +- // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF". +- if (!parseChunkExtensions(tok)) +- ParseBws(tok, true); ++ // Bug 4492: IBM_HTTP_Server sends SP after chunk-size ++ ParseBws(tok, true); ++ ++ parseChunkExtensions(tok); + + tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); +@@ -150,7 +150,7 @@ Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) + do { + auto tok = callerTok; + +- ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size ++ ParseBws(tok); + + if (!tok.skip(';')) + return foundChunkExt; // reached the end of extensions (if any) + +From f837f5ff61301a17008f16ce1fb793c2abf19786 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Thu, 10 Oct 2024 23:06:42 -0400 +Subject: [PATCH 5/6] fixup: Fewer conditionals/ifs and more explicit spelling + +... to draw code reader attention when something unusual is going on. +--- + src/http/one/Parser.cc | 22 ++++++++++++++++++---- + src/http/one/Parser.h | 10 ++++++++-- + src/http/one/TeChunkedParser.cc | 14 ++++++-------- + src/http/one/TeChunkedParser.h | 2 +- + 4 files changed, 33 insertions(+), 15 deletions(-) + +diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc +index 01d7e3bc0e8..d3937e5e96b 100644 +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -271,11 +271,12 @@ Http::One::ErrorLevel() + return Config.onoff.relaxed_header_parser < 0 ? DBG_IMPORTANT : 5; + } + +-// BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule +-void +-Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) ++/// common part of ParseBws() and ParseStrctBws() ++namespace Http::One { ++static void ++ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars) + { +- const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters()); ++ const auto count = tok.skipAll(bwsChars); + + if (tok.atEnd()) + throw InsufficientInput(); // even if count is positive +@@ -290,4 +291,17 @@ Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) + + // success: no more BWS characters expected + } ++} // namespace Http::One ++ ++void ++Http::One::ParseBws(Parser::Tokenizer &tok) ++{ ++ ParseBws_(tok, CharacterSet::WSP); ++} ++ ++void ++Http::One::ParseStrictBws(Parser::Tokenizer &tok) ++{ ++ ParseBws_(tok, Parser::WhitespaceCharacters()); ++} + +diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h +index 3ef4c5f7752..49e399de546 100644 +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -163,9 +163,15 @@ class Parser : public RefCountable + }; + + /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) +-/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars + /// \throws InsufficientInput when the end of BWS cannot be confirmed +-void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); ++/// \sa WhitespaceCharacters() for the definition of BWS characters ++/// \sa ParseStrictBws() that avoids WhitespaceCharacters() uncertainties ++void ParseBws(Parser::Tokenizer &); ++ ++/// Like ParseBws() but only skips CharacterSet::WSP characters. This variation ++/// must be used if the next element may start with CR or any other character ++/// from RelaxedDelimiterCharacters(). ++void ParseStrictBws(Parser::Tokenizer &); + + /// the right debugs() level for logging HTTP violation messages + int ErrorLevel(); +diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc +index aa4a840fdcf..859471b8c77 100644 +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -125,11 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + // Code becomes much simpler when incremental parsing functions throw on + // bad or insufficient input, like in the code below. TODO: Expand up. + try { +- // Bug 4492: IBM_HTTP_Server sends SP after chunk-size +- ParseBws(tok, true); +- +- parseChunkExtensions(tok); ++ // Bug 4492: IBM_HTTP_Server sends SP after chunk-size. ++ // No ParseBws() here because it may consume CR required further below. ++ ParseStrictBws(tok); + ++ parseChunkExtensions(tok); // a possibly empty chunk-ext list + tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); + parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; +@@ -143,22 +143,20 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) + + /// Parses the chunk-ext