diff -u -r -N squid-4.6/acinclude/os-deps.m4 squid-4.7/acinclude/os-deps.m4 --- squid-4.6/acinclude/os-deps.m4 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/acinclude/os-deps.m4 2019-05-07 01:53:49.000000000 +1200 @@ -164,16 +164,11 @@ dnl sets shell var squid_filedescriptors_num AC_DEFUN([SQUID_CHECK_MAXFD],[ -AC_CHECK_FUNCS(setrlimit) +AC_CHECK_FUNCS(getrlimit setrlimit) AC_MSG_CHECKING(Maximum number of filedescriptors we can open) -dnl damn! FreeBSD pthreads break dup2(). SQUID_STATE_SAVE(maxfd) - case $host in - i386-unknown-freebsd*) - if echo "$LDFLAGS" | grep -q pthread; then - LDFLAGS=`echo $LDFLAGS | sed -e "s/-pthread//"` - fi - esac +dnl FreeBSD pthreads break dup2(). + AS_CASE([$host_os],[freebsd],[ LDFLAGS=`echo $LDFLAGS | sed -e "s/-pthread//"` ]) AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include #include @@ -191,7 +186,7 @@ */ i = NOFILE; #else -#if HAVE_SETRLIMIT +#if HAVE_GETRLIMIT && HAVE_SETRLIMIT struct rlimit rl; #if defined(RLIMIT_NOFILE) if (getrlimit(RLIMIT_NOFILE, &rl) < 0) { @@ -236,19 +231,33 @@ fprintf (fp, "%d\n", i & ~0x3F); return 0; } - ]])],[squid_filedescriptors_num=`cat conftestval`],[squid_filedescriptors_num=256],[squid_filedescriptors_num=256]) + ]])],[squid_filedescriptors_limit=`cat conftestval`],[],[]) dnl Microsoft MSVCRT.DLL supports 2048 maximum FDs - case "$host_os" in - mingw|mingw32) - squid_filedescriptors_num="2048" - ;; - esac - AC_MSG_RESULT($squid_filedescriptors_num) + AS_CASE(["$host_os"],[mingw|mingw32],[squid_filedescriptors_limit="2048"]) + AC_MSG_RESULT($squid_filedescriptors_limit) + AS_IF([ test "x$squid_filedescriptors_num" = "x" ],[ + AS_IF([ test "x$squid_filedescriptors_limit" != "x" ],[ + squid_filedescriptors_num=$squid_filedescriptors_limit + ],[ + AC_MSG_NOTICE([Unable to detect filedescriptor limits. Assuming 256 is okay.]) + squid_filedescriptors_num=256 + ]) + ]) SQUID_STATE_ROLLBACK(maxfd) -if test `expr $squid_filedescriptors_num % 64` != 0; then - AC_MSG_WARN([$squid_filedescriptors_num is not an multiple of 64. This may cause issues on certain platforms.]) -fi +AC_MSG_NOTICE([Default number of filedescriptors: $squid_filedescriptors_num]) + +AS_IF([ test `expr $squid_filedescriptors_num % 64` != 0 ],[ + AC_MSG_WARN([$squid_filedescriptors_num is not an multiple of 64. This may cause issues on certain platforms.]) +]) + +AS_IF([ test "$squid_filedescriptors_num" -lt 512 ],[ + AC_MSG_WARN([$squid_filedescriptors_num may not be enough filedescriptors if your]) + AC_MSG_WARN([cache will be very busy. Please see the FAQ page]) + AC_MSG_WARN([http://wiki.squid-cache.org/SquidFaq/TroubleShooting]) + AC_MSG_WARN([on how to increase your filedescriptor limit]) +]) +AC_DEFINE_UNQUOTED(SQUID_MAXFD,$squid_filedescriptors_num,[Maximum number of open filedescriptors]) ]) diff -u -r -N squid-4.6/aclocal.m4 squid-4.7/aclocal.m4 --- squid-4.6/aclocal.m4 2019-02-19 16:04:34.000000000 +1300 +++ squid-4.7/aclocal.m4 2019-05-07 01:56:50.000000000 +1200 @@ -4718,6 +4718,12 @@ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' ;; + # flang / f18. f95 an alias for gfortran or flang on Debian + flang* | f18* | f95*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*) diff -u -r -N squid-4.6/cfgaux/ltmain.sh squid-4.7/cfgaux/ltmain.sh --- squid-4.6/cfgaux/ltmain.sh 2019-02-19 16:04:35.000000000 +1300 +++ squid-4.7/cfgaux/ltmain.sh 2019-05-07 01:56:51.000000000 +1200 @@ -31,7 +31,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION="2.4.6 Debian-2.4.6-9" +VERSION="2.4.6 Debian-2.4.6-10" package_revision=2.4.6 @@ -2141,7 +2141,7 @@ compiler: $LTCC compiler flags: $LTCFLAGS linker: $LD (gnu? $with_gnu_ld) - version: $progname $scriptversion Debian-2.4.6-9 + version: $progname $scriptversion Debian-2.4.6-10 automake: `($AUTOMAKE --version) 2>/dev/null |$SED 1q` autoconf: `($AUTOCONF --version) 2>/dev/null |$SED 1q` diff -u -r -N squid-4.6/ChangeLog squid-4.7/ChangeLog --- squid-4.6/ChangeLog 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/ChangeLog 2019-05-07 01:53:49.000000000 +1200 @@ -1,3 +1,14 @@ +Changes to squid-4.7 (06 May 2019): + + - Bug 4942: --with-filedescriptors does not do anything + - Bug 4928: Cannot convert non-IPv4 to IPv4 + - Bug 4823: assertion failed: "lowestOffset () <= target_offset" + - Bug 4796: comm.cc !isOpen(conn->fd) assertion when rotating logs + - Fix squidclient authentication to origin servers + - Fix stack-based buffer-overflow when parsing SNMP messages + - Add support for buffer-size= to UDP logging + - TLS: When using OpenSSL, trust intermediate CAs from trusted store + Changes to squid-4.6 (19 Feb 2019): - Bug 4915: Detect IPv6 loopback binding errors diff -u -r -N squid-4.6/configure squid-4.7/configure --- squid-4.6/configure 2019-02-19 16:04:42.000000000 +1300 +++ squid-4.7/configure 2019-05-07 01:56:57.000000000 +1200 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for Squid Web Proxy 4.6. +# Generated by GNU Autoconf 2.69 for Squid Web Proxy 4.7. # # Report bugs to . # @@ -595,8 +595,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='4.6' -PACKAGE_STRING='Squid Web Proxy 4.6' +PACKAGE_VERSION='4.7' +PACKAGE_STRING='Squid Web Proxy 4.7' PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' PACKAGE_URL='' @@ -1651,7 +1651,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 4.6 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 4.7 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1722,7 +1722,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 4.6:";; + short | recursive ) echo "Configuration of Squid Web Proxy 4.7:";; esac cat <<\_ACEOF @@ -2155,7 +2155,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 4.6 +Squid Web Proxy configure 4.7 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3259,7 +3259,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 4.6, which was +It was created by Squid Web Proxy $as_me 4.7, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4126,7 +4126,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='4.6' + VERSION='4.7' cat >>confdefs.h <<_ACEOF @@ -12105,6 +12105,12 @@ lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-static' ;; + # flang / f18. f95 an alias for gfortran or flang on Debian + flang* | f18* | f95*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fPIC' + lt_prog_compiler_static='-static' + ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*) @@ -26173,7 +26179,7 @@ ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH +for as_dir in $krb5confpath do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. @@ -29662,7 +29668,7 @@ ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH +for as_dir in $krb5confpath do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. @@ -40430,12 +40436,13 @@ -for ac_func in setrlimit +for ac_func in getrlimit setrlimit do : - ac_fn_cxx_check_func "$LINENO" "setrlimit" "ac_cv_func_setrlimit" -if test "x$ac_cv_func_setrlimit" = xyes; then : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_cxx_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF -#define HAVE_SETRLIMIT 1 +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi @@ -40459,14 +40466,17 @@ eval "${squid_util_var_tosave2}=\"${squid_util_var_tosave}\"" done - case $host in - i386-unknown-freebsd*) - if echo "$LDFLAGS" | grep -q pthread; then - LDFLAGS=`echo $LDFLAGS | sed -e "s/-pthread//"` - fi - esac + case $host_os in #( + freebsd) : + LDFLAGS=`echo $LDFLAGS | sed -e "s/-pthread//"` ;; #( + *) : + ;; +esac if test "$cross_compiling" = yes; then : - squid_filedescriptors_num=256 + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "cannot run test program while cross compiling +See \`config.log' for more details" "$LINENO" 5; } else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ @@ -40487,7 +40497,7 @@ */ i = NOFILE; #else -#if HAVE_SETRLIMIT +#if HAVE_GETRLIMIT && HAVE_SETRLIMIT struct rlimit rl; #if defined(RLIMIT_NOFILE) if (getrlimit(RLIMIT_NOFILE, &rl) < 0) { @@ -40535,21 +40545,35 @@ _ACEOF if ac_fn_cxx_try_run "$LINENO"; then : - squid_filedescriptors_num=`cat conftestval` -else - squid_filedescriptors_num=256 + squid_filedescriptors_limit=`cat conftestval` fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi - case "$host_os" in - mingw|mingw32) - squid_filedescriptors_num="2048" - ;; - esac - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $squid_filedescriptors_num" >&5 -$as_echo "$squid_filedescriptors_num" >&6; } + case "$host_os" in #( + mingw|mingw32) : + squid_filedescriptors_limit="2048" ;; #( + *) : + ;; +esac + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $squid_filedescriptors_limit" >&5 +$as_echo "$squid_filedescriptors_limit" >&6; } + if test "x$squid_filedescriptors_num" = "x" ; then : + + if test "x$squid_filedescriptors_limit" != "x" ; then : + + squid_filedescriptors_num=$squid_filedescriptors_limit + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: Unable to detect filedescriptor limits. Assuming 256 is okay." >&5 +$as_echo "$as_me: Unable to detect filedescriptor limits. Assuming 256 is okay." >&6;} + squid_filedescriptors_num=256 + +fi + +fi # rollback state, key is maxfd CFLAGS="${maxfd_CFLAGS}" @@ -40580,24 +40604,27 @@ -if test `expr $squid_filedescriptors_num % 64` != 0; then - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $squid_filedescriptors_num is not an multiple of 64. This may cause issues on certain platforms." >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: Default number of filedescriptors: $squid_filedescriptors_num" >&5 +$as_echo "$as_me: Default number of filedescriptors: $squid_filedescriptors_num" >&6;} + +if test `expr $squid_filedescriptors_num % 64` != 0 ; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $squid_filedescriptors_num is not an multiple of 64. This may cause issues on certain platforms." >&5 $as_echo "$as_me: WARNING: $squid_filedescriptors_num is not an multiple of 64. This may cause issues on certain platforms." >&2;} -fi -if test "x$squid_filedescriptors_num" != "x"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: Default number of fieldescriptors: $squid_filedescriptors_num" >&5 -$as_echo "$as_me: Default number of fieldescriptors: $squid_filedescriptors_num" >&6;} fi -if test "$squid_filedescriptors_num" -lt 512 ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $squid_filedescriptors_num may not be enough filedescriptors if your" >&5 + +if test "$squid_filedescriptors_num" -lt 512 ; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $squid_filedescriptors_num may not be enough filedescriptors if your" >&5 $as_echo "$as_me: WARNING: $squid_filedescriptors_num may not be enough filedescriptors if your" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache will be very busy. Please see the FAQ page" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache will be very busy. Please see the FAQ page" >&5 $as_echo "$as_me: WARNING: cache will be very busy. Please see the FAQ page" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: http://wiki.squid-cache.org/SquidFaq/TroubleShooting" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: http://wiki.squid-cache.org/SquidFaq/TroubleShooting" >&5 $as_echo "$as_me: WARNING: http://wiki.squid-cache.org/SquidFaq/TroubleShooting" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: on how to increase your filedescriptor limit" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: on how to increase your filedescriptor limit" >&5 $as_echo "$as_me: WARNING: on how to increase your filedescriptor limit" >&2;} + fi cat >>confdefs.h <<_ACEOF @@ -40606,6 +40633,7 @@ + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable IPv6" >&5 $as_echo_n "checking whether to enable IPv6... " >&6; } # Check whether --enable-ipv6 was given. @@ -41128,7 +41156,6 @@ getdtablesize \ getpagesize \ getpass \ - getrlimit \ getrusage \ getspnam \ gettimeofday \ @@ -44188,7 +44215,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 4.6, which was +This file was extended by Squid Web Proxy $as_me 4.7, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -44254,7 +44281,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Squid Web Proxy config.status 4.6 +Squid Web Proxy config.status 4.7 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -u -r -N squid-4.6/configure.ac squid-4.7/configure.ac --- squid-4.6/configure.ac 2019-02-19 16:04:42.000000000 +1300 +++ squid-4.7/configure.ac 2019-05-07 01:56:57.000000000 +1200 @@ -5,7 +5,7 @@ ## Please see the COPYING and CONTRIBUTORS files for details. ## -AC_INIT([Squid Web Proxy],[4.6],[http://bugs.squid-cache.org/],[squid]) +AC_INIT([Squid Web Proxy],[4.7],[http://bugs.squid-cache.org/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) @@ -1442,7 +1442,7 @@ ]) if test "x$squid_pc_krb5_name" = "x" -a "$cross_compiling" = "no"; then # Look for krb5-config (unless cross-compiling) - AC_PATH_PROG(krb5_config,krb5-config,no) + AC_PATH_PROG(krb5_config,krb5-config,no,$krb5confpath) if test "x$ac_cv_path_krb5_config" != "xno" ; then krb5confpath="`dirname $ac_cv_path_krb5_config`" ac_heimdal="`$ac_cv_path_krb5_config --version 2>/dev/null | grep -c -i heimdal`" @@ -1675,7 +1675,7 @@ fi if test "x$squid_pc_krb5_name" = "x" -a "$cross_compiling" = "no"; then # Look for krb5-config (unless cross-compiling) - AC_PATH_PROG(krb5_config,krb5-config,no) + AC_PATH_PROG(krb5_config,krb5-config,no,$krb5confpath) if test "x$ac_cv_path_krb5_config" != "xno" ; then krb5confpath="`dirname $ac_cv_path_krb5_config`" ac_heimdal="`$ac_cv_path_krb5_config --version 2>/dev/null | grep -c -i heimdal`" @@ -3192,16 +3192,6 @@ SQUID_CHECK_DEFAULT_FD_SETSIZE SQUID_CHECK_MAXFD -if test "x$squid_filedescriptors_num" != "x"; then - AC_MSG_NOTICE([Default number of fieldescriptors: $squid_filedescriptors_num]) -fi -if test "$squid_filedescriptors_num" -lt 512 ; then - AC_MSG_WARN([$squid_filedescriptors_num may not be enough filedescriptors if your]) - AC_MSG_WARN([cache will be very busy. Please see the FAQ page]) - AC_MSG_WARN([http://wiki.squid-cache.org/SquidFaq/TroubleShooting]) - AC_MSG_WARN([on how to increase your filedescriptor limit]) -fi -AC_DEFINE_UNQUOTED(SQUID_MAXFD, $squid_filedescriptors_num,[Maximum number of open filedescriptors]) dnl Enable IPv6 support @@ -3346,7 +3336,6 @@ getdtablesize \ getpagesize \ getpass \ - getrlimit \ getrusage \ getspnam \ gettimeofday \ diff -u -r -N squid-4.6/doc/release-notes/release-4.html squid-4.7/doc/release-notes/release-4.html --- squid-4.6/doc/release-notes/release-4.html 2019-02-19 16:13:57.000000000 +1300 +++ squid-4.7/doc/release-notes/release-4.html 2019-05-07 02:07:31.000000000 +1200 @@ -2,10 +2,10 @@ - Squid 4.6 release notes + Squid 4.7 release notes -

