debian/0000755000000000000000000000000012221720147007164 5ustar debian/patches/0000755000000000000000000000000012221717674010626 5ustar debian/patches/01-extregex0000644000000000000000000000263712215322111012607 0ustar Author: Alexander Zangerl Subject: make all regexps extended ones --- a/pattern_list.c +++ b/pattern_list.c @@ -54,7 +54,6 @@ add_to_patterns(char *pattern, pattern_i regex_t compiled; pattern_item rpattern; int abort_type = 0; - int parenthesis; int stored; /* The regex_flags that we use are: @@ -62,9 +61,9 @@ add_to_patterns(char *pattern, pattern_i REG_NOSUB REG_ICASE; */ - int regex_flags = REG_NOSUB; + int regex_flags = REG_EXTENDED; - rpattern.type = NORMAL; + rpattern.type = EXTENDED; rpattern.case_sensitive = 1; #ifdef USE_ACCEL stored = sscanf(pattern, "%s %s %s %s", type, first, second, accel); @@ -91,24 +90,6 @@ add_to_patterns(char *pattern, pattern_i rpattern.case_sensitive = 0; } - if(!abort_type) { - parenthesis = count_parenthesis (first); - if (parenthesis < 0) { - /* The function returned an invalid result, - indicating an invalid string */ - log (ERROR, "count_parenthesis() returned " - "left count did not match right count for line: [%s]\n", - pattern); - echo_mode = 1; - return; - } - else if (parenthesis > 0) { - regex_flags |= REG_EXTENDED; - rpattern.type = EXTENDED; - regex_flags ^= REG_NOSUB; - } - } - if(regcomp(&compiled, first, regex_flags)) { log(ERROR, "Invalid regex [%s] in pattern file\n", first); echo_mode = 1; debian/patches/05-squid30000644000000000000000000000357412215322071012176 0ustar Author: Alexander Zangerl Subject: add support for squid 3 --- a/rewrite.c +++ b/rewrite.c 
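Review bot: The flags comment kept above `regex_flags` in the second hunk still lists `REG_EXTENDED REG_NOSUB REG_ICASE` as the flags in use, but after this change only `REG_EXTENDED` is set initially and `REG_NOSUB` is never set; update it, for example `/* always REG_EXTENDED; REG_ICASE is added for regexi rules */`. Compiling every rule as an extended expression also changes how existing rule files are read, because `+`, `?`, `|`, `{` and unescaped parentheses become operators, and that deserves a line in the patch description or the rules documentation. `count_parenthesis()` is no longer called from add_to_patterns and may now be unused. The function starts and ends outside these hunks.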
@@ -94,6 +94,18 @@ parse_buff(char *buff, char **url, char end[2] = token; *ident = new_token; + /* az Tue Nov 11 09:12:04 2008 + message format changed between 2.5 and 2.6, and again + between 2 and 3...*sigh* + + squid 2.6: URL client_ip "/" fqdn user + method urlgroup [ kvpairs] + squid 3: same but without the urlgroup column. + + no space after method: no urlgroup + space but no = after method: 2.6, urlgroup + space but = after method: 3, no urlgroup. + */ /* this might be the last token, check for a space or a newline */ if (!( new_token = strchr(++token,' '))) @@ -104,23 +116,25 @@ parse_buff(char *buff, char **url, char end[3] = new_token; *method = token; - /* this will be the last token, stop at a space or newline - to avoid spaces in urlgroup. maybe be too rare to - waste a test on */ + /* here goes urlgroup or optional k=v pairs */ if (!( token = strchr(++new_token,' '))) - token = strchr(new_token,'\n'); - if (token) { /* urlgroup */ - c++; - *token = '\0'; - end[4] = token; - /* squid sends "-" as indicator for no urlgroup */ - if (strcmp(new_token,"-")) - *urlgroup = new_token; - + token = strchr(new_token,'\n'); + if (token) /* urlgroup or k/v pairs*/ + { + c++; + *token = '\0'; + end[4] = token; + /* squid 2.6+ sends "-" as indicator for no urlgroup, + squid 3 has no urlgroups. + note: this can't ever work with an urlgroup that has + equal signs in it... + */ + if (strcmp(new_token,"-") && !strchr(new_token,'=')) + *urlgroup = new_token; + } + } } - - } } } debian/patches/04-urlgroup0000644000000000000000000003221612215322076012644 0ustar Author: Alexander Zangerl Subject: #487980 add support for urlgroups (squid 2.6) --- a/etc/redirect.rules +++ b/etc/redirect.rules 
@@ -4,11 +4,13 @@ # Syntax: # -# regex|regexi pattern replacement +# regex[i] pattern replacement +# regex[i]ug urlgroup pattern replacement # # or # # abort .filename_extension +# abortug urlgroup .filename_extension # jesred uses a linear list of redirect rules and terminates on first match, # so the order of rules is important! @@ -31,12 +33,23 @@ # regex RE [RURL] # regexi RE [RURL] +# regexug URLGROUP RE [RURL] +# regexiug URLGROUP RE [RURL] # # regex ... indicates, that the following RE is case-sensitive # regexi ... indicates, that the following RE is case-insensitive # RE ... is the regular expression, which has to match the passed URL to get # rewritten with the following RURL (see regex(7)). # RURL ... if RE matches the passed URL, jesred returns RURL +# URLGROUP ... URLGROUP must also match for jesred to return RURL + +# To indicate that a client-side redirect should be performed with +# the new URL prefixing the RURL with "301:" (moved permanently) +# or 302: (moved temporarily). + +# RURL can also include a "urlgroup" that can subsequently be matched +# in cache_peer_access and similar ACL driven rules. An urlgroup is +# returned by prefixing the RURL with "!urlgroup!". 2.6STABLE19 # If RURL is omitted, all URLs which match RE are NOT rewritten. # So the following two rules prevent jesred from rewriting matched URLs, but --- a/main.c +++ b/main.c @@ -75,7 +75,7 @@ int main(int argc, char **argv) /* int first_run = 1; */ char buff[BUFSIZE]; char redirect_url[BUFSIZE]; - char *url, *src_addr, *ident, *method; + char *url, *src_addr, *ident, *method, *urlgroup; int finished = 0; int buff_status = 0; ip_acl *ip_list = NULL; 
@@ -118,7 +118,7 @@ int main(int argc, char **argv) } /* separate the four fields from the single input line of stdin */ buff_status = parse_buff(buff, &url, &src_addr, &ident, &method, - ip_list, pattern_list); + &urlgroup, ip_list, pattern_list); /* error during parsing the passed line from squid - no rewrite */ if(buff_status) { puts(""); @@ -133,7 +133,7 @@ int main(int argc, char **argv) continue; } /* find a rule for rewriting the URL */ - val = pattern_compare(url, redirect_url, pattern_list); + val = pattern_compare(url, urlgroup, redirect_url, pattern_list); if( val < 1 ) { /* no rule found = 0, or ABORT rule -N */ puts(""); --- a/pattern_list.c +++ b/pattern_list.c @@ -1,5 +1,5 @@ /* - * $Id: pattern_list.c,v 1.2 1998/07/25 02:32:45 elkner Exp $ + * $Id: pattern_list.c,v 1.7 2008/04/21 01:51:17 nrickerby Exp nrickerby $ * * Author: Squirm derived http://www.senet.com.au/squirm/ * Project: Jesred http://ivs.cs.uni-magdeburg.de/~elkner/webtools/jesred/ @@ -53,17 +53,23 @@ char * get_accel(char *, int *, int); void add_to_patterns(char *pattern, pattern_item **plist) { - char first[BUFSIZE]; - char second[BUFSIZE]; - char type[BUFSIZE]; + char * rgxurl = ""; + char * repurl = ""; #ifdef USE_ACCEL - char accel[BUFSIZE]; + char * accel = ""; #endif + char * urlgroup = NULL; regex_t compiled; pattern_item rpattern; int abort_type = 0; int stored; + char type[BUFSIZE]; + char arg1[BUFSIZE]; + char arg2[BUFSIZE]; + char arg3[BUFSIZE]; + char arg4[BUFSIZE]; + /* The regex_flags that we use are: REG_EXTENDED REG_NOSUB 
@@ -73,11 +79,9 @@ add_to_patterns(char *pattern, pattern_i rpattern.type = EXTENDED; rpattern.case_sensitive = 1; -#ifdef USE_ACCEL - stored = sscanf(pattern, "%s %s %s %s", type, first, second, accel); -#else - stored = sscanf(pattern, "%s %s %s", type, first, second); -#endif + + stored = sscanf(pattern, "%s %s %s %s %s", type, arg1, arg2, arg3, arg4); + if((stored < 2) || (stored > 4)) { mylog(ERROR, "unable to get a pair of patterns in add_to_patterns() " "for [%s]\n", pattern); 
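Review bot: The range check kept right after the new five-field `sscanf` still rejects `stored > 4`, so the `case 5` branch that the following hunk adds for `regexug`/`regexiug` under `USE_ACCEL` can never run, and a rule carrying urlgroup, pattern, replacement and accelerator is refused as unparsable. Widen the guard to `if((stored < 2) || (stored > 5)) {` and let the per-type switches reject counts that do not fit the rule type. The `%s` conversions are also unbounded and rely on the caller having read the line with `fgets(buff, BUFSIZE, fd)`; a comment stating that `pattern` must be shorter than BUFSIZE, or explicit field widths, would make that bound visible here. add_to_patterns starts and ends outside this hunk.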
@@ -85,39 +89,100 @@ add_to_patterns(char *pattern, pattern_i return; } - if(stored == 2) - strcpy(second, ""); - if(strcmp(type, "abort") == 0) { + if ( (strcmp(type, "regexug") == 0) || (strcmp(type, "regexiug") == 0) ) { + switch( stored ) + { + case 3 : urlgroup = arg1; + rgxurl = arg2; + break; + case 4 : urlgroup = arg1; + rgxurl = arg2; + repurl = arg3; + break; +#ifdef USE_ACCEL + case 5 : urlgroup = arg1; + rgxurl = arg2; + repurl = arg3; + accel = arg4; + break; +#endif + default : mylog(ERROR, "unable to parse rule for [%s]\n", pattern); + echo_mode = 1; + break; + } + } + else if ( (strcmp(type, "regex") == 0) || (strcmp(type, "regexi") == 0) ) { + switch( stored ) + { + case 2 : rgxurl = arg1; + strcpy(repurl, ""); + break; + case 3 : rgxurl = arg1; + repurl = arg2; + break; +#ifdef USE_ACCEL + case 4 : rgxurl = arg1; + repurl = arg2; + accel = arg3; + break; +#endif + default : mylog(ERROR, "unable to parse rule for [%s]\n", pattern); + echo_mode = 1; + break; + } + } + else if (strcmp(type, "abortug") == 0) { rpattern.type = ABORT; abort_type = 1; + if ( stored == 3 ) { + urlgroup = arg1; + rgxurl = arg2; + } else { + mylog(ERROR, "unable to parse rule for [%s]\n", pattern); + echo_mode = 1; + } + } + else if (strcmp(type, "abort") == 0) { + rpattern.type = ABORT; + abort_type = 1; + if ( stored == 2 ) { + rgxurl = arg1; + } else { + mylog(ERROR, "unable to parse rule for [%s]\n", pattern); + echo_mode = 1; + } + } + else { + mylog(ERROR, "unable to parse rule for [%s]\n", pattern); + echo_mode = 1; } - if(strcmp(type, "regexi") == 0) { + if((strcmp(type, "regexi") == 0) || (strcmp(type, "regexiug") == 0)) { regex_flags |= REG_ICASE; rpattern.case_sensitive = 0; } - if(regcomp(&compiled, first, regex_flags)) { - mylog(ERROR, "Invalid regex [%s] in pattern file\n", first); + if(regcomp(&compiled, rgxurl, regex_flags)) { + mylog(ERROR, "Invalid regex [%s] in pattern file\n", rgxurl); echo_mode = 1; return; } rpattern.cpattern = compiled; - 
rpattern.pattern = (char *)malloc(sizeof(char) * (strlen(first) +1)); + rpattern.pattern = (char *)malloc(sizeof(char) * (strlen(rgxurl) +1)); if(rpattern.pattern == NULL) { mylog(ERROR, "unable to allocate memory in add_to_patterns()\n"); echo_mode = 1; return; } - strcpy(rpattern.pattern, first); - rpattern.replacement = (char *)malloc(sizeof(char) * (strlen(second) +1)); + strcpy(rpattern.pattern, rgxurl); + rpattern.replacement = (char *)malloc(sizeof(char) * (strlen(repurl) +1)); if(rpattern.replacement == NULL) { mylog(ERROR, "unable to allocate memory in add_to_patterns()\n"); echo_mode = 1; return; } - strcpy(rpattern.replacement, second); + strcpy(rpattern.replacement, repurl); #ifdef USE_ACCEL /* use accelerator string if it exists */ @@ -136,6 +201,20 @@ add_to_patterns(char *pattern, pattern_i rpattern.accel = NULL; } #endif + + if ( urlgroup ) { + rpattern.urlgroup = (char *)malloc(sizeof(char) * (strlen(urlgroup) +1)); + if(rpattern.urlgroup == NULL) { + mylog(ERROR, "unable to allocate memory in add_to_patterns()\n"); + echo_mode = 1; + return; + } + strcpy(rpattern.urlgroup, urlgroup); + } + else { + rpattern.urlgroup = NULL; + } + add_to_plist(rpattern, plist); } @@ -233,6 +312,7 @@ add_to_plist(pattern_item pattern, patte new->accel_type = pattern.accel_type; #endif new->case_sensitive = pattern.case_sensitive; + new->urlgroup = pattern.urlgroup; /* not sure whether we need to copy each item in the struct */ new->cpattern = pattern.cpattern; 
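Review bot: In the `regex`/`regexi` switch, `case 2` calls `strcpy(repurl, "")` while `repurl` still points at the string literal it was initialised with (`char * repurl = "";` in the declarations hunk of this patch), so every rule without a replacement writes into a literal, which is undefined behaviour and typically a crash while the rules file is loaded. The copy is unnecessary because `repurl` already is the empty string; replace the line with `repurl = "";` or drop it. Separately, the `default:` and `else` error branches set `echo_mode = 1` but do not return, so execution continues to `regcomp()` with `rgxurl` still empty; adding `return;` after each `echo_mode = 1;` there matches the other error paths in this function. The function starts and ends outside this hunk.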
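Review bot: The new `rpattern.urlgroup` allocation is handed to the list by `new->urlgroup = pattern.urlgroup;` in the add_to_plist hunk, but nothing in this patch releases it, since `plist_destroy` appears only as unchanged context. If plist_destroy frees `pattern` and `replacement` per node (its body is not visible here), it needs a matching free of the node's `urlgroup`, otherwise every HUP-triggered reload leaks those strings. The allocation-failure `return` in this hunk likewise leaves the already allocated `rpattern.pattern`, `rpattern.replacement` and the compiled regex unreleased; a `regfree(&compiled)` plus the two `free()` calls before returning would close that path.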
@@ -268,6 +348,42 @@ int count_parenthesis (char *pattern) return (lcount); } +#ifdef DEBUG +void +print_plist(pattern_item **plist) { + pattern_item *curr; + pattern_item *new; + + curr = NULL; + new = NULL; + int count = 0; + + if (! (*plist)) { + /* empty list */ + printf("empty list\n"); + } else { + /* find end of list */ + curr = *plist; + while(curr) { + printf("rule %d\n", count); + switch( curr->type ) + { + case 1 : printf( "\tnormal\n" ); break; + case 2 : printf( "\textended\n" ); break; + case 3 : printf( "\tabort\n" ); break; + } + printf("\tpattern \"%s\"\n", curr->pattern ); + printf("\treplacement \"%s\"\n", curr->replacement ); + printf("\turlgroup \"%s\"\n", curr->urlgroup ); + curr = curr->next; + count++; + printf("\n"); + } + } +} +#endif + + void plist_destroy(pattern_item **a) { --- a/pattern_list.h +++ b/pattern_list.h @@ -39,6 +39,7 @@ typedef struct _pattern_item { char *pattern; char *replacement; + char *urlgroup; int case_sensitive; int type; #ifdef USE_ACCEL --- a/rewrite.c +++ b/rewrite.c 
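Review bot: `print_plist` passes `curr->urlgroup` straight to `%s`, but add_to_patterns sets `rpattern.urlgroup = NULL` for every rule without a urlgroup, and a null pointer for `%s` is undefined behaviour; print a placeholder instead, `printf("\turlgroup \"%s\"\n", curr->urlgroup ? curr->urlgroup : "(none)");`. The `switch` hard-codes 1, 2 and 3 where the rest of the file uses the names `NORMAL`, `EXTENDED` and `ABORT`; using the names keeps the dump correct if the values ever change, and a `default:` case would show unexpected types. The local `new` is assigned and never used, and `int count = 0;` is declared after statements, unlike the rest of the function.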
@@ -61,52 +61,72 @@ static int match_accel(char *, char *, i int parse_buff(char *buff, char **url, char **src_addr, char **ident, - char **method, ip_acl *ip, pattern_item *p) + char **method, char **urlgroup, ip_acl *ip, pattern_item *p) + //char **method, ip_acl *ip, pattern_item *p) { int c, i; struct in_addr address; char *token, *new_token; - char *end[4]; + char *end[5]; + //char **urlgroup; c = 0; + *urlgroup = '\0'; + token = strchr(buff,' '); if ( token ) { /* URL */ c++; *token = '\0'; end[0] = token; *url = buff; + new_token = strchr(++token,' '); if (new_token) { /* Address */ c++; *new_token = '\0'; end[1] = new_token; *src_addr = token; + token = strchr(++new_token,' '); if (token) { /* Ident */ c++; *token = '\0'; end[2] = token; *ident = new_token; - new_token = strchr(++token,'\n'); + + /* this might be the last token, check for a space + or a newline */ + if (!( new_token = strchr(++token,' '))) + new_token = strchr(token,'\n'); if (new_token) { /* Method */ c++; *new_token = '\0'; end[3] = new_token; *method = token; - /* Squid 2.6 adds Url-group, - this should make jesred backwards-compatible */ - new_token = strchr(token,' '); - if (new_token) - { - *new_token = '\0'; - end[3] = new_token; - } + + /* this will be the last token, stop at a space or newline + to avoid spaces in urlgroup. maybe be too rare to + waste a test on */ + if (!( token = strchr(++new_token,' '))) + token = strchr(new_token,'\n'); + if (token) { /* urlgroup */ + c++; + *token = '\0'; + end[4] = token; + /* squid sends "-" as indicator for no urlgroup */ + if (strcmp(new_token,"-")) + *urlgroup = new_token; } } + + } } } - if(c != 4) { + + /* 4 pre 2.6 or no urlgroup + 5 post 2.6 with a urlgroup */ + if(( c != 5) && ( c != 4)) { for(i = 0; i < c; i++) { if ( end[i] ) *end[i] = ' '; 
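Review bot: `*urlgroup = '\0';` at the top of parse_buff assigns a character constant to a `char *`; it does yield a null pointer, but it reads like terminating a string, and pattern_compare later tests the pointer with `!urlgroup`, so write `*urlgroup = NULL;`. The commented-out lines `//char **method, ip_acl *ip, pattern_item *p)` and `//char **urlgroup;` should be removed rather than committed. A short comment on the signature saying that `*urlgroup` is NULL when squid sent no urlgroup or sent `-` would document the contract that callers rely on. The function body continues outside the hunk.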
@@ -114,6 +134,9 @@ parse_buff(char *buff, char **url, char mylog(ERROR, "incorrect input (%d): %s", c, buff); return 1; } + + + #ifdef DEBUG mylog(DEBG, "Request: %s %s %s %s\n", *url, *src_addr, *ident, *method); #endif @@ -159,7 +182,7 @@ parse_buff(char *buff, char **url, char < 0 if abort pattern match, 0 if no match found, > 1 pattern match if match, the number of the matching rule will be returned */ int -pattern_compare(char *url,char *newurl, pattern_item *phead) +pattern_compare(char *url, char *urlgroup, char *newurl, pattern_item *phead) { pattern_item *curr; int pos; @@ -173,6 +196,16 @@ pattern_compare(char *url,char *newurl, pattern_no++; matched = 1; /* assume a match until a character isn't the same */ + + /* urlgroup is checked ONLY IF the rule has one */ + if (curr->urlgroup) { + if (!urlgroup || strcmp(curr->urlgroup, urlgroup) != 0) + { + matched = 0; + continue; + } + } + if(curr->type == ABORT) { len = strlen(curr->pattern); pos = strlen(url) - len; /* this is dangerous */ --- a/rewrite.h +++ b/rewrite.h @@ -28,7 +28,7 @@ #ifndef REWRITE_H #define REWRITE_H -extern int parse_buff(char *, char **, char **, char **, char **, +extern int parse_buff(char *, char **, char **, char **, char **, char **, ip_acl *, pattern_item *); #endif debian/patches/01-logfix0000644000000000000000000000073512215322107012246 0ustar Author: Alexander Zangerl Subject: #487976 fix logging safety --- a/log.c +++ b/log.c 
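Review bot: The contract comment above pattern_compare is not updated for the new `urlgroup` parameter, and the behaviour is not obvious: a rule without a urlgroup matches requests of any urlgroup, while a rule that names one needs an exact, case-sensitive `strcmp` match and never matches when the request carries none. I would add to that comment `urlgroup may be NULL; rules that name a urlgroup are skipped unless it is equal (strcmp)`. In the new block, `matched = 0;` directly before `continue;` has no effect as far as this hunk shows and can go, and the parameter could be `const char *` since it is only compared. The loop header is outside the hunk, so confirm that `continue` still advances `curr`.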
@@ -71,7 +71,8 @@ log(log_code c, char *format, ...) { struct timeval current_time; va_start(args, format); - if(vsprintf(msg, format, args) > (BUFSIZE - 1)) { + /* Use a safe printf function*/ + if(vsnprintf(msg, BUFSIZE, format, args) > (BUFSIZE - 1)) { /* string is longer than the maximum buffer we specified, so just return */ return; debian/patches/series0000644000000000000000000000015112221167715012033 0ustar 01-extregex 01-logfix 01-old-debdiffs 02-warnings 03-allredir 04-urlgroup 05-squid3 06-hardening 07-ipv6 debian/patches/07-ipv60000644000000000000000000001545712221717674011675 0ustar --- a/ip_list.c +++ b/ip_list.c 
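Review bot: With `vsnprintf` the buffer can no longer overflow, yet the kept branch still returns when the formatted text exceeds `BUFSIZE - 1`, so an over-long message (for example one carrying a very long request URL) is dropped from the log instead of being recorded truncated. That early `return` also leaves the function without `va_end(args)`, and a negative return from `vsnprintf` is not handled. I would keep the truncated text and bail out only on error: `if(vsnprintf(msg, BUFSIZE, format, args) < 0) { va_end(args); return; }`. The rest of the function is outside the hunk.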
@@ -106,76 +106,115 @@ # include #endif -#include -#include +#include + +#include +#include #include "ip_list.h" #include "util.h" #include "log.h" -static int ip_acl_match(struct in_addr c, const ip_acl *a); - - -static int -ip_acl_match(struct in_addr c, const ip_acl *a) -{ - static struct in_addr h; - - h.s_addr = c.s_addr & a->mask.s_addr; - if (h.s_addr == a->addr.s_addr) - return 1; - else - return 0; -} - ip_access_type -ip_access_check(struct in_addr address, const ip_acl *list) +ip_access_check(int afamily, const void *address, const ip_acl *list) { const ip_acl *p = NULL; - /* address ... network byte-order IP addr */ - + struct in_addr h; + ip_access_type response=IP_DENY; + int i; #ifdef DEBUG - if (!list) { - mylog(DEBG, "ACL: denied %s\n", inet_ntoa(address)); - return IP_DENY; - } - for (p = list; p; p = p->next) { - if (ip_acl_match(address, p)) { - mylog(DEBG, "ACL: %s %s\n", p->access==IP_DENY ? "denied" : "allowed", - inet_ntoa(address)); - return p->access; - } - } - mylog(DEBG, "ACL: denied %s\n", inet_ntoa(address)); - return IP_DENY; -#else - if (!list) - return IP_DENY; - for (p = list; p; p = p->next) { - if (ip_acl_match(address, p)) - return p->access; + char addrbuffer[INET6_ADDRSTRLEN]; + + if (!inet_ntop(afamily,address,addrbuffer,sizeof(addrbuffer))) + addrbuffer[0]=0; +#endif + + if (list) + { + for (p = list; p; p = p->next) + { + if (p->af!=afamily) + continue; + if (p->af==AF_INET) + { + h.s_addr = ((struct in_addr *)address)->s_addr & p->mask.s_addr; + if (h.s_addr == p->addr.s_addr) + { + response=p->access; + break; + } + } + else if (p->af==AF_INET6) + { + int equal=1; + /* apply mask and compare byte-wise*/ + for (i=0;iaddr6.s6_addr);++i) + { + if (p->addr6.s6_addr[i] != + (((struct in6_addr *)address)->s6_addr[i] & p->mask6.s6_addr[i])) + { + equal=0; + break; + } + } + if (equal) + { + response=p->access; + break; + } + } + } } - return IP_DENY; +#ifdef DEBUG + mylog(DEBG, "ACL: %s %s\n", + response==IP_DENY ? 
"denied":"allowed", + addrbuffer); #endif + return response; } void addToIPACL(ip_acl **list, const char *ip_str) { ip_acl *p, *q; - int a1, a2, a3, a4, m1; - struct in_addr lmask; - int inv = 0; - int c; + int inv=0, masklen; + char *masklenp; + int family,i; if (!ip_str) { return; } + + /* decode ip address */ + if (*ip_str == '!') { + ip_str++; + inv++; + } + /* ipv6 or v4? */ + family=strchr(ip_str,':')?AF_INET6:AF_INET; + /* where's the mask length? */ + masklenp=strchr(ip_str,'/'); + if (!masklenp) + { + mylog(ERROR, "Ignoring invalid IP acl line '%s': no mask len\n",ip_str); + return; + } + *masklenp=0; + masklen=atoi(++masklenp); + if (masklen<0 || (family==AF_INET6 && masklen>128) + || (family==AF_INET && masklen>32)) + { + mylog(ERROR, "Ignoring invalid IP acl line '%s': bad mask len\n",ip_str); + return; + } + + if (! (*list)) { /* empty list */ *list = xcalloc(1, sizeof(ip_acl)); (*list)->next = NULL; q = *list; + p=NULL; } else { /* find end of list */ p = *list; 
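Review bot: The mask length in addToIPACL is parsed with `atoi(++masklenp)`, which cannot report errors, so a line ending in `/`, `/x` or `/8abc` is accepted as length 0, 0 or 8 and a mistyped ACL entry silently becomes a different network instead of being rejected. For an access list the parse should be strict, using `strtol` with an end pointer and refusing empty or trailing input before the range test; if CleanLine can leave trailing whitespace on the token, skip that before the end-pointer test. `*masklenp=0;` also writes through a pointer derived from the `const char *ip_str` parameter, so the signature promises something the body does not keep. The function starts in this hunk and continues in the next one.
```c
    /* … unchanged: '!' handling, address-family detection, strchr() for '/' … */
    *masklenp=0;
    {
	char *endp;
	long parsed = strtol(masklenp + 1, &endp, 10);

	/* reject "", "x", "8abc" and out-of-range lengths alike */
	if (endp == masklenp + 1 || *endp != '\0' || parsed < 0
	    || parsed > (family==AF_INET6 ? 128 : 32))
	{
	    mylog(ERROR, "Ignoring invalid IP acl line '%s': bad mask len\n",ip_str);
	    return;
	}
	masklen = (int)parsed;
    }
    /* … unchanged: list allocation … */
```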
@@ -186,22 +225,44 @@ addToIPACL(ip_acl **list, const char *ip p->next = q; } - /* decode ip address */ - if (*ip_str == '!') { - ip_str++; - inv++; - } - a1 = a2 = a3 = a4 = 0; - c = sscanf(ip_str, "%d.%d.%d.%d/%d", &a1, &a2, &a3, &a4, &m1); - if (m1 < 0 || m1 > 32) { - mylog(ERROR, "addToIPACL: Ignoring invalid IP acl line '%s'\n", - ip_str); - return; + q->af=family; + /* now parse the address */ + if (!inet_pton(family,ip_str,(family==AF_INET?(void*)&q->addr.s_addr: + (void*)&q->addr6.s6_addr))) + { + mylog(ERROR, "Ignoring invalid IP acl line '%s'\n",ip_str); + safe_free(q); + if (p) + p->next=NULL; + else + *list=NULL; + return; } + /* let's construct the mask and fill in the remaining bits */ q->access = inv ? IP_DENY : IP_ALLOW; - q->addr.s_addr = htonl(a1 * 0x1000000 + a2 * 0x10000 + a3 * 0x100 + a4); - lmask.s_addr = m1 ? htonl(0xfffffffful << (32 - m1)) : 0; - q->mask.s_addr = lmask.s_addr; + + if (family==AF_INET) + { + q->mask.s_addr= masklen ? htonl(0xfffffffful << (32 - masklen)) : 0; + } + else + { + for (i=0;imask6.s6_addr);++i) + { + if (imask6.s6_addr[i]=0xff; + } + else if (i>masklen/8) + { + q->mask6.s6_addr[i]=0; + } + else + { + q->mask6.s6_addr[i]= 0xff&(0xff<<(8-masklen%8)); + } + } + } } void --- a/ip_list.h +++ b/ip_list.h @@ -107,13 +107,16 @@ typedef enum { typedef struct _ip_acl { struct in_addr addr; struct in_addr mask; + struct in6_addr addr6, mask6; + int af; /* address family: AF_INET or AF_INET6 */ ip_access_type access; struct _ip_acl *next; + } ip_acl; extern void ip_acl_destroy(ip_acl **); extern void addToIPACL(ip_acl **, const char *); -extern ip_access_type ip_access_check(struct in_addr, const ip_acl *); +extern ip_access_type ip_access_check(int, const void *, const ip_acl *); #endif --- a/rewrite.c +++ b/rewrite.c @@ -66,8 +66,10 @@ parse_buff(char *buff, char **url, char { int c, i; struct in_addr address; + struct in6_addr address6; char *token, *new_token; char *end[5]; + int family=AF_INET; //char **urlgroup; c = 0; 
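Review bot: The address returned by `inet_pton` is stored as written, while ip_access_check compares the masked client address against it, so an entry whose host bits are set (constructed example: `10.1.2.3/8`) can never match. For an allow entry that fails closed, but for a `!` deny entry it means the exclusion silently does not apply and a later allow line may match instead. Normalise the stored network once the mask is built, `q->addr.s_addr &= q->mask.s_addr;` for IPv4 and `q->addr6.s6_addr[i] &= q->mask6.s6_addr[i];` inside the IPv6 loop, or log and reject such lines. `inet_pton` also returns -1 on error, which `!inet_pton(...)` treats as success; testing `<= 0` is the safer form. The function starts outside this hunk.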
@@ -172,18 +174,26 @@ parse_buff(char *buff, char **url, char i.e. on 2.6 448K r-x + 40K rwx, but since it is a shared lib, it is already loaded, when squid runs - so not much waste of memory ;-) */ - if ( (address.s_addr = inet_addr(*src_addr)) == -1 ) { - mylog(ERROR, "client IP address not valid %s\n", - *src_addr ? *src_addr : ""); - if ( token ) - *token = '/'; - return 1; + if ( (address.s_addr = inet_addr(*src_addr)) == -1 ) + { + /* not ipv6, test ipv6 now */ + if (!inet_pton(AF_INET6,*src_addr,&address6.s6_addr)) + { + mylog(ERROR, "client IP address not valid %s\n", + *src_addr ? *src_addr : ""); + if ( token ) + *token = '/'; + return 1; + } + else + family=AF_INET6; } if ( token ) *token = '/'; /* make sure the IP source address matches that of the ones in our list */ - if( ip_access_check(address, ip) == IP_DENY ) { + if( ip_access_check(family,(family==AF_INET?(void*)&address: + (void*)&address6),ip) == IP_DENY ) { #ifdef DEBUG mylog(DEBG, "client IP address %s not matched\n", *src_addr); #endif debian/patches/02-warnings0000644000000000000000000002222512215322102012600 0ustar Author: Alexander Zangerl Subject: fix warnings --- a/config.c +++ b/config.c @@ -58,13 +58,13 @@ read_allow(char **file, ip_acl **list) { fd = fopen(*file, "r"); if(fd == NULL) { token = strerror(errno); - log(ERROR, "unable to open local addresses file %s: %s\n", + mylog(ERROR, "unable to open local addresses file %s: %s\n", *file ? *file : "", token); echo_mode = 1; return; } - log(INFO, "Loading IP List from %s\n",*file); + mylog(INFO, "Loading IP List from %s\n",*file); while( !echo_mode && (fgets(buff, BUFSIZE, fd) != NULL) ) { token = CleanLine(buff); if ( token == NULL ) 
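Review bot: IPv4 detection still goes through `inet_addr()`, whose `-1` error value is indistinguishable from the valid address 255.255.255.255 and which accepts shorthand and non-decimal forms that `inet_pton` refuses, so the two address families are validated by different rules before the ACL check. Trying `inet_pton(AF_INET, *src_addr, &address) == 1` first and `inet_pton(AF_INET6, *src_addr, &address6) == 1` as the fallback makes both strict and also handles the -1 return. The added comment `/* not ipv6, test ipv6 now */` should read `/* not ipv4, test ipv6 now */`. parse_buff starts and ends outside this hunk.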
@@ -177,11 +177,11 @@ read_rules(char **file, pattern_item **p if ( ! *file || (fd = fopen(*file, "rt")) == NULL ) { echo_mode = 1; token = strerror(errno); - log(ERROR, "unable to open redirect patterns file %s: %s\n", + mylog(ERROR, "unable to open redirect patterns file %s: %s\n", *file ? *file : "", token); return; } - log(INFO, "Reading Patterns from config %s\n", *file); + mylog(INFO, "Reading Patterns from config %s\n", *file); while(!echo_mode && (fgets(buff, BUFSIZE, fd) != NULL)) { --- a/ip_list.c +++ b/ip_list.c @@ -136,17 +136,17 @@ ip_access_check(struct in_addr address, #ifdef DEBUG if (!list) { - log(DEBG, "ACL: denied %s\n", inet_ntoa(address)); + mylog(DEBG, "ACL: denied %s\n", inet_ntoa(address)); return IP_DENY; } for (p = list; p; p = p->next) { if (ip_acl_match(address, p)) { - log(DEBG, "ACL: %s %s\n", p->access==IP_DENY ? "denied" : "allowed", + mylog(DEBG, "ACL: %s %s\n", p->access==IP_DENY ? "denied" : "allowed", inet_ntoa(address)); return p->access; } } - log(DEBG, "ACL: denied %s\n", inet_ntoa(address)); + mylog(DEBG, "ACL: denied %s\n", inet_ntoa(address)); return IP_DENY; #else if (!list) @@ -194,7 +194,7 @@ addToIPACL(ip_acl **list, const char *ip a1 = a2 = a3 = a4 = 0; c = sscanf(ip_str, "%d.%d.%d.%d/%d", &a1, &a2, &a3, &a4, &m1); if (m1 < 0 || m1 > 32) { - log(ERROR, "addToIPACL: Ignoring invalid IP acl line '%s'\n", + mylog(ERROR, "addToIPACL: Ignoring invalid IP acl line '%s'\n", ip_str); return; } --- a/log.c +++ b/log.c @@ -63,7 +63,7 @@ openFile(char *file) } void -log(log_code c, char *format, ...) { +mylog(log_code c, char *format, ...) { FILE *fd; char msg[BUFSIZE]; --- a/log.h +++ b/log.h @@ -30,7 +30,7 @@ typedef enum { INFO } log_code; -extern void log(log_code c, char *format, ...); +extern void mylog(log_code c, char *format, ...); extern void closeLogs(void); extern void openLogs(char **, char **); --- a/main.c +++ b/main.c 
@@ -96,7 +96,7 @@ int main(int argc, char **argv) int val; sig_hup = 0; - log(INFO, "Freeing up old linked lists\n"); + mylog(INFO, "Freeing up old linked lists\n"); ip_acl_destroy(&ip_list); plist_destroy(&pattern_list); closeLogs(); @@ -107,8 +107,8 @@ int main(int argc, char **argv) read_rules(&f_rules, &pattern_list); if(echo_mode) - log(ERROR, "Invalid condition - continuing in ECHO mode\n"); - log(INFO, "%s (PID %d) started\n", APPNAME, (int)getpid()); + mylog(ERROR, "Invalid condition - continuing in ECHO mode\n"); + mylog(INFO, "%s (PID %d) started\n", APPNAME, (int)getpid()); while((!sig_hup) && (fgets(buff, BUFSIZE, stdin) != NULL)){ if(echo_mode) { @@ -129,7 +129,7 @@ int main(int argc, char **argv) if(echo_mode) { puts(""); fflush(stdout); - log(ERROR, "Invalid condition - continuing in ECHO mode\n"); + mylog(ERROR, "Invalid condition - continuing in ECHO mode\n"); continue; } /* find a rule for rewriting the URL */ @@ -151,7 +151,7 @@ int main(int argc, char **argv) printf("%s %s %s %s\n", redirect_url, src_addr, ident, method); fflush(stdout); - log(MATCH, "%s %s %s %d\n", src_addr, url, redirect_url, + mylog(MATCH, "%s %s %s %d\n", src_addr, url, redirect_url, val); } } --- a/pattern_list.c +++ b/pattern_list.c @@ -79,7 +79,7 @@ add_to_patterns(char *pattern, pattern_i stored = sscanf(pattern, "%s %s %s", type, first, second); #endif if((stored < 2) || (stored > 4)) { - log(ERROR, "unable to get a pair of patterns in add_to_patterns() " + mylog(ERROR, "unable to get a pair of patterns in add_to_patterns() " "for [%s]\n", pattern); echo_mode = 1; return; 
@@ -99,21 +99,21 @@ add_to_patterns(char *pattern, pattern_i } if(regcomp(&compiled, first, regex_flags)) { - log(ERROR, "Invalid regex [%s] in pattern file\n", first); + mylog(ERROR, "Invalid regex [%s] in pattern file\n", first); echo_mode = 1; return; } rpattern.cpattern = compiled; rpattern.pattern = (char *)malloc(sizeof(char) * (strlen(first) +1)); if(rpattern.pattern == NULL) { - log(ERROR, "unable to allocate memory in add_to_patterns()\n"); + mylog(ERROR, "unable to allocate memory in add_to_patterns()\n"); echo_mode = 1; return; } strcpy(rpattern.pattern, first); rpattern.replacement = (char *)malloc(sizeof(char) * (strlen(second) +1)); if(rpattern.replacement == NULL) { - log(ERROR, "unable to allocate memory in add_to_patterns()\n"); + mylog(ERROR, "unable to allocate memory in add_to_patterns()\n"); echo_mode = 1; return; } @@ -126,7 +126,7 @@ add_to_patterns(char *pattern, pattern_i rpattern.accel = get_accel(accel, &rpattern.accel_type, rpattern.case_sensitive); if(rpattern.accel == NULL) { - log(ERROR, "unable to allocate memory from get_accel()\n"); + mylog(ERROR, "unable to allocate memory from get_accel()\n"); echo_mode = 1; return; } @@ -219,7 +219,7 @@ add_to_plist(pattern_item pattern, patte curr->next = new; } if(! new) { - log(ERROR, "unable to allocate memory in add_to_plist()\n"); + mylog(ERROR, "unable to allocate memory in add_to_plist()\n"); /* exit(3); */ echo_mode = 1; return; --- a/rewrite.c +++ b/rewrite.c @@ -111,11 +111,11 @@ parse_buff(char *buff, char **url, char if ( end[i] ) *end[i] = ' '; } - log(ERROR, "incorrect input (%d): %s", c, buff); + mylog(ERROR, "incorrect input (%d): %s", c, buff); return 1; } #ifdef DEBUG - log(DEBG, "Request: %s %s %s %s\n", *url, *src_addr, *ident, *method); + mylog(DEBG, "Request: %s %s %s %s\n", *url, *src_addr, *ident, *method); #endif /* all methods must be GET or ICP_QUERY */ 
@@ -130,14 +130,14 @@ parse_buff(char *buff, char **url, char if ( end[c] ) *end[c] = ' '; } - log(DEBG, "method not \"GET\" %s\n", buff); + mylog(DEBG, "method not \"GET\" %s\n", buff); #endif return 1; } /* URL with less than 7 char is invalid */ if(strlen(*url) <= 7) { - log(ERROR, "strlen url to short (%d)\n", strlen(*url)); + mylog(ERROR, "strlen url to short (%d)\n", strlen(*url)); return 1; } @@ -150,7 +150,7 @@ parse_buff(char *buff, char **url, char it is already loaded, when squid runs - so not much waste of memory ;-) */ if ( (address.s_addr = inet_addr(*src_addr)) == -1 ) { - log(ERROR, "client IP address not valid %s\n", + mylog(ERROR, "client IP address not valid %s\n", *src_addr ? *src_addr : ""); if ( token ) *token = '/'; @@ -162,7 +162,7 @@ parse_buff(char *buff, char **url, char /* make sure the IP source address matches that of the ones in our list */ if( ip_access_check(address, ip) == IP_DENY ) { #ifdef DEBUG - log(DEBG, "client IP address %s not matched\n", *src_addr); + mylog(DEBG, "client IP address %s not matched\n", *src_addr); #endif return 1; } @@ -199,7 +199,7 @@ pattern_compare(char *url,char *newurl, } if(matched) { #ifdef DEBUG - log(DEBG, "abort pattern matched: %s (rule %d)\n", + mylog(DEBG, "abort pattern matched: %s (rule %d)\n", url, pattern_no); #endif return (0 - pattern_no); /* URL matches abort file extension */ @@ -215,7 +215,7 @@ pattern_compare(char *url,char *newurl, curr->accel_type, curr->case_sensitive)) { #ifdef DEBUG - log(DEBG, "URL %s matches accelerator %s (rule %d)\n", + mylog(DEBG, "URL %s matches accelerator %s (rule %d)\n", url, curr->accel, pattern_no); #endif /* Now we must test for normal or extended */ --- a/util.c +++ b/util.c @@ -100,6 +100,7 @@ #include #include #include +#include #include "util.h" #include "log.h" 
@@ -109,7 +110,7 @@ void HUPhandler(int kill) { sig_hup = 1; - log(ERROR, "HUP received. Reconfiguring....\n"); + mylog(ERROR, "HUP received. Reconfiguring....\n"); signal(SIGHUP, HUPhandler); } @@ -117,7 +118,7 @@ void KILLhandler(int kill) { sig_hup = 1; - log(ERROR, "KILL received. Shutting down....\n"); + mylog(ERROR, "KILL received. Shutting down....\n"); closeLogs(); exit(1); } @@ -150,7 +151,7 @@ savestr(const char *str) save = (char *)malloc(strlen(str) + 1); if ( save == NULL ) { perror("Problems allocating memory for a string:"); - log(ERROR,"Problems allocating memory for \"%s\"",str); + mylog(ERROR,"Problems allocating memory for \"%s\"",str); } else { strcpy(save, str); debian/patches/06-hardening0000644000000000000000000000072212215322062012716 0ustar Description: fix compilation infrastructure to allow hardening options Author: Alexander Zangerl --- a/Makefile +++ b/Makefile @@ -5,7 +5,6 @@ CC=gcc INCLUDE = -I. -LDFLAGS = #LDFLAGS = -pg -lc_p # Compiler Options @@ -70,7 +69,7 @@ OBJS = \ CFILES = $(patsubst %.o,%.c,$(OBJS)) PROGS = jesred -CFLAGS = $(AC_CFLAGS) $(INCLUDE) +CFLAGS += $(AC_CFLAGS) $(INCLUDE) LIBS = -L. $(XTRA_LIBS) .SUFFIXES: .o debian/patches/01-old-debdiffs0000644000000000000000000003065312215322104013277 0ustar Author: Alexander Zangerl Subject: properly integrate ancient patches that lingered in the debian diff --- a/Makefile +++ b/Makefile 
@@ -2,21 +2,25 @@ # HINT: If you want to run the program on an UltraSPARC driven machine, # I recommend to use Sun C-Compiler >= 4.0 or gcc >= 2.8.0 with # optimization level >= 4 for best performance. -CC=cc +CC=gcc INCLUDE = -I. LDFLAGS = +#LDFLAGS = -pg -lc_p # Compiler Options -AC_CFLAGS = -xO5 -mr -s -xcrossfile #-g -xsb # SUN cc >= 4.0 +#AC_CFLAGS = -xO5 -mr -s -xcrossfile #-g -xsb # SUN cc >= 4.0 #AC_CFLAGS = -O3 -s # SGI cc, AIX cc #AC_CFLAGS = -O5 -s # GNU cc +AC_CFLAGS = -O3 -g -DLINUX -Wall +#AC_CFLAGS = -O3 -g -pg -DLINUX -Wall # extra Libraries ( we need this for inet_addr(char *) only ) -XTRA_LIBS = -lnsl # Solaris 2.x +#XTRA_LIBS = -lnsl # Solaris 2.x #XTRA_LIBS = # AIX 4.2, Linux 2.x.x, IRIX 5.x, 6.x +XTRA_LIBS = # if you want to have the option, to enable debug message logging, # uncomment the following line, but beware: This DECREASES THE PERFORMANCE @@ -49,7 +53,7 @@ XTRA_LIBS = -lnsl # Solaris 2.x # If jesred is compiled without -DUSE_ACCEL the ACCEL strings in the # redirect rules are ignored, if there are some. # -# DEFS = -DUSE_ACCEL +#DEFS = -DUSE_ACCEL # That's it - no further changes should be necessary ;-) # =========================================================================== --- a/config.c +++ b/config.c @@ -22,6 +22,7 @@ */ #include +#include #include #include #include @@ -52,7 +53,7 @@ read_allow(char **file, ip_acl **list) { FILE *fd; char *token = NULL; char buff[BUFSIZE]; - struct in_addr addr; +/* struct in_addr addr; */ fd = fopen(*file, "r"); if(fd == NULL) { --- a/etc/jesred.conf +++ b/etc/jesred.conf 
@@ -1,17 +1,18 @@ # file with IP addresses, for which URL rewriting is [not] allowed -allow = /local/squid/etc/redirect.acl +allow = /etc/jesred.acl # file with rules for URL rewriting -rules = /local/squid/etc/redirect.rules +rules = /etc/jesred.rules +#rules = /usr/share/doc/jesred/jesred.bofh.rules # log file for general, error and debug messages (empty value or commenting # this out disables logging) -redirect_log = /local/squid/logs/redirect.log +redirect_log = /var/log/squid/jesred-redirect.log # log file for URL rewrites (empty value or commenting this out disables # logging of URL rewrites) # Log file format: Timestamp Client/Ident URL RURL NO -rewrite_log = /local/squid/logs/rewrite.log +# rewrite_log = /var/log/squid/jesred-rewrite.log # Debug mode: if set to yes and DEBUG option was compiled in, this enables # debug logging to redirect_log --- a/etc/redirect.acl +++ b/etc/redirect.acl @@ -19,12 +19,14 @@ # If the client IP address matches an entry below, rewrite rules # are applied immediately (i.e. no further checks for other IP access # pattern matches will be done). -# -# These are my children caches which have their own redirectors running -!141.44.251.15/32 -!149.203.102.1/32 +# These are example children caches which have their own redirectors running +# !141.44.251.15/32 +# !149.203.102.1/32 # rewrite all URLs from -141.44.0.0/16 -149.203.0.0/16 -193.175.28.0/24 +# 141.44.0.0/16 +# 149.203.0.0/16 +# 193.175.28.0/24 + +# Uncomment the following to rewrite all URLs from all sources: +# 0.0.0.0/0 --- a/etc/redirect.rules +++ b/etc/redirect.rules 
@@ -1,60 +1,44 @@ -# Example: redirector rules +# jesred example redirector rules +# this rules file does NOT redirect any URLs. +# after uncommenting/adding rules you need to either reload squid or send jesred a HUP signal. -# since jesred uses exactly the same pattern functions as squirm 1.0 betaB, -# you can also find detailed information about this file on: -# http://www.senet.com.au/squirm/#squirm_patterns - -############################################################################# -# Since jesred uses a linear list of redirect rules, the order of the rules # -# in this file is important!!! # -############################################################################# +# Syntax: +# +# regex|regexi pattern replacement +# +# or +# +# abort .filename_extension -# TAG: abort string +# jesred uses a linear list of redirect rules and terminates on first match, +# so the order of rules is important! + +# abort string: # # If jesred enconters the specified string at the end # of the passed URL, it immediately returns and echo's back a newline (i.e. -# no rewrite) - so this speeds up the lookup process a lot! -# such rules are referred as ABORT rules +# no rewrite) - so this speeds up the lookup process a lot for commonly +# accepted URLs. -# rule 1 - 7 -abort .html -abort .jpg -abort .html -abort .shtml -abort .java -abort .jar -abort .htm +# examples: +# abort .html +# abort .jpg +# abort .html +# abort .shtml +# abort .java +# abort .jar +# abort .htm -# TAG: regex RE [RURL [ACCEL]] -# TAG: regexi RE [RURL [ACCEL]] -# -# ACCEL is honored only, if you compiled jesred with the switch -DUSE_ACCEL +# regex RE [RURL] +# regexi RE [RURL] # # regex ... indicates, that the following RE is case-sensitive # regexi ... indicates, that the following RE is case-insensitive # RE ... 
is the regular expression, which has to match the passed URL to get -# rewritten with the following RURL (it is only limited by the -# implementation of the used regex functions - so see the man page -# for the regex functions you compiled jesred with, to get detailed -# information on supported RE's) +# rewritten with the following RURL (see regex(7)). # RURL ... if RE matches the passed URL, jesred returns RURL -# ACCEL ... a string, which -# starts with a '^' if the string after the '^' is NOT completely -# the same as the passed URL starts with -# OR (except when case-insensitive) no egexc with -# RE and the passed URL (relative expensive) will -# be called, since the RE wouldn't match the -# pased URL - i.e. no match -# ends with a '$' if the passed URL does NOT end exactly with the -# string before the '$' (expcept case-insensitive) -# OR , no egexc with with RE and the passed URL -# will be called - i.e. no match -# is plain text if accelerator string does not occur in the URL, -# no regexc with RE and the passed URL will be -# called - i.e. no match -# -#------------------------------------------------------------------------------ -# If RURL and ACCEL are omitted, all URLs which match RE, are NOT rewritten. + +# If RURL is omitted, all URLs which match RE are NOT rewritten. # So the following two rules prevent jesred from rewriting matched URLs, but # with the 2nd rule jesred does NOT need to store the RURL (thus consuming # less memory) and does NOT need to do all the pattern replacements (faster)... 
@@ -63,31 +47,19 @@ abort .htm # # NO_REDIRECT rule # regex ^http://(.*)/ads/minizoff(.*) -#------------------------------------------------------------------------------ -# -# I recommend to use the "accelerators" '^' and '$' in REs whereever it is -# possible, since this speeds up the pattern matching a lot! -#------------------------------------------------------------------------------ - -# rule 8 - 9 -regex ^http://199.78.52.10/~web_ani/.*\.gif http://141.44.30.2/images/dot.gif ^http://199.78.52.10/~web_ani/ -abort .gif - -# rule 10 - 17 -regexi ^http://ad.doubleclick.net/ad/.* http://141.44.30.2/images/dot.gif ^http://ad.doubleclick.net/ad/ -regex ^http://ad.preferences.com/image.* http://141.44.30.2/images/dot.gif ^http://ad.preferences.com/image -regex ^http://ads[0-9][0-9].focalink.com/SmartBanner/nph-graphic.* http://141.44.30.2/images/dot.gif -regex ^http://adserver.developer.com/cgi-bin/accipiter/adserver.exe.* http://141.44.30.2/images/dot.gif http://adserver.developer.com/cgi-bin/accipiter/adserver.exe -regex ^http://tracker.clicktrade.com/Tracker.* http://141.44.30.2/images/dot.gif http://tracker.clicktrade.com/Tracker -regex ^http://adforce.imgis.com/?adserv.* http://141.44.30.2/images/dot.gif ^http://adforce.imgis.com/?adserv -regex ^http://195.90.252.40/banner.* http://141.44.30.2/images/dot.gif ^http://195.90.252.40/banner -regex ^http://www.artuframe.com/partners/affiliates/banners.* http://141.44.30.2/images/dot.gif ^http://www.artuframe.com/partners/affiliates/banners - - -# NOTE: actually '.' in RE is any character, so if you want to be sure, -# escape the special meaning with a prefixed '\' ;-) - -# We use the IP address in the rewritten URL to get the local image cached ;-) -# BTW: You might have a look at our latest redirect.rules file for our -# parent proxy cache via -# http://www.cs.uni-magdeburg.de/proxy/filter.shtml + +# NOTE: '.' 
in RE stands for "a single character", so if you want to be sure to match only dots +# escape the special meaning with a prefixed '\' + +# regex ^http://199.78.52.10/~web_ani/.*\.gif http://141.44.30.2/images/dot.gif +# abort .gif + +# regexi ^http://ad.doubleclick.net/ad/.* http://141.44.30.2/images/dot.gif +# regex ^http://ad.preferences.com/image.* http://141.44.30.2/images/dot.gif +# regex ^http://ads[0-9][0-9].focalink.com/SmartBanner/nph-graphic.* http://141.44.30.2/images/dot.gif +# regex ^http://adserver.developer.com/cgi-bin/accipiter/adserver.exe.* http://141.44.30.2/images/dot.gif +# regex ^http://tracker.clicktrade.com/Tracker.* http://141.44.30.2/images/dot.gif +# regex ^http://adforce.imgis.com/?adserv.* http://141.44.30.2/images/dot.gif +# regex ^http://195.90.252.40/banner.* http://141.44.30.2/images/dot.gif +# regex ^http://www.artuframe.com/partners/affiliates/banners.* http://141.44.30.2/images/dot.gif + --- a/ip_list.c +++ b/ip_list.c @@ -101,6 +101,11 @@ # include #endif /* __FreeBSD__ */ +#ifdef LINUX +# include +# include +#endif + #include #include --- a/main.c +++ b/main.c @@ -29,6 +29,10 @@ #include #include +#ifdef LINUX +#include +#endif + #ifdef LOCAL_REGEX #include "regex.h" #else @@ -44,6 +48,8 @@ #include "version.h" #include "rewrite.h" +extern int pattern_compare(); /* from rewrite.c */ + static void Usage (void); static void GetOptions(int argc, char *argv[]); @@ -66,7 +72,7 @@ int main(int argc, char **argv) char *f_redirect = NULL; - int first_run = 1; +/* int first_run = 1; */ char buff[BUFSIZE]; char redirect_url[BUFSIZE]; char *url, *src_addr, *ident, *method; --- a/path.h +++ b/path.h @@ -7,6 +7,6 @@ /* change this to the path, which contains your jesred.conf */ -#define DEFAULT_PATH "/local/squid/etc" +#define DEFAULT_PATH "/etc" #endif --- a/pattern_list.c +++ b/pattern_list.c 
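Review bot: `extern int pattern_compare(); /* from rewrite.c */` in the main.c hunk declares the function with an empty parameter list, so the compiler cannot check the arguments passed at the call site. The rewrite.c hunk further down does the same with `extern int count_parenthesis();`. main.c already includes rewrite.h, so the full prototype of `pattern_compare` belongs in that header instead of a local extern. Likewise `int count_parenthesis(char *pattern);`, which the pattern_list.c hunk adds to the .c file, would be better placed in pattern_list.h, where rewrite.c can include it.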
@@ -24,8 +24,14 @@ */ #include +#include +#include #include +#ifdef LINUX +#include /* for tolower() */ +#endif + #ifdef LOCAL_REGEX #include "regex.h" #else @@ -37,6 +43,8 @@ #include "util.h" #include "pattern_list.h" +int count_parenthesis (char *pattern); + void add_to_plist(pattern_item, pattern_item **); #ifdef USE_ACCEL char * get_accel(char *, int *, int); --- a/rewrite.c +++ b/rewrite.c @@ -26,7 +26,11 @@ */ #include +#ifdef LINUX +#include +#else #include +#endif #include #include #include @@ -45,6 +49,8 @@ #include "rewrite.h" #include "main.h" +extern int count_parenthesis(); /* from pattern_list.c */ + /* load the stdin for the redirector into an IN_BUFF structure Sets in_buff.url to "" if the fields can't be converted */ @@ -82,11 +88,20 @@ parse_buff(char *buff, char **url, char end[2] = token; *ident = new_token; new_token = strchr(++token,'\n'); - if (new_token) { + if (new_token) { /* Method */ c++; *new_token = '\0'; end[3] = new_token; *method = token; + /* Squid 2.6 adds Url-group, + this should make jesred backwards-compatible */ + new_token = strchr(token,' '); + if (new_token) + { + *new_token = '\0'; + end[3] = new_token; + } + } } } @@ -242,7 +257,7 @@ pattern_compare(char *url,char *newurl, int replace_string (pattern_item *curr, char *url, char *buffer) { - char *replacement_string = NULL; +/* char *replacement_string = NULL; */ regmatch_t match_data[10]; int parenthesis; char *in_ptr; debian/patches/03-allredir0000644000000000000000000000143312215322100012543 0ustar Author: Alexander Zangerl Subject: #487978 redir any method, not just GET --- a/rewrite.c +++ b/rewrite.c 
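Review bot: The block added to `parse_buff` in the rewrite.c hunk reuses `new_token` and overwrites `end[3]`, which a few lines earlier recorded the newline position, without saying that this is intended. The comment only says the change "should make jesred backwards-compatible"; it does not say that everything after the first space following the method is cut off and ignored. I would replace it with `/* cut the method at the first space; the urlgroup and anything after it are dropped, and end[3] now marks that space */`. `parse_buff` begins and ends outside this hunk, so how `end[]` is used later should be checked against the full function.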
@@ -118,22 +118,8 @@ parse_buff(char *buff, char **url, char mylog(DEBG, "Request: %s %s %s %s\n", *url, *src_addr, *ident, *method); #endif - /* all methods must be GET or ICP_QUERY */ - c = 0; - if (allow_siblings && (! strcmp(*method, "ICP_QUERY")) ) - c--; - if( strcmp(*method, "GET") ) - c++; - if ( c ) { -#ifdef DEBUG - for(c = 0; c < 4; c++) { - if ( end[c] ) - *end[c] = ' '; - } - mylog(DEBG, "method not \"GET\" %s\n", buff); -#endif - return 1; - } + /* forward all methods */ + /* removed restriction to GET or ICP_QUERY */ /* URL with less than 7 char is invalid */ if(strlen(*url) <= 7) { debian/changelog0000644000000000000000000001211112221720147011032 0ustar jesred (1.2pl1-19) unstable; urgency=low * added support for ipv6 (closes: #714819) -- Alexander Zangerl Sun, 29 Sep 2013 13:37:11 +1000 jesred (1.2pl1-18) unstable; urgency=low * lifted standards version, dh compat version * migrated to 3.0 quilt source format (closes: #671645) * enabled hardening build options * removed very old example files, updated README.Debian -- Alexander Zangerl Sun, 15 Sep 2013 21:38:30 +1000 jesred (1.2pl1-17) unstable; urgency=low * integrated some old, overlooked patches from the debian diff. * lifted standards version -- Alexander Zangerl Mon, 20 Sep 2010 19:22:09 +1000 jesred (1.2pl1-16) unstable; urgency=high * fix for rewriter message format changes in squid 3 (closes: #505199) * amended the urlgroup matching: now urlgroups are compared IFF a rule explicitely says to (like the docs state). -- Alexander Zangerl Tue, 11 Nov 2008 10:03:01 +1000 jesred (1.2pl1-15) unstable; urgency=high * reworked patch for urlgroup matching: didn't recognize squid telling us "no urlgroup" and hence wouldn't match. 
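Review bot: The two comments added in place of the method check describe the history of the change rather than what the code now does: every request method, including ones that carry a body and `CONNECT`, goes through the rewrite rules. A single comment such as `/* no method filtering: rewrite rules apply to every request method, not only GET */` would state this, and the example rules file should mention it so administrators write patterns with that in mind. The removed block was the only visible reader of `allow_siblings` in this hunk, so that option may now have no effect. `c` is also no longer reset to 0 before the code that follows. `parse_buff` continues outside the hunk, so both points need checking against the rest of the function.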
-- Alexander Zangerl Sat, 28 Jun 2008 16:13:52 +1000 jesred (1.2pl1-14) unstable; urgency=low * incorporated fixes and contributions by Nathan Rickerby (thanks!): use vsnprintf to not segfault (closes: #487976) remove method restriction (closes: #487978) add support for urlgroup matching and returning (closes: #487980) * lifted standards version -- Alexander Zangerl Fri, 27 Jun 2008 13:11:39 +1000 jesred (1.2pl1-13) unstable; urgency=low * added squid3 as alternative squid-provider (closes: #446721) -- Alexander Zangerl Mon, 15 Oct 2007 18:51:43 +1000 jesred (1.2pl1-12) unstable; urgency=low * lifted standards version, updated debhelper depencendy -- Alexander Zangerl Tue, 10 Apr 2007 18:31:12 +1000 jesred (1.2pl1-11) unstable; urgency=low * adjusted rewrite.c to understand both old and new redirector input format which squid 2.6 introduced (closes: #381984) -- Alexander Zangerl Wed, 9 Aug 2006 14:02:16 +1000 jesred (1.2pl1-10) unstable; urgency=low * a brown paper-bag release to fix the garbled build-depends (closes: #328925) -- Alexander Zangerl Sun, 18 Sep 2005 22:14:21 +1000 jesred (1.2pl1-9) unstable; urgency=low * updated standards version * switched to dpatch for debian-specific stuff * updated code to always use extended regexps (closes: #328506) * cleaned up code a bit to get rid of compiler warnings (on suggestion by Alexander Davydenko) -- Alexander Zangerl Sat, 17 Sep 2005 17:46:04 +1000 jesred (1.2pl1-8) unstable; urgency=low * updated zed's comments in the example bofh rule file (closes: #263774) * added dhttpd as minimal but explicit suggestion -- Alexander Zangerl Fri, 13 Aug 2004 18:23:34 +1000 jesred (1.2pl1-7) unstable; urgency=low * cleaned up description, added homepage. 
* lifted standards version * moved squid from recommends to depends * improved documentation (closes: #106999) -- Alexander Zangerl Thu, 11 Dec 2003 12:23:47 +1000 jesred (1.2pl1-6) unstable; urgency=low * new maintainer (closes: #194117) * cleaned up build process slightly -- Alexander Zangerl Sun, 25 May 2003 13:08:41 +1000 jesred (1.2pl1-5) unstable; urgency=low * Move sample redirect images and files into their own redir directory for easy access (closes: #146443) * Bump standards version to 3.5.10 * Orphaned. I no longer use this redirector, having moved everything over to SquidGuard a long time ago. * #include in pattern_list.c -- Zed Pobre Wed, 21 May 2003 00:09:39 -0500 jesred (1.2pl1-4) unstable; urgency=low * Been almost a year since the last BOFH ruleset update. Massive changes in this one, including a merge of a lot of individual entries into a single ad.*.com type entry. Fixed the automatic tracking avoidance rulesets as well, commented why it was broken before. * DH_COMPAT=3 (Build-Depends updated) * Standards-Version: 3.5.2 * INSTALL file removed from deb * Some unused templates removed -- Zed Pobre Sat, 24 Feb 2001 11:28:03 -0600 jesred (1.2pl1-3) unstable; urgency=low * Added sharutils to the Build-Depends (closes: #62120) * BOFH ruleset updated. * Removed the "Faster than other redirectors" line from the description, since my compiles are slow for some reason. -- Zed Pobre Mon, 10 Apr 2000 11:38:05 -0500 jesred (1.2pl1-2) unstable; urgency=medium * -DUSE_ACCEL commented out. It was causing too many problems for a marginal increase in performance. * BOFH ruleset updated. http://www.nasdaq.com should no longer have problems due to the akamaitech filters. -- Zed Pobre Sat, 25 Mar 2000 17:09:46 -0600 jesred (1.2pl1-1) unstable; urgency=low * Initial Release. 
-- Zed Pobre Mon, 20 Mar 2000 16:45:45 -0600 debian/README.Debian0000644000000000000000000000064312215324077011235 0ustar jesred for Debian ----------------- To enable jesred you have to do these things: *) add the following line to /etc/squid.conf: redirect_program /usr/lib/squid/jesred *) edit /etc/jesred.acl to activate jesred. *) fine-tune /etc/jesred.rules to suit your needs. This example rules file includes all necessary information how to build rules. -- Alexander Zangerl , Sun, 15 Sep 2013 22:29:51 +1000 debian/control0000644000000000000000000000112112215324606010565 0ustar Source: jesred Build-Depends: debhelper (>= 8.0.0), dpkg-dev (>= 1.16.1~) Section: web Priority: optional Maintainer: Alexander Zangerl Standards-Version: 3.9.4 Package: jesred Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, squid | squid3 Recommends: dhttpd | httpd Homepage: http://www.linofee.org/~elkner/webtools/jesred/ Description: Redirector for the Squid proxy Jesred is a very fast and highly configurable redirector for the Squid Internet Object Cache. Jesred needs little memory, can rewrite all HTTP request methods and offers extensive logging. debian/copyright0000644000000000000000000000261711770614760011140 0ustar This package was originally debianized by Zed Pobre on Sat, 5 Feb 2000 16:27:59 -0600. Since 25 May 2003 it is maintained by Alexander Zangerl . It was downloaded from http://www.linofee.org/~elkner/webtools/jesred/ Upstream Author: Jens Elkner for a number of the rules in the BOFH ruleset and for providing the do_nothing.js replacement script. 
Credit for the closeme.html file goes to Danny "Cloudmaster" Sauer for being the author, and again to Craig Sanders for putting it up on his redirector page at http://taz.net.au/block/ Copyright: Copyright (C) 1998 Jens Elkner (elkner@ivs.cs.uni-magdeburg.de) http://www.linofee.org/~elkner/webtools/jesred/ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. On a modern Debian system, a copy of the GPL is available under /usr/share/common-licenses/GPL. See your system documentation. debian/TODO0000644000000000000000000000006511770614760007670 0ustar * make manpage documenting the configuration options debian/compat0000644000000000000000000000000212215314367010370 0ustar 8 debian/jesred.dirs0000644000000000000000000000006012215324554011324 0ustar etc usr/lib/squid usr/share/doc/jesred/examples debian/rules0000755000000000000000000000221612221717651010253 0ustar #!/usr/bin/make -f PACKAGE=jesred DEST=$(CURDIR)/debian/$(PACKAGE) DPKG_EXPORT_BUILDFLAGS = 1 include /usr/share/dpkg/buildflags.mk # to get -D_FORTIFY_SOURCE=2 CFLAGS += $(CPPFLAGS) build-arch: build build-indep: build: build-stamp build-stamp: dh_testdir $(MAKE) touch build-stamp clean: dh_testdir dh_testroot rm -f build-stamp $(MAKE) clean dh_clean install: build dh_testdir dh_testroot dh_prep dh_installdirs install -d -m 0755 $(DEST)/etc/ $(DEST)/usr/lib/squid/ install -m 0755 jesred $(CURDIR)/debian/$(PACKAGE)/usr/lib/squid/ install -m 0644 etc/jesred.conf $(DEST)/etc install -m 0644 etc/redirect.acl $(DEST)/etc/jesred.acl install -m 0644 etc/redirect.rules $(DEST)/etc/jesred.rules install -m 
0644 etc/redirect.rules $(DEST)/usr/share/doc/$(PACKAGE)/examples/jesred.default.rules binary-arch: build install dh_testdir dh_testroot dh_installdocs -n dh_installexamples dh_installman dh_installchangelogs ChangeLog dh_strip dh_compress -Xjesred.bofh.rules dh_fixperms dh_installdeb dh_shlibdeps dh_gencontrol dh_md5sums dh_builddeb binary: binary-arch .PHONY: build clean binary-indep binary-arch binary install debian/jesred.docs0000644000000000000000000000000612215323622011306 0ustar READMEdebian/source/0000755000000000000000000000000012215314362010465 5ustar debian/source/format0000644000000000000000000000001412215314362011673 0ustar 3.0 (quilt)