[squid-users] Squid regex grammar

Yuri yvoinov at gmail.com
Fri Oct 27 15:06:01 UTC 2017



27.10.2017 20:55, Alex Rousskov wrote:
> On 10/27/2017 08:32 AM, Amos Jeffries wrote:
>> On 28/10/17 02:59, Yuri wrote:
>>> the regular expression is simply silently ignored and it is extremely
>>> difficult to detect.
>> That sounds like a library problem. If Squid receives a regex error code
>> from the library when compiling any regex from your squid.conf it logs
>> the relevant error to cache.log.
> When a regular expression is using extended features, the basic regular
> expression compiler often (or even always?!) does not fail because it
> views the extended features as ordinary plain characters. Thus, Squid
> cannot tell that something went wrong.
>
> I cannot give a Squid-based example quickly, but here is a related
> illustration using grep (which is not exactly the same as what happens
> inside Squid, but I suspect it is similar enough for the illustration
> purposes in this context):
>
>> $ echo "foobar" | grep --basic-regexp    'foo|bar'
>> $ echo "foobar" | grep --extended-regexp 'foo|bar'
>> foobar
> As you can see, the basic compiler is silent about the "|" character
> that it does not support. Here is a similar example where a malformed
> extended regular expression is silently accepted by the basic compiler:
>
>
>> $ echo "foobar" | grep --basic-regexp 'foo(bar'
>> $ echo "foobar" | grep --extended-regexp 'foo(bar'
>> grep: Unmatched ( or \(
>
> In theory, Squid itself could detect special characters unsupported by
> the current regex library but doing so correctly without breaking many
> existing working configurations may be impossible. On the other hand,
> this validation could become an optional feature that admins can control.
>
> The best strategy for a Squid admin working with complex regex ACLs may
> be to add external test cases that validate ACL matching expectations,
> but doing so requires significant amount of work and discipline.

That's what I'm talking about. Just when it comes to hundreds and
thousands of regular expressions - this approach seems not too
acceptable. Therefore, I would like to see that the grammars used are
clearly documented. Squid with a simple configuration check often does
not show anything (if there are no obvious errors - i.e. incomplete
regex or similar) and, in a productive configuration, it is extremely
difficult to detect non-working access control list parts. There are
also thousands of websites.

Therefore, I would like either clear documentation or some tool for
checking whether the regular expression is correct from the point of
view of the current library used by Squid or not. The existing
opportunities seem completely unsatisfactory.
>
> Alex.

-- 
**************************
* C++: Bug to the future *
**************************
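
The comparison that the quoted grep illustration makes by hand, as an added example (not part of the original message and not Squid code): it compiles a pattern with POSIX regcomp() under both the basic and the extended grammar, then reports patterns that fail in only one grammar or that match an expected-to-match sample differently. The function names, verdict names and sample strings are constructed for illustration; which grammar Squid's regex library applies is not assumed here.

```c
/* Added example: compare one pattern under POSIX basic vs extended grammar. */
#include <regex.h>
#include <stdio.h>

/* Hypothetical verdict names, not taken from Squid. */
enum verdict { SAME, BOTH_INVALID, ERE_ONLY_ERROR, BRE_ONLY_ERROR, DIVERGES };

/* Compile pat with cflags and run it on sample.
 * Returns -1 on compile error, 1 on match, 0 on no match. */
static int try_match(const char *pat, int cflags, const char *sample)
{
    regex_t re;
    if (regcomp(&re, pat, cflags | REG_NOSUB) != 0)
        return -1;
    int hit = (regexec(&re, sample, 0, NULL, 0) == 0);
    regfree(&re);
    return hit;
}

/* sample should be a string the admin expects the ACL pattern to match. */
enum verdict check_pattern(const char *pat, const char *sample)
{
    int bre = try_match(pat, 0, sample);            /* basic grammar */
    int ere = try_match(pat, REG_EXTENDED, sample); /* extended grammar */
    if (bre < 0 && ere < 0) return BOTH_INVALID;
    if (ere < 0) return ERE_ONLY_ERROR; /* basic compiler accepts it silently */
    if (bre < 0) return BRE_ONLY_ERROR;
    return bre == ere ? SAME : DIVERGES; /* both compile, results differ */
}

int main(void)
{
    static const char *names[] = { "same", "invalid in both",
        "error only as extended", "error only as basic", "match differs" };
    /* Constructed cases: the two patterns from the grep illustration
     * plus two controls. */
    static const char *cases[][2] = {
        { "foo|bar", "foobar" }, { "foo(bar", "foobar" },
        { "^foo", "foobar" },    { "[abc", "abc" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-10s %s\n", cases[i][0],
               names[check_pattern(cases[i][0], cases[i][1])]);
    return 0;
}
```

A "match differs" verdict is only as good as the sample string, so each pattern needs at least one URL or host that the ACL is meant to match.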