Squid 4.6 release notes

+

Squid 4.7 release notes

Squid Developers

@@ -63,7 +63,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-4.6 for testing.

+

The Squid Team are pleased to announce the release of Squid-4.7 for testing.

This new release is available for download from http://www.squid-cache.org/Versions/v4/ or the mirrors.

@@ -366,6 +366,9 @@

New option rotate= to control the number of log file rotations to make when -k rotate command is received. Default is to obey the logfile_rotate directive.

+

Extend buffer-size= support to UDP logging. Prior to Squid-4.7 +log entries would be buffered up to 1400 bytes before sending to UDP logger. +This option may now set smaller buffers, but not larger than 1400 bytes.

acl

New -m flag for note ACL to match substrings.

diff -u -r -N squid-4.6/include/version.h squid-4.7/include/version.h --- squid-4.6/include/version.h 2019-02-19 16:04:42.000000000 +1300 +++ squid-4.7/include/version.h 2019-05-07 01:56:57.000000000 +1200 @@ -7,7 +7,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1550545471 +#define SQUID_RELEASE_TIME 1557151008 #endif /* diff -u -r -N squid-4.6/lib/snmplib/snmp_msg.c squid-4.7/lib/snmplib/snmp_msg.c --- squid-4.6/lib/snmplib/snmp_msg.c 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/lib/snmplib/snmp_msg.c 2019-05-07 01:53:49.000000000 +1200 @@ -272,12 +272,16 @@ snmplib_debug(4, "snmp_msg_Decode:Error decoding SNMP Message Header (Version)!\n"); ASN_PARSE_ERROR(NULL); } + int terminatorPos = *CommLenP - 1; bufp = asn_parse_string(bufp, PacketLenP, &type, Community, CommLenP); if (bufp == NULL) { snmplib_debug(4, "snmp_msg_Decode:Error decoding SNMP Message Header (Community)!\n"); ASN_PARSE_ERROR(NULL); } - Community[*CommLenP] = '\0'; + if (*CommLenP < terminatorPos) { + terminatorPos = *CommLenP; + } + Community[terminatorPos] = '\0'; if ((*Version != SNMP_VERSION_1) && (*Version != SNMP_VERSION_2)) { diff -u -r -N squid-4.6/lib/snmplib/snmp_vars.c squid-4.7/lib/snmplib/snmp_vars.c --- squid-4.6/lib/snmplib/snmp_vars.c 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/lib/snmplib/snmp_vars.c 2019-05-07 01:53:49.000000000 +1200 @@ -511,9 +511,14 @@ snmp_set_api_error(SNMPERR_OS_ERR); PARSE_ERROR; } + int terminatorPos = Var->val_len - 1; bufp = asn_parse_string(DataPtr, &ThisVarLen, &Var->type, Var->val.string, &Var->val_len); + if (Var->val_len < terminatorPos) { + terminatorPos = Var->val_len; + } + Var->val.string[terminatorPos] = '\0'; #if DEBUG_VARS_DECODE printf("VARS: Decoded string '%s' (length %d) (%d bytes left)\n", (Var->val.string), Var->val_len, ThisVarLen); diff -u -r -N squid-4.6/libltdl/configure squid-4.7/libltdl/configure --- squid-4.6/libltdl/configure 2019-02-19 16:05:24.000000000 +1300 +++ squid-4.7/libltdl/configure 2019-05-07 01:57:50.000000000 +1200 @@ -8774,6 +8774,12 @@ lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-static' ;; + # flang / f18. f95 an alias for gfortran or flang on Debian + flang* | f18* | f95*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fPIC' + lt_prog_compiler_static='-static' + ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*) diff -u -r -N squid-4.6/libltdl/m4/libtool.m4 squid-4.7/libltdl/m4/libtool.m4 --- squid-4.6/libltdl/m4/libtool.m4 2019-02-19 16:04:35.000000000 +1300 +++ squid-4.7/libltdl/m4/libtool.m4 2019-05-07 01:56:51.000000000 +1200 @@ -4704,6 +4704,12 @@ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' ;; + # flang / f18. f95 an alias for gfortran or flang on Debian + flang* | f18* | f95*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*) diff -u -r -N squid-4.6/RELEASENOTES.html squid-4.7/RELEASENOTES.html --- squid-4.6/RELEASENOTES.html 2019-02-19 16:13:57.000000000 +1300 +++ squid-4.7/RELEASENOTES.html 2019-05-07 02:07:31.000000000 +1200 @@ -2,10 +2,10 @@ - Squid 4.6 release notes + Squid 4.7 release notes -

