[squid-dev] [PATCH] Fix 'miss_access' and 'cache' checks when no ACL rules matched
Eduard Bagdasaryan
eduard.bagdasaryan at measurement-factory.com
Fri May 5 14:18:16 UTC 2017
Hello,
This patch fixes "miss_access" and "cache" checks when no ACL rules
matched.
The miss_access code allowed transactions to reach origin server when no
"allow" rules matched (and no "deny" rule matched either). This could
happen when a miss_access directive ACL could not make a "match" or
"mismatch" decision (e.g., the admin used a slow ACL or an ACL that
required authentication when the user was not authenticated).
Similarly, the "cache" directive code allowed requests to be served from
the cache (and responses to be stored in the cache) when no "allow" (and
"deny") rules matched. This behavior (established in v5 r14984) does not
contradict "Requests denied by this directive will not be..."
documentation, though.
I believe that both "miss_access" and "cache" directives should behave
like all other directives in similar contexts, i.e., "deny" in such
indeterminate cases because:
* It avoids problems with configurations like:
# broken if badGuys fails to match or mismatch (allows bad guys)
acl_driven_option allow !badGuys
That is what trunk r12176 has partially fixed.
* It makes ACL checking rules consistent with each other, especially if
there is no good reason for making exception for these two cases.
To help avoid similar problems in the future, and to improve code
consistency, I added an API that eliminates the need for direct
comparison with ACCESS_ALLOWED and ACCESS_DENIED.
Thanks,
Eduard.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-277-fix-and-clarify-access-denied-cases-t5.patch
Type: text/x-patch
Size: 127402 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20170505/40e466b0/attachment-0001.bin>
More information about the squid-dev
mailing list