list (RFC 9112 section 7.1.1: + /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) +-bool ++void + Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) + { +- bool foundChunkExt = false; + do { + auto tok = callerTok; + + ParseBws(tok); + + if (!tok.skip(';')) +- return foundChunkExt; // reached the end of extensions (if any) ++ return; // reached the end of extensions (if any) + + parseOneChunkExtension(tok); + buf_ = tok.remaining(); // got one extension + callerTok = tok; +- foundChunkExt = true; + } while (true); + } + +diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h +index 8c5d4bb4cba..02eacd1bb89 100644 +--- a/src/http/one/TeChunkedParser.h ++++ b/src/http/one/TeChunkedParser.h +@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser + private: + bool parseChunkSize(Tokenizer &tok); + bool parseChunkMetadataSuffix(Tokenizer &); +- bool parseChunkExtensions(Tokenizer &); ++ void parseChunkExtensions(Tokenizer &); + void parseOneChunkExtension(Tokenizer &); + bool parseChunkBody(Tokenizer &tok); + bool parseChunkEnd(Tokenizer &tok); + +From f79936a234e722adb2dd08f31cf6019d81ee712c Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Thu, 10 Oct 2024 23:31:08 -0400 +Subject: [PATCH 6/6] fixup: Deadly typo + +--- + src/http/one/Parser.cc | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc +index d3937e5e96b..7403a9163a2 100644 +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -296,12 +296,12 @@ ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars) + void + Http::One::ParseBws(Parser::Tokenizer &tok) + { +- ParseBws_(tok, CharacterSet::WSP); ++ ParseBws_(tok, Parser::WhitespaceCharacters()); + } + + void + Http::One::ParseStrictBws(Parser::Tokenizer &tok) + { +- ParseBws_(tok, Parser::WhitespaceCharacters()); ++ ParseBws_(tok, CharacterSet::WSP); + } + + diff --git a/squid-6.14-CVE-2025-62168.patch b/squid-6.14-CVE-2025-62168.patch new file mode 100644 index 0000000..650918c --- /dev/null +++ b/squid-6.14-CVE-2025-62168.patch @@ -0,0 +1,173 @@ +diff --git a/src/HttpRequest.cc b/src/HttpRequest.cc +index d6be6ae..5c85eb8 100644 +--- a/src/HttpRequest.cc ++++ b/src/HttpRequest.cc +@@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e) + + /* packs request-line and headers, appends terminator */ + void +-HttpRequest::pack(Packable * p) const ++HttpRequest::pack(Packable * const p, const bool maskSensitiveInfo) const + { + assert(p); + /* pack request-line */ +@@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const + SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()), + http_ver.major, http_ver.minor); + /* headers */ +- header.packInto(p); +- /* trailer */ ++ header.packInto(p, maskSensitiveInfo); ++ /* indicate the end of the header section */ + p->append("\r\n", 2); + } + +diff --git a/src/HttpRequest.h b/src/HttpRequest.h +index 2256a55..2ada8e5 100644 +--- a/src/HttpRequest.h ++++ b/src/HttpRequest.h +@@ -206,7 +206,7 @@ public: + + void swapOut(StoreEntry * e); + +- void pack(Packable * p) const; ++ void pack(Packable * p, bool maskSensitiveInfo = false) const; + + static void httpRequestPack(void *obj, Packable *p); + +diff --git a/src/cf.data.pre b/src/cf.data.pre +index 20a7338..d1f3317 100644 +--- a/src/cf.data.pre ++++ b/src/cf.data.pre +@@ -8941,12 +8941,18 @@ NAME: email_err_data + COMMENT: on|off + TYPE: onoff + LOC: Config.onoff.emailErrData +-DEFAULT: on ++DEFAULT: off + DOC_START + If enabled, information about the occurred error will be + included in the mailto links of the ERR pages (if %W is set) + so that the email body contains the data. + Syntax is %w ++ ++ SECURITY WARNING: ++ Request headers and other included facts may contain ++ sensitive information about transaction history, the ++ Squid instance, and its environment which would be ++ unavailable to error recipients otherwise. + DOC_END + + NAME: deny_info +diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc +index 6818d76..860edfc 100644 +--- a/src/client_side_reply.cc ++++ b/src/client_side_reply.cc +@@ -94,7 +94,7 @@ clientReplyContext::clientReplyContext(ClientHttpRequest *clientContext) : + void + clientReplyContext::setReplyToError( + err_type