Squid 4.6 release notes

+

Squid 4.7 release notes

Squid Developers

@@ -63,7 +63,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-4.6 for testing.

+

The Squid Team are pleased to announce the release of Squid-4.7 for testing.

This new release is available for download from http://www.squid-cache.org/Versions/v4/ or the mirrors.

@@ -366,6 +366,9 @@

New option rotate= to control the number of log file rotations to make when -k rotate command is received. Default is to obey the logfile_rotate directive.

+

Extend buffer-size= support to UDP logging. Prior to Squid-4.7 +log entries would be buffered up to 1400 bytes before sending to UDP logger. +This option may now set smaller buffers, but not larger than 1400 bytes.

acl

New -m flag for note ACL to match substrings.

diff -u -r -N squid-4.6/src/acl/external/delayer/ext_delayer_acl.8 squid-4.7/src/acl/external/delayer/ext_delayer_acl.8 --- squid-4.6/src/acl/external/delayer/ext_delayer_acl.8 2019-02-19 16:14:01.000000000 +1300 +++ squid-4.7/src/acl/external/delayer/ext_delayer_acl.8 2019-05-07 02:07:33.000000000 +1200 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_DELAYER_ACL 8" -.TH EXT_DELAYER_ACL 8 "2019-02-19" "perl v5.28.1" "User Contributed Perl Documentation" +.TH EXT_DELAYER_ACL 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.6/src/acl/external/SQL_session/ext_sql_session_acl.8 squid-4.7/src/acl/external/SQL_session/ext_sql_session_acl.8 --- squid-4.6/src/acl/external/SQL_session/ext_sql_session_acl.8 2019-02-19 16:14:01.000000000 +1300 +++ squid-4.7/src/acl/external/SQL_session/ext_sql_session_acl.8 2019-05-07 02:07:34.000000000 +1200 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_SQL_SESSION_ACL 8" -.TH EXT_SQL_SESSION_ACL 8 "2019-02-19" "perl v5.28.1" "User Contributed Perl Documentation" +.TH EXT_SQL_SESSION_ACL 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.6/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 squid-4.7/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 --- squid-4.6/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2019-02-19 16:14:01.000000000 +1300 +++ squid-4.7/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2019-05-07 02:07:34.000000000 +1200 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL 8" -.TH EXT_WBINFO_GROUP_ACL 8 "2019-02-19" "perl v5.28.1" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.6/src/auth/basic/DB/basic_db_auth.8 squid-4.7/src/auth/basic/DB/basic_db_auth.8 --- squid-4.6/src/auth/basic/DB/basic_db_auth.8 2019-02-19 16:14:03.000000000 +1300 +++ squid-4.7/src/auth/basic/DB/basic_db_auth.8 2019-05-07 02:07:34.000000000 +1200 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 8" -.TH BASIC_DB_AUTH 8 "2019-02-19" "perl v5.28.1" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.6/src/auth/basic/POP3/basic_pop3_auth.8 squid-4.7/src/auth/basic/POP3/basic_pop3_auth.8 --- squid-4.6/src/auth/basic/POP3/basic_pop3_auth.8 2019-02-19 16:14:03.000000000 +1300 +++ squid-4.7/src/auth/basic/POP3/basic_pop3_auth.8 2019-05-07 02:07:34.000000000 +1200 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_POP3_AUTH 8" -.TH BASIC_POP3_AUTH 8 "2019-02-19" "perl v5.28.1" "User Contributed Perl Documentation" +.TH BASIC_POP3_AUTH 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.6/src/comm/TcpAcceptor.cc squid-4.7/src/comm/TcpAcceptor.cc --- squid-4.6/src/comm/TcpAcceptor.cc 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/src/comm/TcpAcceptor.cc 2019-05-07 01:53:49.000000000 +1200 @@ -282,16 +282,7 @@ ConnectionPointer newConnDetails = new Connection(); const Comm::Flag flag = oldAccept(newConnDetails); - /* Check for errors */ - if (!newConnDetails->isOpen()) { - - if (flag == Comm::NOMESSAGE) { - /* register interest again */ - debugs(5, 5, HERE << "try later: " << conn << " handler Subscription: " << theCallSub); - SetSelect(conn->fd, COMM_SELECT_READ, doAccept, this, 0); - return; - } - + if (flag == Comm::COMM_ERROR) { // A non-recoverable error; notify the caller */ debugs(5, 5, HERE << "non-recoverable error:" << status() << " handler Subscription: " << theCallSub); if (intendedForUserConnections()) @@ -301,12 +292,16 @@ return; } - newConnDetails->nfmark = Ip::Qos::getNfmarkFromConnection(newConnDetails, Ip::Qos::dirAccepted); + if (flag == Comm::NOMESSAGE) { + /* register interest again */ + debugs(5, 5, "try later: " << conn << " handler Subscription: " << theCallSub); + } else { + debugs(5, 5, "Listener: " << conn << + " accepted new connection " << newConnDetails << + " handler Subscription: " << theCallSub); + notify(flag, newConnDetails); + } - debugs(5, 5, HERE << "Listener: " << conn << - " accepted new connection " << newConnDetails << - " handler Subscription: " << theCallSub); - notify(flag, newConnDetails); SetSelect(conn->fd, COMM_SELECT_READ, doAccept, this, 0); } @@ -346,8 +341,8 @@ * * \retval Comm::OK success. details parameter filled. * \retval Comm::NOMESSAGE attempted accept() but nothing useful came in. - * \retval Comm::COMM_ERROR an outright failure occurred. * Or this client has too many connections already. + * \retval Comm::COMM_ERROR an outright failure occurred. */ Comm::Flag Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details) @@ -382,15 +377,6 @@ details->fd = sock; details->remote = *gai; - if ( Config.client_ip_max_connections >= 0) { - if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) { - debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections."); - Ip::Address::FreeAddr(gai); - PROF_stop(comm_accept); - return