[squid-dev] [PATCH] Fix ext_session_acl to handle - when no argument is passed

Amos Jeffries squid3 at treenet.co.nz
Wed Mar 22 12:44:55 UTC 2017


On 22/03/2017 11:04 p.m., Trever L. Adams wrote:
> Amos,
> 
> Sure. I am using squid-4.0.17-1.fc25.x86_64. If you follow the
> directions in http://wiki.squid-cache.org/ConfigExamples/Portal/Splash,
> they do not work. This is because Squid is sending the following for query:
> "# IP -" (I am using %SRC not %LOGIN, the example shows this, other uses
> and examples use %LOGIN, which doesn't apply in my case.). The plugin
> does not work because for this to work it would expect "# IP - LOGIN"
> for the login. My patch addresses this by ignoring anything after the " "
> if it doesn't match expected data.
> 
> I have done this by testing by directly calling ext_session_acl and strace.
> 
> The downside of the patch is it may break installations where people
> are working around this by adding the - before the LOGIN in the acl
> lines in their configuration.
> 
> I believe my patch applies to all versions of the tree on github
> provided that the location is appropriate (the code doesn't seem to have
> changed).

Ah. This is a side effect of the change to using logformat tokens. The
%DATA field is always present now.

We cannot simply ignore any value in the lastdetail field since when the
helper is in passive mode it might be part of the session ID.

At best we need the helper to check for the exact string " -" and drop
that if it occurs. That should be safe enough with both modes because an
empty last parameter will be a unique match in both anyway - it might as
well be missing as " -" string. The DB entry will be different from what
one might expect, but have a consistent value for passive mode.

> 
> If you can point me to the appropriate repository, I can redo the patch
> if desired.

No need. With the above change I'm re-writing the fix entirely.

Are you able to test whether the below patch works for you?
It passes my basic tests.

Cheers
Amos

=== modified file 'src/acl/external/session/ext_session_acl.cc'
--- src/acl/external/session/ext_session_acl.cc 2017-01-01 00:12:22 +0000
+++ src/acl/external/session/ext_session_acl.cc 2017-03-22 12:41:55 +0000
@@ -193,41 +193,47 @@
         int action = 0;
         const char *channel_id = strtok(request, " ");
         char *detail = strtok(NULL, "\n");
         if (detail == NULL) {
             // Only 1 paramater supplied. We are expecting at least 2
(including the channel ID)
             fprintf(stderr, "FATAL: %s is concurrent and requires the
concurrency option to be specified.\n", program_name);
             shutdown_db();
             exit(1);
         }
         char *lastdetail = strrchr(detail, ' ');
         size_t detail_len = strlen(detail);
         if (lastdetail) {
             if (strcmp(lastdetail, " LOGIN") == 0) {
                 action = 1;
                 detail_len = (size_t)(lastdetail-detail);
                 *lastdetail = '\0';
             } else if (strcmp(lastdetail, " LOGOUT") == 0) {
                 action = -1;
                 detail_len = (size_t)(lastdetail-detail);
                 *lastdetail = '\0';
+            } else if (!default_action && strcmp(lastdetail, " -") == 0) {
+                // no action; LOGIN/LOGOUT not supplied
+                // but truncate the '-' %DATA value given by Squid-4
and later
+                detail_len = (size_t)(lastdetail-detail);
+                *lastdetail = '\0';
             }
+            // else do nothing
         }
         if (action == -1) {
             session_logout(detail, detail_len);
             printf("%s OK message=\"Bye\"\n", channel_id);
         } else if (action == 1) {
             session_login(detail, detail_len);
             printf("%s OK message=\"Welcome\"\n", channel_id);
         } else if (session_active(detail, detail_len)) {
             if (fixed_timeout == 0) {
                 session_login(detail, detail_len);
             }
             printf("%s OK\n", channel_id);
         } else if (default_action == 1) {
             session_login(detail, detail_len);
             printf("%s ERR message=\"Welcome\"\n", channel_id);
         } else {
             printf("%s ERR message=\"No session available\"\n",
channel_id);
         }
     }
     shutdown_db();
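
Review bot: the new `else if` branch is gated on `!default_action`, so when default_action is 1 a trailing " -" is not truncated and stays inside detail/detail_len, which are then used as the key in session_active() and in the `default_action == 1` session_login() call. The LOGIN and LOGOUT branches just above always strip their token, so a session stored through "IP LOGIN" is keyed on "IP" while a later "IP -" lookup with default_action == 1 is keyed on "IP -" and will not find it. Either drop the `!default_action &&` condition so the key is the same in both modes, or extend the comment to say why the " -" must be kept when default_action is 1 and that LOGIN/LOGOUT keys will not match plain lookups in that mode. The trailing `// else do nothing` comment could also state that an unrecognised last token is deliberately kept as part of the key.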
