diff -u -r -N squid-4.0.6/ChangeLog squid-4.0.7/ChangeLog
--- squid-4.0.6/ChangeLog	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/ChangeLog	2016-02-24 06:47:50.000000000 +1300
@@ -1,3 +1,13 @@
+Changes to squid-4.0.7 (23 Feb 2016):
+
+	- Regression Fix: external_acl parameters separated by %20 instead of space
+	- Bug 4432: assertion failed: store.cc:1919: "isEmpty()"
+	- Bug 4111: leave_suid() does not properly handle error codes returned by setuid
+	- Fix propagation of response status line parsing error details
+	- Fix memory leak when the cache of sslcrtvalidator_program is disabled via ttl=0
+	- ... and some code SourceLayout project cleaning
+	- ... and all fixes from squid 3.5.15
+
 Changes to squid-4.0.6 (16 Feb 2016):
 
 	- Regression Bug 4436: Fix DEFAULT_SSL_CRTD
@@ -110,6 +120,14 @@
 	- ... and many documentation changes
 	- ... and much code cleanup and polishing
 
+Changes to squid-3.5.15 (23 Feb 2016):
+
+	- Bug 3870: assertion failed: String.cc: 'len_ + len <65536' in ESI::CustomParser
+	- Fix multiple assertion on String overflows
+	- Fix unit test errors on MacOS
+	- Better handling of huge response headers. Fewer incorrect "Bug #3279" messages.
+	- Log noise reduction for eCAP
+
 Changes to squid-3.5.14 (16 Feb 2016):
 
 	- Bug 4437: Fix Segfault on Certain SSL Handshake Errors
diff -u -r -N squid-4.0.6/configure squid-4.0.7/configure
--- squid-4.0.6/configure	2016-02-16 04:57:09.000000000 +1300
+++ squid-4.0.7/configure	2016-02-24 06:49:58.000000000 +1300
@@ -1,7 +1,7 @@
 #! /bin/sh
 # From configure.ac Revision.
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for Squid Web Proxy 4.0.6.
+# Generated by GNU Autoconf 2.69 for Squid Web Proxy 4.0.7.
 #
 # Report bugs to <http://bugs.squid-cache.org/>.
 #
@@ -595,8 +595,8 @@
 # Identity of this package.
 PACKAGE_NAME='Squid Web Proxy'
 PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='4.0.6'
-PACKAGE_STRING='Squid Web Proxy 4.0.6'
+PACKAGE_VERSION='4.0.7'
+PACKAGE_STRING='Squid Web Proxy 4.0.7'
 PACKAGE_BUGREPORT='http://bugs.squid-cache.org/'
 PACKAGE_URL=''
 
@@ -1650,7 +1650,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures Squid Web Proxy 4.0.6 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 4.0.7 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1721,7 +1721,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of Squid Web Proxy 4.0.6:";;
+     short | recursive ) echo "Configuration of Squid Web Proxy 4.0.7:";;
    esac
   cat <<\_ACEOF
 
@@ -2148,7 +2148,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-Squid Web Proxy configure 4.0.6
+Squid Web Proxy configure 4.0.7
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3252,7 +3252,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by Squid Web Proxy $as_me 4.0.6, which was
+It was created by Squid Web Proxy $as_me 4.0.7, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4119,7 +4119,7 @@
 
 # Define the identity of the package.
  PACKAGE='squid'
- VERSION='4.0.6'
+ VERSION='4.0.7'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -42470,7 +42470,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by Squid Web Proxy $as_me 4.0.6, which was
+This file was extended by Squid Web Proxy $as_me 4.0.7, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -42536,7 +42536,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-Squid Web Proxy config.status 4.0.6
+Squid Web Proxy config.status 4.0.7
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -u -r -N squid-4.0.6/configure.ac squid-4.0.7/configure.ac
--- squid-4.0.6/configure.ac	2016-02-16 04:57:08.000000000 +1300
+++ squid-4.0.7/configure.ac	2016-02-24 06:49:58.000000000 +1300
@@ -5,7 +5,7 @@
 ## Please see the COPYING and CONTRIBUTORS files for details.
 ##
 
-AC_INIT([Squid Web Proxy],[4.0.6],[http://bugs.squid-cache.org/],[squid])
+AC_INIT([Squid Web Proxy],[4.0.7],[http://bugs.squid-cache.org/],[squid])
 AC_PREREQ(2.61)
 AC_CONFIG_HEADERS([include/autoconf.h])
 AC_CONFIG_AUX_DIR(cfgaux)
diff -u -r -N squid-4.0.6/doc/release-notes/release-4.html squid-4.0.7/doc/release-notes/release-4.html
--- squid-4.0.6/doc/release-notes/release-4.html	2016-02-16 05:55:04.000000000 +1300
+++ squid-4.0.7/doc/release-notes/release-4.html	2016-02-24 07:38:32.000000000 +1300
@@ -2,10 +2,10 @@
 <HTML>
 <HEAD>
  <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.71">
- <TITLE>Squid 4.0.6 release notes</TITLE>
+ <TITLE>Squid 4.0.7 release notes</TITLE>
 </HEAD>
 <BODY>
-<H1>Squid 4.0.6 release notes</H1>
+<H1>Squid 4.0.7 release notes</H1>
 
 <H2>Squid Developers</H2>
 <HR>
@@ -60,7 +60,7 @@
 <HR>
 <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
 
-<P>The Squid Team are pleased to announce the release of Squid-4.0.6 for testing.</P>
+<P>The Squid Team are pleased to announce the release of Squid-4.0.7 for testing.</P>
 <P>This new release is available for download from 
 <A HREF="http://www.squid-cache.org/Versions/v4/">http://www.squid-cache.org/Versions/v4/</A> or the
 <A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P>
diff -u -r -N squid-4.0.6/include/version.h squid-4.0.7/include/version.h
--- squid-4.0.6/include/version.h	2016-02-16 04:57:09.000000000 +1300
+++ squid-4.0.7/include/version.h	2016-02-24 06:49:58.000000000 +1300
@@ -7,7 +7,7 @@
  */
 
 #ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1455551674
+#define SQUID_RELEASE_TIME 1456249662
 #endif
 
 /*
diff -u -r -N squid-4.0.6/RELEASENOTES.html squid-4.0.7/RELEASENOTES.html
--- squid-4.0.6/RELEASENOTES.html	2016-02-16 05:55:04.000000000 +1300
+++ squid-4.0.7/RELEASENOTES.html	2016-02-24 07:38:32.000000000 +1300
@@ -2,10 +2,10 @@
 <HTML>
 <HEAD>
  <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.71">
- <TITLE>Squid 4.0.6 release notes</TITLE>
+ <TITLE>Squid 4.0.7 release notes</TITLE>
 </HEAD>
 <BODY>
-<H1>Squid 4.0.6 release notes</H1>
+<H1>Squid 4.0.7 release notes</H1>
 
 <H2>Squid Developers</H2>
 <HR>
@@ -60,7 +60,7 @@
 <HR>
 <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
 
-<P>The Squid Team are pleased to announce the release of Squid-4.0.6 for testing.</P>
+<P>The Squid Team are pleased to announce the release of Squid-4.0.7 for testing.</P>
 <P>This new release is available for download from 
 <A HREF="http://www.squid-cache.org/Versions/v4/">http://www.squid-cache.org/Versions/v4/</A> or the
 <A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P>
diff -u -r -N squid-4.0.6/src/acl/external/delayer/ext_delayer_acl.8 squid-4.0.7/src/acl/external/delayer/ext_delayer_acl.8
--- squid-4.0.6/src/acl/external/delayer/ext_delayer_acl.8	2016-02-16 05:56:02.000000000 +1300
+++ squid-4.0.7/src/acl/external/delayer/ext_delayer_acl.8	2016-02-24 07:39:12.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_DELAYER_ACL 8"
-.TH EXT_DELAYER_ACL 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation"
+.TH EXT_DELAYER_ACL 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.6/src/acl/external/SQL_session/ext_sql_session_acl.8 squid-4.0.7/src/acl/external/SQL_session/ext_sql_session_acl.8
--- squid-4.0.6/src/acl/external/SQL_session/ext_sql_session_acl.8	2016-02-16 05:56:13.000000000 +1300
+++ squid-4.0.7/src/acl/external/SQL_session/ext_sql_session_acl.8	2016-02-24 07:39:20.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_SQL_SESSION_ACL 8"
-.TH EXT_SQL_SESSION_ACL 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation"
+.TH EXT_SQL_SESSION_ACL 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.6/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 squid-4.0.7/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8
--- squid-4.0.6/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8	2016-02-16 05:56:17.000000000 +1300
+++ squid-4.0.7/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8	2016-02-24 07:39:24.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_WBINFO_GROUP_ACL 8"
-.TH EXT_WBINFO_GROUP_ACL 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.6/src/adaptation/ecap/Host.cc squid-4.0.7/src/adaptation/ecap/Host.cc
--- squid-4.0.6/src/adaptation/ecap/Host.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/adaptation/ecap/Host.cc	2016-02-24 06:47:50.000000000 +1300
@@ -137,7 +137,7 @@
         return DBG_DATA; // is it a good idea to ignore other flags?
 
     if (lv.application())
-        return DBG_IMPORTANT; // is it a good idea to ignore other flags?
+        return lv.normal() ? DBG_IMPORTANT : 2;
 
     return 2 + 2*lv.debugging() + 3*lv.operation() + 2*lv.xaction();
 }
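Review bot: The bare `2` returned for non-normal application messages is unexplained, and the old question comment was removed without a replacement. It appears to match the base level of the expression on the function's final return, so a short comment such as `// non-normal application messages use the same base level as the formula below` would keep the two in step. The function begins above this hunk, so how `lv.normal()` relates to the earlier branches is not visible here.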
diff -u -r -N squid-4.0.6/src/auth/basic/DB/basic_db_auth.8 squid-4.0.7/src/auth/basic/DB/basic_db_auth.8
--- squid-4.0.6/src/auth/basic/DB/basic_db_auth.8	2016-02-16 05:56:49.000000000 +1300
+++ squid-4.0.7/src/auth/basic/DB/basic_db_auth.8	2016-02-24 07:39:46.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BASIC_DB_AUTH 8"
-.TH BASIC_DB_AUTH 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.6/src/auth/basic/POP3/basic_pop3_auth.8 squid-4.0.7/src/auth/basic/POP3/basic_pop3_auth.8
--- squid-4.0.6/src/auth/basic/POP3/basic_pop3_auth.8	2016-02-16 05:56:59.000000000 +1300
+++ squid-4.0.7/src/auth/basic/POP3/basic_pop3_auth.8	2016-02-24 07:39:53.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BASIC_POP3_AUTH 8"
-.TH BASIC_POP3_AUTH 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation"
+.TH BASIC_POP3_AUTH 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.6/src/cf.data.pre squid-4.0.7/src/cf.data.pre
--- squid-4.0.6/src/cf.data.pre	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/cf.data.pre	2016-02-24 06:47:50.000000000 +1300
@@ -712,7 +712,7 @@
 	This option defines external acl classes using a helper program
 	to look up the status
 
-	  external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
+	  external_acl_type name [options] FORMAT /path/to/helper [helper arguments]
 
 	Options:
 
@@ -774,13 +774,18 @@
 
 	  %ACL		The name of the ACL being tested.
 
-	  %DATA		The ACL arguments. If a logformat encoding modifier
-			is used it will encode the whole set of arguments
-			as a single token.
-
-			If not used; then any arguments are automatically
-			added at the end of the line sent to the helper
-			as separately URL-encoded fields.
+	  %DATA		The ACL arguments separated by spaces (an
+			"argument string").
+
+			By default, Squid applies URL-encoding to each ACL
+			argument inside the argument string. If an explicit
+			encoding modifier is used (e.g., %#DATA), then Squid
+			encodes the whole argument string as a single token
+			(e.g., with %#DATA, spaces between arguments become
+			%20).
+
+			If you do not specify a DATA macro inside FORMAT,
+			Squid automatically appends %DATA to your FORMAT.
 
 	If SSL is enabled, the following formating codes become available:
 
diff -u -r -N squid-4.0.6/src/clients/Client.cc squid-4.0.7/src/clients/Client.cc
--- squid-4.0.6/src/clients/Client.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/clients/Client.cc	2016-02-24 06:47:50.000000000 +1300
@@ -49,6 +49,7 @@
     startedAdaptation(false),
 #endif
     receivedWholeRequestBody(false),
+    doneWithFwd(nullptr),
     theVirginReply(NULL),
     theFinalReply(NULL)
 {
@@ -74,8 +75,6 @@
     HTTPMSGUNLOCK(theVirginReply);
     HTTPMSGUNLOCK(theFinalReply);
 
-    fwd = NULL; // refcounted
-
     if (responseBodyBuffer != NULL) {
         delete responseBodyBuffer;
         responseBodyBuffer = NULL;
@@ -93,6 +92,14 @@
     cleanAdaptation();
 #endif
 
+    if (!doneWithServer())
+        closeServer();
+
+    if (!doneWithFwd) {
+        doneWithFwd = "swanSong()";
+        fwd->handleUnregisteredServerEnd();
+    }
+
     BodyConsumer::swanSong();
 #if USE_ADAPTATION
     Initiator::swanSong();
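Review bot: `fwd->handleUnregisteredServerEnd()` is reached in swanSong() with no check that `fwd` is set, while completeForwarding() in the next hunk still guards the same pointer with `assert(fwd != NULL)`. If a job can be stopped before `fwd` is assigned, or after something clears it (the XXX added in Client.h proposes clearing `fwd` as the eventual design), this dereferences a null refcounted pointer during teardown. Consider `if (!doneWithFwd && fwd != NULL) {` or a matching assert before the call. swanSong() starts above this hunk, so any earlier guard is not visible.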
@@ -218,6 +225,7 @@
 {
     debugs(11,5, HERE << "completing forwarding for "  << fwd);
     assert(fwd != NULL);
+    doneWithFwd = "completeForwarding()";
     fwd->complete();
 }
 
diff -u -r -N squid-4.0.6/src/clients/Client.h squid-4.0.7/src/clients/Client.h
--- squid-4.0.6/src/clients/Client.h	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/clients/Client.h	2016-02-24 06:47:50.000000000 +1300
@@ -179,6 +179,10 @@
 #endif
     bool receivedWholeRequestBody; ///< handleRequestBodyProductionEnded called
 
+    /// whether we should not be talking to FwdState; XXX: clear fwd instead
+    /// points to a string literal which is used only for debugging
+    const char *doneWithFwd;
+
 private:
     void sendBodyIsTooLargeError();
     void maybePurgeOthers();
diff -u -r -N squid-4.0.6/src/clients/FtpClient.cc squid-4.0.7/src/clients/FtpClient.cc
--- squid-4.0.6/src/clients/FtpClient.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/clients/FtpClient.cc	2016-02-24 06:47:50.000000000 +1300
@@ -841,6 +841,7 @@
 {
     debugs(9, 4, status());
     ctrl.clear();
+    doneWithFwd = "ctrlClosed()"; // assume FwdState is monitoring too
     mustStop("Ftp::Client::ctrlClosed");
 }
 
@@ -993,24 +994,12 @@
     scheduleReadControlReply(1);
 }
 
-/**
- * Quickly abort the transaction
- *
- \todo destruction should be sufficient as the destructor should cleanup,
- * including canceling close handlers
- */
 void
 Ftp::Client::abortAll(const char *reason)
 {
     debugs(9, 3, "aborting transaction for " << reason <<
            "; FD " << (ctrl.conn!=NULL?ctrl.conn->fd:-1) << ", Data FD " << (data.conn!=NULL?data.conn->fd:-1) << ", this " << this);
-    if (Comm::IsConnOpen(ctrl.conn)) {
-        ctrl.conn->close();
-        return;
-    }
-
-    fwd->handleUnregisteredServerEnd();
-    mustStop("Ftp::Client::abortTransaction");
+    mustStop(reason);
 }
 
 /**
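Review bot: Ftp::Client::abortAll() loses its doc comment and is left undocumented, even though its behaviour changed: it no longer closes the control connection or notifies FwdState itself, it only calls `mustStop(reason)`. A replacement comment should say where that cleanup now happens, e.g. `/// Stops the job; swanSong() closes the server connection and notifies FwdState if that has not happened yet.`, assuming the swanSong() additions in src/clients/Client.cc are what take over. HttpStateData::abortAll() in src/http.cc is stripped of its comment in the same way and needs the same line.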
diff -u -r -N squid-4.0.6/src/esi/CustomParser.cc squid-4.0.7/src/esi/CustomParser.cc
--- squid-4.0.6/src/esi/CustomParser.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/esi/CustomParser.cc	2016-02-24 06:47:50.000000000 +1300
@@ -89,9 +89,11 @@
     }
 
     size_t openESITags (0);
-    //erring on the safe side. Probably rawBuf would be ok too
-    char const *currentPos = content.termedBuf();
-    size_t remainingCount = content.size();
+    // TODO: convert to Tokenizer parse
+    // erring on the safe side for now. Probably rawContent would be ok too
+    // note that operations below do *X='\0' ... altering the 'const' buffer content.
+    char const *currentPos = content.c_str();
+    SBuf::size_type remainingCount = content.length();
     char const *tag = NULL;
 
     while ((tag = findTag(currentPos, remainingCount))) {
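Review bot: The new comment says that code below writes `'\0'` through `currentPos`, which now points into the storage returned by `content.c_str()`. With `content` changed to an SBuf, that storage may be shared with other SBuf instances (an assumption about SBuf's buffer sharing that this hunk does not show), so an in-place write could alter bytes another holder still reads, and any later append to `content` could leave `currentPos` dangling. ESI markup comes from origin responses, so this parser runs on untrusted input and the aliasing deserves more than a TODO: either state in the comment that `content` must not be shared or modified while `currentPos` is live, or parse from a private copy until the Tokenizer conversion lands. The function continues past this hunk, so the writes themselves are not visible here.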
diff -u -r -N squid-4.0.6/src/esi/CustomParser.h squid-4.0.7/src/esi/CustomParser.h
--- squid-4.0.6/src/esi/CustomParser.h	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/esi/CustomParser.h	2016-02-24 06:47:50.000000000 +1300
@@ -14,7 +14,7 @@
 /* inherits from */
 #include "esi/Parser.h"
 
-/* for String variables */
+#include "SBuf.h"
 #include "SquidString.h"
 
 /**
@@ -46,7 +46,7 @@
     ESIParserClient *theClient;
     String error;
     /* cheap n dirty - buffer it all */
-    String content;
+    SBuf content;
     /* TODO: make a class of this type code */
     ESITAG_t lastTag;
 };
diff -u -r -N squid-4.0.6/src/external_acl.cc squid-4.0.7/src/external_acl.cc
--- squid-4.0.6/src/external_acl.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/external_acl.cc	2016-02-24 06:47:50.000000000 +1300
@@ -326,7 +326,7 @@
     if (!data_used) {
         *fmt = new Format::Token;
         (*fmt)->type = Format::LFT_EXT_ACL_DATA;
-        (*fmt)->quote = Format::LOG_QUOTE_URL;
+        (*fmt)->quote = Format::LOG_QUOTE_NONE;
     }
 
     /* helper */
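Review bot: With the auto-appended %DATA token set to `Format::LOG_QUOTE_NONE`, the token itself no longer encodes anything, so the per-argument URL-encoding described in cf.data.pre has to happen where the token is expanded, which is not part of this hunk. If it does not, ACL arguments containing spaces or line breaks would reach the helper unencoded and could shift or split the fields the helper parses. A comment here would pin the contract: `// QUOTE_NONE: arguments are URL-encoded one by one at expansion; only the separating spaces stay raw`. A regression test that passes an argument with an embedded space through the default format would confirm it. The enclosing function starts and ends outside the hunk.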
diff -u -r -N squid-4.0.6/src/http/one/ResponseParser.cc squid-4.0.7/src/http/one/ResponseParser.cc
--- squid-4.0.6/src/http/one/ResponseParser.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/http/one/ResponseParser.cc	2016-02-24 06:47:50.000000000 +1300
@@ -231,7 +231,7 @@
         // syntax errors already
         if (retcode < 0) {
             parsingStage_ = HTTP_PARSE_DONE;
-            statusCode_ = Http::scInvalidHeader;
+            parseStatusCode = Http::scInvalidHeader;
             return false;
         }
     }
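Review bot: `statusCode_` is no longer written on this failure path, so a caller that still reads the message status after a failed parse sees whatever value was there before the error. src/http.cc is switched to `hp->parseStatusCode` in this same patch, but any other reader of the old field is outside the view. A comment on the assignment, e.g. `// parse failures are reported via parseStatusCode; statusCode_ is meaningful only after a successful parse`, would make the split explicit. The enclosing function starts and ends outside the hunk.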
diff -u -r -N squid-4.0.6/src/http/url_rewriters/LFS/url_lfs_rewrite.8 squid-4.0.7/src/http/url_rewriters/LFS/url_lfs_rewrite.8
--- squid-4.0.6/src/http/url_rewriters/LFS/url_lfs_rewrite.8	2016-02-16 05:57:30.000000000 +1300
+++ squid-4.0.7/src/http/url_rewriters/LFS/url_lfs_rewrite.8	2016-02-24 07:40:16.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "URL_LFS_REWRITE 8"
-.TH URL_LFS_REWRITE 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation"
+.TH URL_LFS_REWRITE 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.6/src/http.cc squid-4.0.7/src/http.cc
--- squid-4.0.6/src/http.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/http.cc	2016-02-24 06:47:50.000000000 +1300
@@ -153,6 +153,7 @@
 HttpStateData::httpStateConnClosed(const CommCloseCbParams &params)
 {
     debugs(11, 5, "httpStateFree: FD " << params.fd << ", httpState=" << params.data);
+    doneWithFwd = "httpStateConnClosed()"; // assume FwdState is monitoring too
     mustStop("HttpStateData::httpStateConnClosed");
 }
 
@@ -726,13 +727,12 @@
 
         if (!parsedOk) {
             // unrecoverable parsing error
+            // TODO: Use Raw! XXX: inBuf no longer has the [beginning of the] malformed header.
             debugs(11, 3, "Non-HTTP-compliant header:\n---------\n" << inBuf << "\n----------");
             flags.headers_parsed = true;
             HttpReply *newrep = new HttpReply;
-            newrep->sline.set(Http::ProtocolVersion(), hp->messageStatus());
-            HttpReply *vrep = setVirginReply(newrep);
-            entry->replaceHttpReply(vrep);
-            // XXX: close the server connection ?
+            newrep->sline.set(Http::ProtocolVersion(), hp->parseStatusCode);
+            setVirginReply(newrep);
             ctx_exit(ctx);
             return;
         }
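Review bot: After `setVirginReply(newrep)` nothing in the visible lines stores the reply or closes the server connection, and the old `// XXX: close the server connection ?` question is deleted without an answer. If the caller is expected to turn the `scInvalidHeader` virgin reply into an error response and end the transaction, say so here, e.g. `// the caller checks the virgin reply status and aborts with an error; do not store this reply`. Without that, a later edit could easily reintroduce the store of a malformed upstream response. The enclosing function starts and ends outside the hunk.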
@@ -1826,7 +1826,8 @@
 
         String strFwd = hdr_in->getList(Http::HdrType::X_FORWARDED_FOR);
 
-        if (strFwd.size() > 65536/2) {
+        // if we cannot double strFwd size, then it grew past 50% of the limit
+        if (!strFwd.canGrowBy(strFwd.size())) {
             // There is probably a forwarding loop with Via detection disabled.
             // If we do nothing, String will assert on overflow soon.
             // TODO: Terminate all transactions with huge XFF?
@@ -2463,21 +2464,11 @@
     Client::sentRequestBody(io);
 }
 
-// Quickly abort the transaction
-// TODO: destruction should be sufficient as the destructor should cleanup,
-// including canceling close handlers
 void
 HttpStateData::abortAll(const char *reason)
 {
     debugs(11,5, HERE << "aborting transaction for " << reason <<
            "; " << serverConnection << ", this " << this);
-
-    if (Comm::IsConnOpen(serverConnection)) {
-        serverConnection->close();
-        return;
-    }
-
-    fwd->handleUnregisteredServerEnd();
-    mustStop("HttpStateData::abortAll");
+    mustStop(reason);
 }
 
diff -u -r -N squid-4.0.6/src/log/DB/log_db_daemon.8 squid-4.0.7/src/log/DB/log_db_daemon.8
--- squid-4.0.6/src/log/DB/log_db_daemon.8	2016-02-16 05:57:40.000000000 +1300
+++ squid-4.0.7/src/log/DB/log_db_daemon.8	2016-02-24 07:40:23.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "LOG_DB_DAEMON 8"
-.TH LOG_DB_DAEMON 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation"
+.TH LOG_DB_DAEMON 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.6/src/main.cc squid-4.0.7/src/main.cc
--- squid-4.0.6/src/main.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/main.cc	2016-02-24 06:47:50.000000000 +1300
@@ -1152,9 +1152,6 @@
 #endif
 
 #if USE_OPENSSL
-    if (!configured_once)
-        Ssl::initialize_session_cache();
-
     if (Ssl::CertValidationHelper::GetInstance())
         Ssl::CertValidationHelper::GetInstance()->Init();
 #endif
diff -u -r -N squid-4.0.6/src/security/cert_validators/fake/security_fake_certverify.8 squid-4.0.7/src/security/cert_validators/fake/security_fake_certverify.8
--- squid-4.0.6/src/security/cert_validators/fake/security_fake_certverify.8	2016-02-16 05:57:59.000000000 +1300
+++ squid-4.0.7/src/security/cert_validators/fake/security_fake_certverify.8	2016-02-24 07:40:35.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SECURITY_FAKE_CERTVERIFY 8"
-.TH SECURITY_FAKE_CERTVERIFY 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation"
+.TH SECURITY_FAKE_CERTVERIFY 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.6/src/security/Makefile.am squid-4.0.7/src/security/Makefile.am
--- squid-4.0.6/src/security/Makefile.am	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/security/Makefile.am	2016-02-24 06:47:50.000000000 +1300
@@ -25,4 +25,5 @@
 	PeerOptions.h \
 	ServerOptions.cc \
 	ServerOptions.h \
+	Session.cc \
 	Session.h
diff -u -r -N squid-4.0.6/src/security/Makefile.in squid-4.0.7/src/security/Makefile.in
--- squid-4.0.6/src/security/Makefile.in	2016-02-16 04:56:50.000000000 +1300
+++ squid-4.0.7/src/security/Makefile.in	2016-02-24 06:49:42.000000000 +1300
@@ -164,7 +164,7 @@
 LTLIBRARIES = $(noinst_LTLIBRARIES)
 libsecurity_la_LIBADD =
 am_libsecurity_la_OBJECTS = EncryptorAnswer.lo NegotiationHistory.lo \
-	PeerOptions.lo ServerOptions.lo
+	PeerOptions.lo ServerOptions.lo Session.lo
 libsecurity_la_OBJECTS = $(am_libsecurity_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -754,6 +754,7 @@
 	PeerOptions.h \
 	ServerOptions.cc \
 	ServerOptions.h \
+	Session.cc \
 	Session.h
 
 all: all-recursive
@@ -824,6 +825,7 @@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/NegotiationHistory.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/PeerOptions.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ServerOptions.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/Session.Plo@am__quote@
 
 .cc.o:
 @am__fastdepCXX_TRUE@	$(AM_V_CXX)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
diff -u -r -N squid-4.0.6/src/security/Session.cc squid-4.0.7/src/security/Session.cc
--- squid-4.0.6/src/security/Session.cc	1970-01-01 12:00:00.000000000 +1200
+++ squid-4.0.7/src/security/Session.cc	2016-02-24 06:47:50.000000000 +1300
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
+#include "squid.h"
+#include "anyp/PortCfg.h"
+#include "base/RunnersRegistry.h"
+#include "ipc/MemMap.h"
+#include "security/Session.h"
+#include "SquidConfig.h"
+
+#define SSL_SESSION_ID_SIZE 32
+#define SSL_SESSION_MAX_SIZE 10*1024
+
+static bool
+isTlsServer()
+{
+    for (AnyP::PortCfgPointer s = HttpPortList; s != nullptr; s = s->next) {
+        if (s->secure.encryptTransport)
+            return true;
+        if (s->flags.tunnelSslBumping)
+            return true;
+    }
+
+    return false;
+}
+
+void
+initializeSessionCache()
+{
+#if USE_OPENSSL
+    // Check if the MemMap keys and data are enough big to hold
+    // session ids and session data
+    assert(SSL_SESSION_ID_SIZE >= MEMMAP_SLOT_KEY_SIZE);
+    assert(SSL_SESSION_MAX_SIZE >= MEMMAP_SLOT_DATA_SIZE);
+
+    int configuredItems = ::Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot);
+    if (IamWorkerProcess() && configuredItems)
+        Ssl::SessionCache = new Ipc::MemMap(Ssl::SessionCacheName);
+    else {
+        Ssl::SessionCache = nullptr;
+        return;
+    }
+
+    for (AnyP::PortCfgPointer s = HttpPortList; s != nullptr; s = s->next) {
+        if (s->secure.staticContext.get())
+            Ssl::SetSessionCallbacks(s->secure.staticContext.get());
+    }
+#endif
+}
+
+/// initializes shared memory segments used by MemStore
+class SharedSessionCacheRr: public Ipc::Mem::RegisteredRunner
+{
+public:
+    /* RegisteredRunner API */
+    SharedSessionCacheRr(): owner(nullptr) {}
+    virtual void useConfig();
+    virtual ~SharedSessionCacheRr();
+
+protected:
+    virtual void create();
+
+private:
+    Ipc::MemMap::Owner *owner;
+};
+
+RunnerRegistrationEntry(SharedSessionCacheRr);
+
+void
+SharedSessionCacheRr::useConfig()
+{
+#if USE_OPENSSL // while Ssl:: bits in use
+    if (Ssl::SessionCache || !isTlsServer()) //no need to configure ssl session cache.
+        return;
+
+    Ipc::Mem::RegisteredRunner::useConfig();
+    initializeSessionCache();
+#endif
+}
+
+void
+SharedSessionCacheRr::create()
+{
+    if (!isTlsServer()) //no need to configure ssl session cache.
+        return;
+
+#if USE_OPENSSL // while Ssl:: bits in use
+    if (int items = Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot))
+        owner = Ipc::MemMap::Init(Ssl::SessionCacheName, items);
+#endif
+}
+
+SharedSessionCacheRr::~SharedSessionCacheRr()
+{
+    // XXX: Enable after testing to reduce at-exit memory "leaks".
+    // delete Ssl::SessionCache;
+
+    delete owner;
+}
+
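Review bot: The two assertions in initializeSessionCache() read the opposite way round from the comment above them: `assert(SSL_SESSION_ID_SIZE >= MEMMAP_SLOT_KEY_SIZE)` also passes when the slot key is smaller than a session id, yet store_session_cb() in src/ssl/support.cc does `memcpy(key, id, idlen)` into a key buffer whose declaration is outside the visible lines. The MEMMAP_SLOT_* values are not shown, so this may hold today only because the sizes are equal. If the comment states the intent, `static_assert(MEMMAP_SLOT_KEY_SIZE >= SSL_SESSION_ID_SIZE, "session id must fit a MemMap key");` (and the same for the data size) checks it at compile time rather than at startup. Separately, `#define SSL_SESSION_MAX_SIZE 10*1024` should be parenthesised as `(10*1024)`, and the class comment "initializes shared memory segments used by MemStore" looks copied from elsewhere and should name the TLS session cache.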
diff -u -r -N squid-4.0.6/src/SquidString.h squid-4.0.7/src/SquidString.h
--- squid-4.0.6/src/SquidString.h	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/SquidString.h	2016-02-24 06:47:50.000000000 +1300
@@ -80,6 +80,13 @@
     _SQUID_INLINE_ int caseCmp(char const *, size_type count) const;
     _SQUID_INLINE_ int caseCmp(String const &) const;
 
+    /// Whether creating a totalLen-character string is safe (i.e., unlikely to assert).
+    /// Optional extras can be used for overflow-safe length addition.
+    /// Implementation has to add 1 because many String allocation methods do.
+    static bool CanGrowTo(size_type totalLen, const size_type extras = 0) { return SafeAdd(totalLen, extras) && SafeAdd(totalLen, 1); }
+    /// whether appending growthLen characters is safe (i.e., unlikely to assert)
+    bool canGrowBy(const size_type growthLen) const { return CanGrowTo(size(), growthLen); }
+
     String substr(size_type from, size_type to) const;
 
     _SQUID_INLINE_ void cut(size_type newLength);
@@ -95,10 +102,14 @@
     _SQUID_INLINE_ bool nilCmp(bool, bool, int &) const;
 
     /* never reference these directly! */
-    size_type size_; /* buffer size; 64K limit */
+    size_type size_; /* buffer size; limited by SizeMax_ */
 
     size_type len_;  /* current length  */
 
+    static const size_type SizeMax_ = 65535; ///< 64K limit protects some fixed-size buffers
+    /// returns true after increasing the first argument by extra if the sum does not exceed SizeMax_
+    static bool SafeAdd(size_type &base, size_type extra) { if (extra <= SizeMax_ && base <= SizeMax_ - extra) { base += extra; return true; } return false; }
+
     char *buf_;
 
     _SQUID_INLINE_ void set(char const *loc, char const ch);
diff -u -r -N squid-4.0.6/src/ssl/helper.cc squid-4.0.7/src/ssl/helper.cc
--- squid-4.0.6/src/ssl/helper.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/ssl/helper.cc	2016-02-24 06:47:50.000000000 +1300
@@ -231,7 +231,8 @@
     if (Ssl::CertValidationHelper::HelperCache &&
             (validationResponse->resultCode == ::Helper::Okay || validationResponse->resultCode == ::Helper::Error)) {
         Ssl::CertValidationResponse::Pointer *item = new Ssl::CertValidationResponse::Pointer(validationResponse);
-        Ssl::CertValidationHelper::HelperCache->add(crtdvdData->query.c_str(), item);
+        if (!Ssl::CertValidationHelper::HelperCache->add(crtdvdData->query.c_str(), item))
+            delete item;
     }
 
     SSL_free(crtdvdData->ssl);
diff -u -r -N squid-4.0.6/src/ssl/support.cc squid-4.0.7/src/ssl/support.cc
--- squid-4.0.6/src/ssl/support.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/ssl/support.cc	2016-02-24 06:47:50.000000000 +1300
@@ -33,9 +33,8 @@
 
 #include <cerrno>
 
-static void setSessionCallbacks(Security::ContextPtr ctx);
-Ipc::MemMap *SslSessionCache = NULL;
-const char *SslSessionCacheName = "ssl_session_cache";
+Ipc::MemMap *Ssl::SessionCache = NULL;
+const char *Ssl::SessionCacheName = "ssl_session_cache";
 
 static Ssl::CertsIndexedList SquidUntrustedCerts;
 
@@ -552,7 +551,7 @@
     if (port.secure.parsedFlags & SSL_FLAG_DONT_VERIFY_DOMAIN)
         SSL_CTX_set_ex_data(sslContext, ssl_ctx_ex_index_dont_verify_domain, (void *) -1);
 
-    setSessionCallbacks(sslContext);
+    Ssl::SetSessionCallbacks(sslContext);
 
     return true;
 }
@@ -1368,7 +1367,7 @@
 static int
 store_session_cb(SSL *ssl, SSL_SESSION *session)
 {
-    if (!SslSessionCache)
+    if (!Ssl::SessionCache)
         return 0;
 
     debugs(83, 5, "Request to store SSL Session ");
@@ -1384,7 +1383,7 @@
     memset(key, 0, sizeof(key));
     memcpy(key, id, idlen);
     int pos;
-    Ipc::MemMap::Slot *slotW = SslSessionCache->openForWriting((const cache_key*)key, pos);
+    Ipc::MemMap::Slot *slotW = Ssl::SessionCache->openForWriting((const cache_key*)key, pos);
     if (slotW) {
         int lenRequired =  i2d_SSL_SESSION(session, NULL);
         if (lenRequired <  MEMMAP_SLOT_DATA_SIZE) {
@@ -1392,7 +1391,7 @@
             lenRequired = i2d_SSL_SESSION(session, &p);
             slotW->set(key, NULL, lenRequired, squid_curtime + Config.SSL.session_ttl);
         }
-        SslSessionCache->closeForWriting(pos);
+        Ssl::SessionCache->closeForWriting(pos);
         debugs(83, 5, "wrote an ssl session entry of size " << lenRequired << " at pos " << pos);
     }
     return 0;
@@ -1401,27 +1400,27 @@
 static void
 remove_session_cb(SSL_CTX *, SSL_SESSION *sessionID)
 {
-    if (!SslSessionCache)
+    if (!Ssl::SessionCache)
         return ;
 
     debugs(83, 5, "Request to remove corrupted or not valid SSL Session ");
     int pos;
-    Ipc::MemMap::Slot const *slot = SslSessionCache->openForReading((const cache_key*)sessionID, pos);
+    Ipc::MemMap::Slot const *slot = Ssl::SessionCache->openForReading((const cache_key*)sessionID, pos);
     if (slot == NULL)
         return;
-    SslSessionCache->closeForReading(pos);
+    Ssl::SessionCache->closeForReading(pos);
     // TODO:
     // What if we are not able to remove the session?
     // Maybe schedule a job to remove it later?
     // For now we just have an invalid entry in cache until will be expired
     // The openSSL will reject it when we try to use it
-    SslSessionCache->free(pos);
+    Ssl::SessionCache->free(pos);
 }
 
 static SSL_SESSION *
 get_session_cb(SSL *, unsigned char *sessionID, int len, int *copy)
 {
-    if (!SslSessionCache)
+    if (!Ssl::SessionCache)
         return NULL;
 
     SSL_SESSION *session = NULL;
@@ -1431,7 +1430,7 @@
            len << p[0] << ":" << p[1]);
 
     int pos;
-    Ipc::MemMap::Slot const *slot = SslSessionCache->openForReading((const cache_key*)sessionID, pos);
+    Ipc::MemMap::Slot const *slot = Ssl::SessionCache->openForReading((const cache_key*)sessionID, pos);
     if (slot != NULL) {
         if (slot->expire > squid_curtime) {
             const unsigned char *ptr = slot->p;
@@ -1439,7 +1438,7 @@
             debugs(83, 5, "Session retrieved from cache at pos " << pos);
         } else
             debugs(83, 5, "Session in cache expired");
-        SslSessionCache->closeForReading(pos);
+        Ssl::SessionCache->closeForReading(pos);
     }
 
     if (!session)
@@ -1453,10 +1452,10 @@
     return session;
 }
 
-static void
-setSessionCallbacks(Security::ContextPtr ctx)
+void
+Ssl::SetSessionCallbacks(Security::ContextPtr ctx)
 {
-    if (SslSessionCache) {
+    if (Ssl::SessionCache) {
         SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL);
         SSL_CTX_sess_set_new_cb(ctx, store_session_cb);
         SSL_CTX_sess_set_remove_cb(ctx, remove_session_cb);
@@ -1464,94 +1463,5 @@
     }
 }
 
-static bool
-isSslServer()
-{
-    for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) {
-        if (s->secure.encryptTransport)
-            return true;
-        if (s->flags.tunnelSslBumping)
-            return true;
-    }
-
-    return false;
-}
-
-#define SSL_SESSION_ID_SIZE 32
-#define SSL_SESSION_MAX_SIZE 10*1024
-
-void
-Ssl::initialize_session_cache()
-{
-
-    if (!isSslServer()) //no need to configure ssl session cache.
-        return;
-
-    // Check if the MemMap keys and data are enough big to hold
-    // session ids and session data
-    assert(SSL_SESSION_ID_SIZE >= MEMMAP_SLOT_KEY_SIZE);
-    assert(SSL_SESSION_MAX_SIZE >= MEMMAP_SLOT_DATA_SIZE);
-
-    int configuredItems = ::Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot);
-    if (IamWorkerProcess() && configuredItems)
-        SslSessionCache = new Ipc::MemMap(SslSessionCacheName);
-    else {
-        SslSessionCache = NULL;
-        return;
-    }
-
-    for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) {
-        if (s->secure.staticContext.get())
-            setSessionCallbacks(s->secure.staticContext.get());
-    }
-}
-
-void
-destruct_session_cache()
-{
-    delete SslSessionCache;
-}
-
-/// initializes shared memory segments used by MemStore
-class SharedSessionCacheRr: public Ipc::Mem::RegisteredRunner
-{
-public:
-    /* RegisteredRunner API */
-    SharedSessionCacheRr(): owner(NULL) {}
-    virtual void useConfig();
-    virtual ~SharedSessionCacheRr();
-
-protected:
-    virtual void create();
-
-private:
-    Ipc::MemMap::Owner *owner;
-};
-
-RunnerRegistrationEntry(SharedSessionCacheRr);
-
-void
-SharedSessionCacheRr::useConfig()
-{
-    Ipc::Mem::RegisteredRunner::useConfig();
-}
-
-void
-SharedSessionCacheRr::create()
-{
-    if (!isSslServer()) //no need to configure ssl session cache.
-        return;
-
-    int items;
-    items = Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot);
-    if (items)
-        owner =  Ipc::MemMap::Init(SslSessionCacheName, items);
-}
-
-SharedSessionCacheRr::~SharedSessionCacheRr()
-{
-    delete owner;
-}
-
 #endif /* USE_OPENSSL */
 
diff -u -r -N squid-4.0.6/src/ssl/support.h squid-4.0.7/src/ssl/support.h
--- squid-4.0.6/src/ssl/support.h	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/ssl/support.h	2016-02-24 06:47:50.000000000 +1300
@@ -56,6 +56,11 @@
 class PortCfg;
 };
 
+namespace Ipc
+{
+class MemMap;
+}
+
 namespace Ssl
 {
 /// initialize the SSL library global state.
@@ -102,6 +107,10 @@
 /// Holds a list of certificate SSL errors
 typedef CbDataList<Ssl::CertError> CertErrors;
 
+void SetSessionCallbacks(Security::ContextPtr);
+extern Ipc::MemMap *SessionCache;
+extern const char *SessionCacheName;
+
 } //namespace Ssl
 
 /// \ingroup ServerProtocolSSLAPI
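Review bot: The three declarations added to namespace Ssl have no `///` description, unlike the `CertErrors` typedef directly above them. For `SetSessionCallbacks` I would add `/// installs the session cache store/remove/get callbacks on the context; does nothing while SessionCache is nil`, which matches the `if (Ssl::SessionCache)` guard in support.cc. For `SessionCache`, `/// the shared session cache, or nil when none is in use` would do. `SessionCache` is also now a writable global visible to every file that includes support.h, so the comment should name the code that is allowed to assign it; that code is outside this part of the diff.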
@@ -304,17 +313,6 @@
 */
 bool setClientSNI(SSL *ssl, const char *fqdn);
 
-/**
-   \ingroup ServerProtocolSSLAPI
-   * Initializes the shared session cache if configured
-*/
-void initialize_session_cache();
-
-/**
-   \ingroup ServerProtocolSSLAPI
-   * Destroy the shared session cache if configured
-*/
-void destruct_session_cache();
 } //namespace Ssl
 
 #if _SQUID_WINDOWS_
diff -u -r -N squid-4.0.6/src/store/id_rewriters/file/storeid_file_rewrite.8 squid-4.0.7/src/store/id_rewriters/file/storeid_file_rewrite.8
--- squid-4.0.6/src/store/id_rewriters/file/storeid_file_rewrite.8	2016-02-16 05:56:31.000000000 +1300
+++ squid-4.0.7/src/store/id_rewriters/file/storeid_file_rewrite.8	2016-02-24 07:39:33.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "STOREID_FILE_REWRITE 8"
-.TH STOREID_FILE_REWRITE 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation"
+.TH STOREID_FILE_REWRITE 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.6/src/store.cc squid-4.0.7/src/store.cc
--- squid-4.0.6/src/store.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/store.cc	2016-02-24 06:47:50.000000000 +1300
@@ -119,6 +119,26 @@
     Root().stat(*output);
 }
 
+// XXX: new/delete operators need to be replaced with MEMPROXY_CLASS
+// definitions but doing so exposes bug 4370, and maybe 4354 and 4355
+void *
+StoreEntry::operator new (size_t bytecount)
+{
+    assert(bytecount == sizeof (StoreEntry));
+
+    if (!pool) {
+        pool = memPoolCreate ("StoreEntry", bytecount);
+    }
+
+    return pool->alloc();
+}
+
+void
+StoreEntry::operator delete (void *address)
+{
+    pool->freeOne(address);
+}
+
 void
 StoreEntry::makePublic()
 {
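Review bot: `StoreEntry::operator delete` dereferences `pool` unconditionally, but `pool` is only created lazily inside `operator new`. If the deallocation function ever runs before the first allocation, `pool->freeOne(address)` is a null dereference. One such path is a delete of a null pointer under a language standard that leaves calling the deallocator unspecified. A guard such as `if (address) pool->freeOne(address);` closes it. The declaration and initial value of `pool` are outside the hunk, so this assumes it starts out null, as the `if (!pool)` test in `operator new` suggests.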
diff -u -r -N squid-4.0.6/src/Store.h squid-4.0.7/src/Store.h
--- squid-4.0.6/src/Store.h	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/Store.h	2016-02-24 06:47:50.000000000 +1300
@@ -40,7 +40,6 @@
 
 class StoreEntry : public hash_link, public Packable
 {
-    MEMPROXY_CLASS(StoreEntry);
 
 public:
     static DeferredRead::DeferrableRead DeferReader;
@@ -174,6 +173,8 @@
         return false;
     };
 
+    void *operator new(size_t byteCount);
+    void operator delete(void *address);
     void setReleaseFlag();
 #if USE_SQUID_ESI
 
diff -u -r -N squid-4.0.6/src/String.cc squid-4.0.7/src/String.cc
--- squid-4.0.6/src/String.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/String.cc	2016-02-24 06:47:50.000000000 +1300
@@ -41,7 +41,7 @@
 String::setBuffer(char *aBuf, String::size_type aSize)
 {
     assert(undefined());
-    assert(aSize < 65536);
+    assert(aSize <= SizeMax_);
     buf_ = aBuf;
     size_ = aSize;
 }
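Review bot: The size limit in `setBuffer` is still enforced with `assert()`, and so is `assert(canGrowBy(len))` in the next hunk (-170,7). An oversized length that reaches either line therefore stops the whole process instead of failing the one transaction that produced it. I would document that contract at both sites, e.g. `// the caller must have validated the size (see canGrowBy()); a failure here aborts the process`. The bound also moves from exclusive (`< 65536`) to inclusive (`<= SizeMax_`). `SizeMax_` and `canGrowBy()` are defined outside the lines in view, so it is worth confirming that the two checks agree on the largest permitted length.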
@@ -170,7 +170,7 @@
     } else {
         // Create a temporary string and absorb it later.
         String snew;
-        assert(len_ + len < 65536); // otherwise snew.len_ overflows below
+        assert(canGrowBy(len)); // otherwise snew.len_ may overflow below
         snew.len_ = len_ + len;
         snew.allocBuffer(snew.len_ + 1);
 
diff -u -r -N squid-4.0.6/src/StrList.cc squid-4.0.7/src/StrList.cc
--- squid-4.0.6/src/StrList.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/StrList.cc	2016-02-24 06:47:50.000000000 +1300
@@ -9,6 +9,7 @@
 /* DEBUG: section 66    HTTP Header Tools */
 
 #include "squid.h"
+#include "base/TextException.h"
 #include "SquidString.h"
 #include "StrList.h"
 
@@ -17,14 +18,17 @@
 strListAdd(String * str, const char *item, char del)
 {
     assert(str && item);
+    const auto itemSize = strlen(item);
     if (str->size()) {
         char buf[3];
         buf[0] = del;
         buf[1] = ' ';
         buf[2] = '\0';
+        Must(str->canGrowBy(2));
         str->append(buf, 2);
     }
-    str->append(item, strlen(item));
+    Must(str->canGrowBy(itemSize));
+    str->append(item, itemSize);
 }
 
 /** returns true iff "m" is a member of the list */
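Review bot: When the list is non-empty and the item does not fit, the second check `Must(str->canGrowBy(itemSize))` fails only after the delimiter has been appended. The caller's string is then left ending in a dangling `del` and space. Checking the total once, before the first append, keeps the operation all-or-nothing: `Must(str->canGrowBy(itemSize + (str->size() ? 2 : 0)));` placed right after `itemSize` is computed. What `Must` does on failure is defined outside the hunk; this assumes it throws, as the added `base/TextException.h` include suggests.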
diff -u -r -N squid-4.0.6/src/tests/stub_libsslsquid.cc squid-4.0.7/src/tests/stub_libsslsquid.cc
--- squid-4.0.6/src/tests/stub_libsslsquid.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/tests/stub_libsslsquid.cc	2016-02-24 06:47:50.000000000 +1300
@@ -82,8 +82,6 @@
 bool checkX509ServerValidity(X509 *cert, const char *server) STUB_RETVAL(false)
 int asn1timeToString(ASN1_TIME *tm, char *buf, int len) STUB_RETVAL(0)
 bool setClientSNI(SSL *ssl, const char *fqdn) STUB_RETVAL(false)
-void initialize_session_cache() STUB
-void destruct_session_cache() STUB
 } //namespace Ssl
 
 #endif
diff -u -r -N squid-4.0.6/src/tests/stub_store.cc squid-4.0.7/src/tests/stub_store.cc
--- squid-4.0.6/src/tests/stub_store.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/tests/stub_store.cc	2016-02-24 06:47:50.000000000 +1300
@@ -76,6 +76,12 @@
 void StoreEntry::getPublicByRequestMethod(StoreClient * aClient, HttpRequest * request, const HttpRequestMethod& method) STUB
 void StoreEntry::getPublicByRequest(StoreClient * aClient, HttpRequest * request) STUB
 void StoreEntry::getPublic(StoreClient * aClient, const char *uri, const HttpRequestMethod& method) STUB
+void *StoreEntry::operator new(size_t byteCount)
+{
+    STUB
+    return new StoreEntry();
+}
+void StoreEntry::operator delete(void *address) STUB
 void StoreEntry::setReleaseFlag() STUB
 //#if USE_SQUID_ESI
 //ESIElement::Pointer StoreEntry::cachedESITree STUB_RETVAL(NULL)
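Review bot: The stub body `return new StoreEntry();` sits inside `StoreEntry::operator new` itself, so the expression re-enters the same operator. It is only harmless while `STUB` never returns, and the definition of `STUB` is not in view. The stub also hands back a constructed object where raw storage is expected and ignores `byteCount`. `return ::operator new(byteCount);` avoids the self-call and uses the parameter.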
diff -u -r -N squid-4.0.6/src/tests/stub_tools.cc squid-4.0.7/src/tests/stub_tools.cc
--- squid-4.0.6/src/tests/stub_tools.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/tests/stub_tools.cc	2016-02-24 06:47:50.000000000 +1300
@@ -15,7 +15,7 @@
 
 int DebugSignal = -1;
 SBuf service_name(APP_SHORTNAME);
-void releaseServerSockets(void) STUB
+void releaseServerSockets(void) STUB_NOP
 char * dead_msg(void) STUB_RETVAL(NULL)
 void mail_warranty(void) STUB
 void dumpMallocStats(void) STUB
@@ -31,7 +31,7 @@
 void sig_child(int sig) STUB
 const char * getMyHostname(void) STUB_RETVAL(NULL)
 const char * uniqueHostname(void) STUB_RETVAL(NULL)
-void leave_suid(void) STUB
+void leave_suid(void) STUB_NOP
 void enter_suid(void) STUB
 void no_suid(void) STUB
 
diff -u -r -N squid-4.0.6/src/tests/testRock.cc squid-4.0.7/src/tests/testRock.cc
--- squid-4.0.6/src/tests/testRock.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/tests/testRock.cc	2016-02-24 06:47:50.000000000 +1300
@@ -33,7 +33,7 @@
 #include <unistd.h>
 #endif
 
-#define TESTDIR "testRock_Store"
+#define TESTDIR "tr"
 
 CPPUNIT_TEST_SUITE_REGISTRATION( testRock );
 
diff -u -r -N squid-4.0.6/src/tools.cc squid-4.0.7/src/tools.cc
--- squid-4.0.6/src/tools.cc	2016-02-16 04:54:46.000000000 +1300
+++ squid-4.0.7/src/tools.cc	2016-02-24 06:47:50.000000000 +1300
@@ -534,19 +534,22 @@
     }
 
 #if HAVE_SETRESUID
-
-    if (setresuid(Config2.effectiveUserID, Config2.effectiveUserID, 0) < 0)
-        debugs(50, DBG_CRITICAL, "ALERT: setresuid: " << xstrerror());
+    if (setresuid(Config2.effectiveUserID, Config2.effectiveUserID, 0) < 0) {
+        const auto xerrno = errno;
+        fatalf("FATAL: setresuid: %s", xstrerr(xerrno));
+    }
 
 #elif HAVE_SETEUID
-
-    if (seteuid(Config2.effectiveUserID) < 0)
-        debugs(50, DBG_CRITICAL, "ALERT: seteuid: " << xstrerror());
+    if (seteuid(Config2.effectiveUserID) < 0) {
+        const auto xerrno = errno;
+        fatalf("FATAL: seteuid: %s", xstrerr(xerrno));
+    }
 
 #else
-
-    if (setuid(Config2.effectiveUserID) < 0)
-        debugs(50, DBG_CRITICAL, "ALERT: setuid: " << xstrerror());
+    if (setuid(Config2.effectiveUserID) < 0) {
+        const auto xerrno = errno;
+        fatalf("FATAL: setuid: %s", xstrerr(xerrno));
+    }
 
 #endif
 
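Review bot: After a successful `setresuid()`, `seteuid()` or `setuid()`, nothing in the hunk confirms that the process is actually running as `Config2.effectiveUserID`. A follow-up check after `#endif`, such as `if (geteuid() != Config2.effectiveUserID) fatalf("FATAL: privilege drop did not take effect");`, is the usual second line of defence for a privilege drop. The rest of leave_suid() lies outside the hunk, so an equivalent check may already exist there. A short comment on why the failure is now fatal would also help the next reader, e.g. `// never keep running with root privileges after a failed drop`.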
@@ -566,8 +569,10 @@
 {
     debugs(21, 3, "enter_suid: PID " << getpid() << " taking root privileges");
 #if HAVE_SETRESUID
-    if (setresuid((uid_t)-1, 0, (uid_t)-1) < 0)
-        debugs (21, 3, "enter_suid: setresuid failed: " << xstrerror ());
+    if (setresuid((uid_t)-1, 0, (uid_t)-1) < 0) {
+        const auto xerrno = errno;
+        debugs (21, 3, "enter_suid: setresuid failed: " << xstrerr(xerrno));
+    }
 #else
 
     setuid(0);
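Review bot: The `#else` branch still calls `setuid(0);` and discards the result, while the `setresuid()` branch just above now captures `errno` and reports it. The fallback should do the same: `if (setuid(0) < 0) { const auto xerrno = errno; debugs(21, 3, "enter_suid: setuid failed: " << xstrerr(xerrno)); }`. Both branches log only at level 3, so a failure to regain root is easy to miss in a default log. A later operation that needs root would then fail without an obvious cause. enter_suid() continues past the end of the hunk.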
diff -u -r -N squid-4.0.6/test-suite/stub_tools.cc squid-4.0.7/test-suite/stub_tools.cc
--- squid-4.0.6/test-suite/stub_tools.cc	2016-02-16 05:58:16.000000000 +1300
+++ squid-4.0.7/test-suite/stub_tools.cc	2016-02-24 07:40:45.000000000 +1300
@@ -15,7 +15,7 @@
 
 int DebugSignal = -1;
 SBuf service_name(APP_SHORTNAME);
-void releaseServerSockets(void) STUB
+void releaseServerSockets(void) STUB_NOP
 char * dead_msg(void) STUB_RETVAL(NULL)
 void mail_warranty(void) STUB
 void dumpMallocStats(void) STUB
@@ -31,7 +31,7 @@
 void sig_child(int sig) STUB
 const char * getMyHostname(void) STUB_RETVAL(NULL)
 const char * uniqueHostname(void) STUB_RETVAL(NULL)
-void leave_suid(void) STUB
+void leave_suid(void) STUB_NOP
 void enter_suid(void) STUB
 void no_suid(void) STUB
 
diff -u -r -N squid-4.0.6/tools/helper-mux/helper-mux.8 squid-4.0.7/tools/helper-mux/helper-mux.8
--- squid-4.0.6/tools/helper-mux/helper-mux.8	2016-02-16 05:58:22.000000000 +1300
+++ squid-4.0.7/tools/helper-mux/helper-mux.8	2016-02-24 07:40:49.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "HELPER-MUX 8"
-.TH HELPER-MUX 8 "2016-02-15" "perl v5.22.1" "User Contributed Perl Documentation"
+.TH HELPER-MUX 8 "2016-02-23" "perl v5.22.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