Comm::COMM_ERROR; - } - } - // lookup the local-end details of this new connection Ip::Address::InitAddr(gai); details->local.setEmpty(); @@ -404,6 +390,34 @@ details->local = *gai; Ip::Address::FreeAddr(gai); + // Perform NAT or TPROXY operations to retrieve the real client/dest IP addresses + if (conn->flags&(COMM_TRANSPARENT|COMM_INTERCEPTION) && !Ip::Interceptor.Lookup(details, conn)) { + debugs(50, DBG_IMPORTANT, "ERROR: NAT/TPROXY lookup failed to locate original IPs on " << details); + // Failed. + PROF_stop(comm_accept); + return Comm::COMM_ERROR; + } + +#if USE_SQUID_EUI + if (Eui::TheConfig.euiLookup) { + if (details->remote.isIPv4()) { + details->remoteEui48.lookup(details->remote); + } else if (details->remote.isIPv6()) { + details->remoteEui64.lookup(details->remote); + } + } +#endif + + details->nfmark = Ip::Qos::getNfmarkFromConnection(details, Ip::Qos::dirAccepted); + + if (Config.client_ip_max_connections >= 0) { + if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) { + debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections."); + PROF_stop(comm_accept); + return Comm::NOMESSAGE; + } + } + /* fdstat update */ // XXX : these are not all HTTP requests. use a note about type and ip:port details-> // so we end up with a uniform "(HTTP|FTP-data|HTTPS|...) remote-ip:remote-port" @@ -425,24 +439,6 @@ /* IFF the socket is (tproxy) transparent, pass the flag down to allow spoofing */ F->flags.transparent = fd_table[conn->fd].flags.transparent; // XXX: can we remove this line yet? - // Perform NAT or TPROXY operations to retrieve the real client/dest IP addresses - if (conn->flags&(COMM_TRANSPARENT|COMM_INTERCEPTION) && !Ip::Interceptor.Lookup(details, conn)) { - debugs(50, DBG_IMPORTANT, "ERROR: NAT/TPROXY lookup failed to locate original IPs on " << details); - // Failed. - PROF_stop(comm_accept); - return Comm::COMM_ERROR; - } - -#if USE_SQUID_EUI - if (Eui::TheConfig.euiLookup) { - if (details->remote.isIPv4()) { - details->remoteEui48.lookup(details->remote); - } else if (details->remote.isIPv6()) { - details->remoteEui64.lookup(details->remote); - } - } -#endif - PROF_stop(comm_accept); return Comm::OK; } diff -u -r -N squid-4.6/src/enums.h squid-4.7/src/enums.h --- squid-4.6/src/enums.h 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/src/enums.h 2019-05-07 01:53:49.000000000 +1200 @@ -57,7 +57,11 @@ SWAPOUT_WRITING, /// StoreEntry is associated with a complete (i.e., fully swapped out) disk store entry. /// Guarantees the disk store entry existence. - SWAPOUT_DONE + SWAPOUT_DONE, + /// StoreEntry is associated with an unusable disk store entry. + /// Swapout attempt has failed. The entry should be marked for eventual deletion. + /// Guarantees the disk store entry existence. + SWAPOUT_FAILED } swap_status_t; typedef enum { diff -u -r -N squid-4.6/src/fs/ufs/UFSSwapDir.cc squid-4.7/src/fs/ufs/UFSSwapDir.cc --- squid-4.6/src/fs/ufs/UFSSwapDir.cc 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/src/fs/ufs/UFSSwapDir.cc 2019-05-07 01:53:49.000000000 +1200 @@ -1181,6 +1181,8 @@ if (!e.hasDisk()) return; // see evictIfFound() + // Since these fields grow only after swap out ends successfully, + // do not decrement them for e.swappingOut() and e.swapoutFailed(). if (e.swappedOut()) { cur_size -= fs.blksize * sizeInBlocks(e.swap_file_sz); --n_disk_objects; @@ -1270,7 +1272,7 @@ Fs::Ufs::UFSSwapDir::finalizeSwapoutFailure(StoreEntry &entry) { debugs(47, 5, entry); - // rely on the expected subsequent StoreEntry::release(), evictCached(), or + // rely on the expected eventual StoreEntry::release(), evictCached(), or // a similar call to call unlink(), detachFromDisk(), etc. for the entry. } diff -u -r -N squid-4.6/src/http/url_rewriters/LFS/url_lfs_rewrite.8 squid-4.7/src/http/url_rewriters/LFS/url_lfs_rewrite.8 --- squid-4.6/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2019-02-19 16:14:05.000000000 +1300 +++ squid-4.7/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2019-05-07 02:07:35.000000000 +1200 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "URL_LFS_REWRITE 8" -.TH URL_LFS_REWRITE 8 "2019-02-19" "perl v5.28.1" "User Contributed Perl Documentation" +.TH URL_LFS_REWRITE 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.6/src/log/DB/log_db_daemon.8 squid-4.7/src/log/DB/log_db_daemon.8 --- squid-4.6/src/log/DB/log_db_daemon.8 2019-02-19 16:14:05.000000000 +1300 +++ squid-4.7/src/log/DB/log_db_daemon.8 2019-05-07 02:07:35.000000000 +1200 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "LOG_DB_DAEMON 8" -.TH LOG_DB_DAEMON 8 "2019-02-19" "perl v5.28.1" "User Contributed Perl Documentation" +.TH LOG_DB_DAEMON 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.6/src/log/ModUdp.cc squid-4.7/src/log/ModUdp.cc --- squid-4.6/src/log/ModUdp.cc 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/src/log/ModUdp.cc 2019-05-07 01:53:49.000000000 +1200 @@ -205,7 +205,8 @@ * applications like netcat have a small default receive buffer and will * truncate! */ - bufsz = 1400; + if (bufsz > 1400) + bufsz = 1400; if (bufsz > 0) { ll->buf = static_cast(xmalloc(bufsz)); ll->bufsz = bufsz; diff -u -r -N squid-4.6/src/main.cc squid-4.7/src/main.cc --- squid-4.6/src/main.cc 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/src/main.cc 2019-05-07 01:53:49.000000000 +1200 @@ -1152,7 +1152,9 @@ _db_init(Debug::cache_log, Debug::debugOptions); - fd_open(fileno(debug_log), FD_LOG, Debug::cache_log); + // Do not register cache.log descriptor with Comm (for