err, Http::StatusCode status, char const *uri, +- const ConnStateData *conn, HttpRequest *failedrequest, const char *unparsedrequest, ++ const ConnStateData *conn, HttpRequest *failedrequest, const char *, + #if USE_AUTH + Auth::UserRequest::Pointer auth_user_request + #else +@@ -104,9 +104,6 @@ clientReplyContext::setReplyToError( + { + auto errstate = clientBuildError(err, status, uri, conn, failedrequest, http->al); + +- if (unparsedrequest) +- errstate->request_hdrs = xstrdup(unparsedrequest); +- + #if USE_AUTH + errstate->auth_user_request = auth_user_request; + #endif +@@ -995,11 +992,14 @@ clientReplyContext::traceReply() + triggerInitialStoreRead(); + http->storeEntry()->releaseRequest(); + http->storeEntry()->buffer(); ++ MemBuf content; ++ content.init(); ++ http->request->pack(&content, true /* hide authorization data */); + const HttpReplyPointer rep(new HttpReply); +- rep->setHeaders(Http::scOkay, nullptr, "text/plain", http->request->prefixLen(), 0, squid_curtime); ++ rep->setHeaders(Http::scOkay, nullptr, "message/http", content.contentSize(), 0, squid_curtime); ++ rep->body.set(SBuf(content.buf, content.size)); + http->storeEntry()->replaceHttpReply(rep); +- http->request->swapOut(http->storeEntry()); +- http->storeEntry()->complete(); ++ http->storeEntry()->completeSuccessfully("traceReply() stored the entire response"); + } + + #define SENDING_BODY 0 +diff --git a/src/errorpage.cc b/src/errorpage.cc +index 0b7e5b8..31566dc 100644 +--- a/src/errorpage.cc ++++ b/src/errorpage.cc +@@ -792,7 +792,6 @@ ErrorState::~ErrorState() + { + safe_free(redirect_url); + safe_free(url); +- safe_free(request_hdrs); + wordlistDestroy(&ftp.server_msg); + safe_free(ftp.request); + safe_free(ftp.reply); +@@ -850,7 +849,10 @@ ErrorState::Dump(MemBuf * mb) + SQUIDSBUFPRINT(request->url.path()), + AnyP::ProtocolType_str[request->http_ver.protocol], + request->http_ver.major, request->http_ver.minor); +- request->header.packInto(&str); ++ MemBuf r; ++ r.init(); ++ request->pack(&r, true /* hide authorization data */); ++ str.append(r.content(), r.contentSize()); + } + + str.append("\r\n", 2); +@@ -1112,18 +1114,10 @@ ErrorState::compileLegacyCode(Build &build) + p = "[no request]"; + break; + } +- if (request) { +- mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n", +- SQUIDSBUFPRINT(request->method.image()), +- SQUIDSBUFPRINT(request->url.path()), +- AnyP::ProtocolType_str[request->http_ver.protocol], +- request->http_ver.major, request->http_ver.minor); +- request->header.packInto(&mb, true); //hide authorization data +- } else if (request_hdrs) { +- p = request_hdrs; +- } else { ++ else if (request) ++ request->pack(&mb, true /* hide authorization data */); ++ else + p = "[no request]"; +- } + break; + + case 's': +diff --git a/src/errorpage.h b/src/errorpage.h +index 8d23857..0dc10d7 100644 +--- a/src/errorpage.h ++++ b/src/errorpage.h +@@ -194,7 +194,6 @@ public: + MemBuf *listing = nullptr; + } ftp; + +- char *request_hdrs = nullptr; + char *err_msg = nullptr; /* Preformatted error message from the cache */ + + AccessLogEntryPointer ale; ///< transaction details (or nil) +diff --git a/src/tests/stub_HttpRequest.cc b/src/tests/stub_HttpRequest.cc +index 495597d..48a0f1c 100644 +--- a/src/tests/stub_HttpRequest.cc ++++ b/src/tests/stub_HttpRequest.cc +@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const HttpRequestMethod &, int64_t &) const STUB + bool HttpRequest::bodyNibbled() const STUB_RETVAL(false) + int HttpRequest::prefixLen() const STUB_RETVAL(0) + void HttpRequest::swapOut(StoreEntry *) STUB +-void HttpRequest::pack(Packable *) const STUB ++void HttpRequest::pack(Packable *, bool) const STUB + void HttpRequest::httpRequestPack(void *, Packable *) STUB + HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr) + HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr) diff --git a/squid.spec b/squid.spec index 84d079b..e567f33 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,7 @@ %define __perl_requires %{SOURCE98} -%define version_underscore %(echo %{version} | tr '.' '_') Name: squid -Version: 7.3 +Version: 6.14 Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 @@ -10,8 +9,8 @@ Epoch: 7 License: GPL-2.0-or-later AND (LGPL-2.0-or-later AND MIT AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND LicenseRef-Fedora-Public-Domain AND Beerware) URL: http://www.squid-cache.org -Source0: https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz -Source1: https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz.asc +Source0: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz +Source1: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz.asc Source2: http://www.squid-cache.org/pgp.asc Source3: squid.logrotate Source4: squid.sysconfig @@ -26,7 +25,7 @@ Source98: perl-requires-squid.sh # Upstream patches # Backported patches -# Patch101: squid-7.1-.....patch +# Patch101: patch # Local patches # Applying upstream patches first makes it less likely that local patches @@ -37,6 +36,13 @@ Patch203: squid-6.1-perlpath.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 Patch204: squid-6.1-symlink-lang-err.patch +# Upstream PR: https://github.com/squid-cache/squid/pull/1442 +Patch205: squid-6.1-crash-half-closed.patch +# Upstream PR: https://github.com/squid-cache/squid/pull/1914 +Patch206: squid-6.11-ignore-wsp-after-chunk-size.patch + +# Security patches +Patch500: squid-6.14-CVE-2025-62168.patch # cache_swap.sh Requires: bash gawk @@ -114,8 +120,8 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented --enable-eui \ --enable-follow-x-forwarded-for \ --enable-auth \ - --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \ - --enable-auth-ntlm="fake" \ + --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM" \ + --enable-auth-ntlm="SMB_LM,fake" \ --enable-auth-digest="file,LDAP" \ --enable-auth-negotiate="kerberos" \ --enable-external-acl-helpers="LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group" \ @@ -151,9 +157,9 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented --enable-translation # workaround to build squid v5 -#mkdir -p src/icmp/tests -#mkdir -p tools/squidclient/tests -#mkdir -p tools/tests +mkdir -p src/icmp/tests +mkdir -p tools/squidclient/tests +mkdir -p tools/tests %make_build @@ -224,6 +230,7 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf %config(noreplace) %attr(644,root,root) %{_sysconfdir}/httpd/conf.d/squid.conf %config(noreplace) %attr(640,root,squid) %{_sysconfdir}/squid/squid.conf +%config(noreplace) %attr(644,root,squid) %{_sysconfdir}/squid/cachemgr.conf %config(noreplace) %{_sysconfdir}/squid/mime.conf %config(noreplace) %{_sysconfdir}/squid/errorpage.css %config(noreplace) %{_sysconfdir}/sysconfig/squid @@ -231,6 +238,7 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf %config %{_sysconfdir}/squid/squid.conf.default %config %{_sysconfdir}/squid/mime.conf.default %config %{_sysconfdir}/squid/errorpage.css.default +%config %{_sysconfdir}/squid/cachemgr.conf.default %config(noreplace) %{_sysconfdir}/pam.d/squid %config(noreplace) %{_sysconfdir}/logrotate.d/squid @@ -239,7 +247,10 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf %{_prefix}/lib/NetworkManager %{_datadir}/squid/icons %{_sbindir}/squid +%{_bindir}/squidclient +%{_bindir}/purge %{_mandir}/man8/* +%{_mandir}/man1/* %{_libdir}/squid/* %{_datadir}/snmp/mibs/SQUID-MIB.txt %{_sysusersdir}/squid.conf @@ -306,30 +317,9 @@ fi %changelog -* Wed Oct 29 2025 Luboš Uhliarik - 7:7.3-1 -- new version 7.3 - -* Fri Oct 17 2025 Luboš Uhliarik - 7:7.2-1 -- new version 7.2 - -* Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-3 -- Support provider keys that require NULL digest - -* Thu Aug 14 2025 Luboš Uhliarik - 7:7.1-1 -- new version 7.1 -- removed squidclient -- removed purge -- removed cachemgr.cgi -- removed basic_smb_lm_auth and ntlm_smb_lm_auth helpers - -* Fri Jul 25 2025 Fedora Release Engineering - 7:6.14-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild - -* Mon Jul 21 2025 Luboš Uhliarik - 7:6.14-1 +* Sat Oct 18 2025 Luboš Uhliarik - 7:6.14-1 - new version 6.14 - -* Wed Mar 12 2025 Luboš Uhliarik - 7:6.13-2 -- Do not blame cache_peer for 4xx CONNECT responses +- Resolves: CVE-2025-62168 - Information disclosure in Squid * Tue Feb 04 2025 Luboš Uhliarik - 7:6.13-1 - new version 6.13