now). + // See https://bugs.squid-cache.org/show_bug.cgi?id=4796 + // fd_open(fileno(debug_log), FD_LOG, Debug::cache_log); debugs(1, DBG_CRITICAL, "Starting Squid Cache version " << version_string << " for " << CONFIG_HOST_TYPE << "..."); debugs(1, DBG_CRITICAL, "Service Name: " << service_name); diff -u -r -N squid-4.6/src/security/cert_validators/fake/security_fake_certverify.8 squid-4.7/src/security/cert_validators/fake/security_fake_certverify.8 --- squid-4.6/src/security/cert_validators/fake/security_fake_certverify.8 2019-02-19 16:14:06.000000000 +1300 +++ squid-4.7/src/security/cert_validators/fake/security_fake_certverify.8 2019-05-07 02:07:36.000000000 +1200 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "SECURITY_FAKE_CERTVERIFY 8" -.TH SECURITY_FAKE_CERTVERIFY 8 "2019-02-19" "perl v5.28.1" "User Contributed Perl Documentation" +.TH SECURITY_FAKE_CERTVERIFY 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.6/src/security/PeerOptions.cc squid-4.7/src/security/PeerOptions.cc --- squid-4.6/src/security/PeerOptions.cc 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/src/security/PeerOptions.cc 2019-05-07 01:53:49.000000000 +1200 @@ -287,6 +287,7 @@ updateContextNpn(t); updateContextCa(t); updateContextCrl(t); + updateContextTrust(t); } return t; @@ -703,6 +704,23 @@ } void +Security::PeerOptions::updateContextTrust(Security::ContextPointer &ctx) +{ +#if USE_OPENSSL +#if defined(X509_V_FLAG_PARTIAL_CHAIN) + const auto st = SSL_CTX_get_cert_store(ctx.get()); + assert(st); + if (X509_STORE_set_flags(st, X509_V_FLAG_PARTIAL_CHAIN) != 1) { + debugs(83, DBG_IMPORTANT, "ERROR: Failed to enable trust in intermediate CA certificates: " << + Security::ErrorString(ERR_get_error())); + } +#endif +#elif USE_GNUTLS + // Modern GnuTLS versions trust intermediate CA certificates by default. +#endif /* TLS library */ +} + +void Security::PeerOptions::updateSessionOptions(Security::SessionPointer &s) { #if USE_OPENSSL diff -u -r -N squid-4.6/src/security/PeerOptions.h squid-4.7/src/security/PeerOptions.h --- squid-4.6/src/security/PeerOptions.h 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/src/security/PeerOptions.h 2019-05-07 01:53:49.000000000 +1200 @@ -56,6 +56,9 @@ /// setup the CRL details for the given context void updateContextCrl(Security::ContextPointer &); + /// decide which CAs to trust + void updateContextTrust(Security::ContextPointer &); + /// setup any library-specific options that can be set for the given session void updateSessionOptions(Security::SessionPointer &); diff -u -r -N squid-4.6/src/security/ServerOptions.cc squid-4.7/src/security/ServerOptions.cc --- squid-4.6/src/security/ServerOptions.cc 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/src/security/ServerOptions.cc 2019-05-07 01:53:49.000000000 +1200 @@ -439,6 +439,7 @@ } updateContextCrl(ctx); + updateContextTrust(ctx); } else { debugs(83, 9, "Not requiring any client certificates"); diff -u -r -N squid-4.6/src/store/id_rewriters/file/storeid_file_rewrite.8 squid-4.7/src/store/id_rewriters/file/storeid_file_rewrite.8 --- squid-4.6/src/store/id_rewriters/file/storeid_file_rewrite.8 2019-02-19 16:14:02.000000000 +1300 +++ squid-4.7/src/store/id_rewriters/file/storeid_file_rewrite.8 2019-05-07 02:07:34.000000000 +1200 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "STOREID_FILE_REWRITE 8" -.TH STOREID_FILE_REWRITE 8 "2019-02-19" "perl v5.28.1" "User Contributed Perl Documentation" +.TH STOREID_FILE_REWRITE 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.6/src/store.cc squid-4.7/src/store.cc --- squid-4.6/src/store.cc 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/src/store.cc 2019-05-07 01:53:49.000000000 +1200 @@ -83,7 +83,8 @@ const char *swapStatusStr[] = { "SWAPOUT_NONE", "SWAPOUT_WRITING", - "SWAPOUT_DONE" + "SWAPOUT_DONE", + "SWAPOUT_FAILED" }; /* @@ -257,6 +258,8 @@ // XXX: Type names mislead. STORE_DISK_CLIENT actually means that we should // open swapin file, aggressively trim memory, and ignore read-ahead gap. // It does not mean we will read from disk exclusively (or at all!). +// STORE_MEM_CLIENT covers all other cases, including in-memory entries, +// newly created entries, and entries not backed by disk or memory cache. // XXX: May create STORE_DISK_CLIENT with no disk caching configured. // XXX: Collapsed clients cannot predict their type. store_client_t @@ -279,6 +282,9 @@ return STORE_MEM_CLIENT; } + if (swapoutFailed()) + return STORE_MEM_CLIENT; + if (store_status == STORE_OK) { /* the object has completed. */ @@ -2044,13 +2050,23 @@ void StoreEntry::checkDisk() const { - const bool ok = (swap_dirn < 0) == (swap_filen < 0) && - (swap_dirn < 0) == (swap_status == SWAPOUT_NONE) && - (swap_dirn < 0 || swap_dirn < Config.cacheSwap.n_configured); - - if (!ok) { - debugs(88, DBG_IMPORTANT, "ERROR: inconsistent disk entry state " << *this); - throw std::runtime_error("inconsistent disk entry state "); + try { + if (swap_dirn < 0) { + Must(swap_filen < 0); + Must(swap_status == SWAPOUT_NONE); + } else { + Must(swap_filen >= 0); + Must(swap_dirn < Config.cacheSwap.n_configured); + if (swapoutFailed()) { + Must(EBIT_TEST(flags, RELEASE_REQUEST)); + } else { + Must(swappingOut() || swappedOut()); + } + } + } catch (...) { + debugs(88, DBG_IMPORTANT, "ERROR: inconsistent disk entry state " << + *this << "; problem: " << CurrentException); + throw; } } diff -u -r -N squid-4.6/src/store_client.cc squid-4.7/src/store_client.cc --- squid-4.6/src/store_client.cc 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/src/store_client.cc 2019-05-07 01:53:49.000000000 +1200 @@ -162,7 +162,7 @@ if (getType() == STORE_DISK_CLIENT) { /* assert we'll be able to get the data we want */ /* maybe we should open swapin_sio here */ - assert(entry->hasDisk() || entry->swappingOut()); + assert(entry->hasDisk() && !entry->swapoutFailed()); } } @@ -662,7 +662,8 @@ dlinkDelete(&sc->node, &mem->clients); -- mem->nclients; - if (e->store_status == STORE_OK && !e->swappedOut()) + const auto swapoutFinished = e->swappedOut() || e->swapoutFailed(); + if (e->store_status == STORE_OK && !swapoutFinished) e->swapOut(); if (sc->swapin_sio != NULL) { diff -u -r -N squid-4.6/src/Store.h squid-4.7/src/Store.h --- squid-4.6/src/Store.h 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/src/Store.h 2019-05-07 01:53:49.000000000 +1200 @@ -119,6 +119,8 @@ bool swappingOut() const { return swap_status == SWAPOUT_WRITING; } /// whether the entire entry is now on disk (possibly marked for deletion) bool swappedOut() const { return swap_status == SWAPOUT_DONE; } + /// whether we failed to write this entry to disk + bool swapoutFailed() const { return swap_status == SWAPOUT_FAILED; } void swapOutFileClose(int how); const char *url() const; /// Satisfies cachability requirements shared among disk and RAM caches. diff -u -r -N squid-4.6/src/store_swapin.cc squid-4.7/src/store_swapin.cc --- squid-4.6/src/store_swapin.cc 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/src/store_swapin.cc 2019-05-07 01:53:49.000000000 +1200 @@ -38,6 +38,11 @@ return; } + if (e->swapoutFailed()) { + debugs(20, DBG_IMPORTANT, "BUG: Attempt to swap in a failed-to-store entry " << *e << ". Salvaged."); + return; + } + assert(e->mem_obj != NULL); sc->swapin_sio = storeOpen(e, storeSwapInFileNotify, storeSwapInFileClosed, sc); } diff -u -r -N squid-4.6/src/store_swapout.cc squid-4.7/src/store_swapout.cc --- squid-4.6/src/store_swapout.cc 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/src/store_swapout.cc 2019-05-07 01:53:49.000000000 +1200 @@ -88,19 +88,9 @@ /// XXX: unused, see a related StoreIOState::file_callback static void -storeSwapOutFileNotify(void *data, int errflag, StoreIOState::Pointer self) +storeSwapOutFileNotify(void *, int, StoreIOState::Pointer) { - StoreEntry *e; - static_cast(data)->unwrap(&e); - - MemObject *mem = e->mem_obj; - assert(e->swappingOut()); - assert(mem); - assert(mem->swapout.sio == self); - assert(errflag == 0); - assert(!e->hasDisk()); // if this fails, call SwapDir::disconnect(e) - e->swap_filen = mem->swapout.sio->swap_filen; - e->swap_dirn = mem->swapout.sio->swap_dirn; + assert(false); } static bool @@ -304,8 +294,11 @@ storeConfigure(); } + // mark the locked entry for deletion + // TODO: Keep the memory entry (if any) + e->releaseRequest(); + e->swap_status = SWAPOUT_FAILED; e->disk().finalizeSwapoutFailure(*e); - e->releaseRequest(); // TODO: Keep the memory entry (if any) } else { /* swapping complete */ debugs(20, 3, "storeSwapOutFileClosed: SwapOut complete: '" << e->url() << "' to " << diff -u -r -N squid-4.6/src/tests/stub_debug.cc squid-4.7/src/tests/stub_debug.cc --- squid-4.6/src/tests/stub_debug.cc 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/src/tests/stub_debug.cc 2019-05-07 01:53:49.000000000 +1200 @@ -103,7 +103,8 @@ Debug::Context::Context(const int aSection, const int aLevel): level(aLevel), sectionLevel(Levels[aSection]), - upper(Current) + upper(Current), + forceAlert(false) { buf.setf(std::ios::fixed); buf.precision(2); diff -u -r -N squid-4.6/src/tests/stub_libsecurity.cc squid-4.7/src/tests/stub_libsecurity.cc --- squid-4.6/src/tests/stub_libsecurity.cc 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/src/tests/stub_libsecurity.cc 2019-05-07 01:53:49.000000000 +1200 @@ -86,6 +86,7 @@ Security::ContextPointer Security::PeerOptions::createBlankContext() const STUB_RETVAL(Security::ContextPointer()) void Security::PeerOptions::updateContextCa(Security::ContextPointer &) STUB void Security::PeerOptions::updateContextCrl(Security::ContextPointer &) STUB +void Security::PeerOptions::updateContextTrust(Security::ContextPointer &) STUB void Security::PeerOptions::updateSessionOptions(Security::SessionPointer &) STUB void Security::PeerOptions::dumpCfg(Packable*, char const*) const STUB void Security::PeerOptions::parseOptions() STUB diff -u -r -N squid-4.6/test-suite/stub_debug.cc squid-4.7/test-suite/stub_debug.cc --- squid-4.6/test-suite/stub_debug.cc 2019-02-19 16:14:06.000000000 +1300 +++ squid-4.7/test-suite/stub_debug.cc 2019-05-07 02:07:36.000000000 +1200 @@ -103,7 +103,8 @@ Debug::Context::Context(const int aSection, const int aLevel): level(aLevel), sectionLevel(Levels[aSection]), - upper(Current) + upper(Current), + forceAlert(false) { buf.setf(std::ios::fixed); buf.precision(2); diff -u -r -N squid-4.6/tools/helper-mux/helper-mux.8 squid-4.7/tools/helper-mux/helper-mux.8 --- squid-4.6/tools/helper-mux/helper-mux.8 2019-02-19 16:14:06.000000000 +1300 +++ squid-4.7/tools/helper-mux/helper-mux.8 2019-05-07 02:07:36.000000000 +1200 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "HELPER-MUX 8" -.TH HELPER-MUX 8 "2019-02-19" "perl v5.28.1" "User Contributed Perl Documentation" +.TH HELPER-MUX 8 "2019-05-06" "perl v5.28.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.6/tools/squidclient/squidclient.cc squid-4.7/tools/squidclient/squidclient.cc --- squid-4.6/tools/squidclient/squidclient.cc 2019-02-19 15:46:22.000000000 +1300 +++ squid-4.7/tools/squidclient/squidclient.cc 2019-05-07 01:53:49.000000000 +1200 @@ -22,6 +22,7 @@ /** \endcond */ #endif +#include #include #include #include @@ -177,6 +178,56 @@ *d = '\0'; } +/// [Proxy-]Authorization header producer +class Authorization +{ +public: + Authorization(const char *aHeader, const char *aDestination): + header(aHeader), destination(aDestination) {} + + /// finalizes and writes the right HTTP header to the given stream + void commit(std::ostream &os); + + std::string header; ///< HTTP header name to send + std::string destination; ///< used when describing password + const char *user = nullptr; ///< user name to encode and send + const char *password = nullptr; ///< user password to encode and send +}; + +void +Authorization::commit(std::ostream &os) +{ +#if HAVE_GETPASS + if (!password) + password = getpass((destination + " password: ").c_str()); +#endif + if (!password) { + std::cerr << "ERROR: " << destination << " password missing\n"; + exit(EXIT_FAILURE); + } + + struct base64_encode_ctx ctx; + base64_encode_init(&ctx); + const auto bcapacity = base64_encode_len(strlen(user) + 1 + strlen(password)); + const auto buf = new char[bcapacity]; + + size_t bsize = 0; + bsize += base64_encode_update(&ctx, buf, strlen(user), reinterpret_cast(user)); + bsize += base64_encode_update(&ctx, buf+bsize, 1, reinterpret_cast(":")); + bsize += base64_encode_update(&ctx, buf+bsize, strlen(password), reinterpret_cast(password)); + bsize += base64_encode_final(&ctx, buf+bsize); + assert(bsize <= bcapacity); // paranoid and late but better than nothing + + os << header << ": Basic "; + os.write(buf, bsize); + os << "\r\n"; + + delete[] buf; +} + +static Authorization ProxyAuthorization("Proxy-Authorization", "proxy"); +static Authorization OriginAuthorization("Authorization", "origin server"); + int main(int argc, char *argv[]) { @@ -195,10 +246,6 @@ time_t ims = 0; int max_forwards = -1; - const char *proxy_user = NULL; - const char *proxy_password = NULL; - const char *www_user = NULL; - const char *www_password = NULL; const char *host = NULL; const char *version = "1.0"; const char *useragent = NULL; @@ -321,19 +368,19 @@ break; case 'u': - proxy_user = optarg; + ProxyAuthorization.user = optarg; break; case 'w': - proxy_password = optarg; + ProxyAuthorization.password = optarg; break; case 'U': - www_user = optarg; + OriginAuthorization.user = optarg; break; case 'W': - www_password = optarg; + OriginAuthorization.password = optarg; break; case 'n': @@ -380,7 +427,7 @@ char *t = xstrdup(url + 4); const char *at = NULL; if (!strrchr(t, '@')) { // ignore any -w password if @ is explicit already. - at = proxy_password; + at = ProxyAuthorization.password; } // embed the -w proxy password into old-style cachemgr URLs if (at) @@ -461,47 +508,10 @@ if (max_forwards > -1) { msg << "Max-Forwards: " << max_forwards << "\r\n"; } - struct base64_encode_ctx ctx; - base64_encode_init(&ctx); - size_t blen; - if (proxy_user) { - const char *user = proxy_user; - const char *password = proxy_password; -#if HAVE_GETPASS - if (!password) - password = getpass("Proxy password: "); -#endif - if (!password) { - std::cerr << "ERROR: Proxy password missing" << std::endl; - exit(1); - } - char *pwdBuf = new char[base64_encode_len(strlen(user)+1+strlen(password))]; - blen = base64_encode_update(&ctx, pwdBuf, strlen(user), reinterpret_cast(user)); - blen += base64_encode_update(&ctx, pwdBuf+blen, 1, reinterpret_cast(":")); - blen += base64_encode_update(&ctx, pwdBuf+blen, strlen(password), reinterpret_cast(password)); - blen += base64_encode_final(&ctx, pwdBuf+blen); - msg << "Proxy-Authorization: Basic " << pwdBuf << "\r\n"; - delete[] pwdBuf; - } - if (www_user) { - const char *user = www_user; - const char *password = www_password; -#if HAVE_GETPASS - if (!password) - password = getpass("WWW password: "); -#endif - if (!password) { - std::cerr << "ERROR: WWW password missing" << std::endl; - exit(1); - } - char *pwdBuf = new char[base64_encode_len(strlen(user)+1+strlen(password))]; - blen = base64_encode_update(&ctx, pwdBuf, strlen(user), reinterpret_cast(user)); - blen += base64_encode_update(&ctx, pwdBuf+blen, 1, reinterpret_cast(":")); - blen += base64_encode_update(&ctx, pwdBuf+blen, strlen(password), reinterpret_cast(password)); - blen += base64_encode_final(&ctx, pwdBuf+blen); - msg << "Proxy-Authorization: Basic " << pwdBuf << "\r\n"; - delete[] pwdBuf; - } + if (ProxyAuthorization.user) + ProxyAuthorization.commit(msg); + if (OriginAuthorization.user) + OriginAuthorization.commit(msg); #if HAVE_GSSAPI if (www_neg) { if (host) { diff -u -r -N squid-4.6/tools/squidclient/stub_debug.cc squid-4.7/tools/squidclient/stub_debug.cc --- squid-4.6/tools/squidclient/stub_debug.cc 2019-02-19 16:14:07.000000000 +1300 +++ squid-4.7/tools/squidclient/stub_debug.cc 2019-05-07 02:07:36.000000000 +1200 @@ -103,7 +103,8 @@ Debug::Context::Context(const int aSection, const int aLevel): level(aLevel), sectionLevel(Levels[aSection]), - upper(Current) + upper(Current), + forceAlert(false) { buf.setf(std::ios::fixed); buf.precision(2); diff -u -r -N squid-4.6/tools/stub_debug.cc squid-4.7/tools/stub_debug.cc --- squid-4.6/tools/stub_debug.cc 2019-02-19 16:14:06.000000000 +1300 +++ squid-4.7/tools/stub_debug.cc 2019-05-07 02:07:36.000000000 +1200 @@ -103,7 +103,8 @@ Debug::Context::Context(const int aSection, const int aLevel): level(aLevel), sectionLevel(Levels[aSection]), - upper(Current) + upper(Current), + forceAlert(false) { buf.setf(std::ios::fixed); buf.precision(2);