Changelog:
"Release 1.5
2010-09-09 Fixed inconsistent blocking (bug 59). Replaced defined routine in sgDB.c
2010-09-08 Added Russian translation from Vladimir Ipatov to squidGuard.cgi.in.
2009-10-19 Fixed two bypass problems with URLs which length is close to the limit defined by MAX_BUF. The resulting proxy line exceeds this limit and causes either squid or squidGuard to properly block a site.
2009-10-15 Fixed a problem with very long URLs. SquidGuard will go into emergency mode when a overlong URLs are encountered. The emergency mode causes an entire stop of blocking. This is not appropriate in this situation.
2009-09-30 Added patch by beber and gentoo (thank you!) to fix a problem when cross compiling (bug 56).
2009-09-27 Added patch by gentoo to fix alocal warnings (bug 57).
2009-09-15 Added a feature to send log messages to syslog based on the patch from Jun Jiang (thank you). (bug 42) In order to use syslog you have to run configure with the new option "--with-syslog". In the configuration file you need to add a line "syslog enable". If any other value but "enable" is used syslog is disabled and logging to squidGuard.log takes place as usual. The following log level are used: DEBUG, NOTICE, WARN, ERROR and EMERG. The local4 syslog facility is used by default. If you want to change this, use the configure option "--with-syslog-facility=<facility>".
2009-09-12 Anonymized passwords (for connecting to the ldap or mysql server) written to logfiles when squidGuard is starting. Added two configure options for choosing different location for the LDAP include and library files.
2009-08-25 Added patch to check IP addresses against LDAP. Patch by Denis Bonnenfant (bug 41) - thank you.
2009-08-23 Added patch to allow quoted strings in the configuration file (bug 53). For more information see README.QuotedStrings. Thanks to Iain Fothergill for providing the patch. Removed the fix for usernames starting with a number because it breaks the time declarations.
2009-05-08 Added patch by INL to enable blocking against DNS based blacklists (bug 55). Fixed re-opened bug 12: a problem with regular expressions. An entry like "www.google.de" did not block www.google.de which it was supposed to do. Solving this issue solved bug 46 as well.
2009-03-08 Fixed bug 52: Sometimes squidGuard crashes with an overflow error message for vsprintf. Thanks to Dirk Schoebel for suggesting the proper fix. Fixed bug 49: Using numeric username made squidGuard goes into emergency mode. This has been fixed. Usernames can now start with a number, be numeric and can additionally contain the following characters: @,à,é,è,ñ,á,ì,í,ò,ó,ù,ú."
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/squidguard | 34 ++++-- .../01_squidguard-1.5-beta_db_v4_up.patch | 14 +++ .../02_squidguard-1.5-beta_helper-protocol.patch | 125 +++++++++++++++++++++ ..._squidguard-1.5-beta_remove-debug-logging.patch | 66 +++++++++++ .../04_squidguard-1.5-beta_stdout-always.patch | 76 +++++++++++++ ...ions-unused_variables-noinput_and_nounput.patch | 56 +++++++++ src/patches/squidguard/06_squidguard_version.patch | 8 ++ 7 files changed, 370 insertions(+), 9 deletions(-) create mode 100644 src/patches/squidguard/01_squidguard-1.5-beta_db_v4_up.patch create mode 100644 src/patches/squidguard/02_squidguard-1.5-beta_helper-protocol.patch create mode 100644 src/patches/squidguard/03_squidguard-1.5-beta_remove-debug-logging.patch create mode 100644 src/patches/squidguard/04_squidguard-1.5-beta_stdout-always.patch create mode 100644 src/patches/squidguard/05_squidguard-1.5-beta_fixes_htunescape-size_t-ldap_functions-unused_variables-noinput_and_nounput.patch create mode 100644 src/patches/squidguard/06_squidguard_version.patch
diff --git a/lfs/squidguard b/lfs/squidguard index a48c25cbe..e3fd0c4e4 100644 --- a/lfs/squidguard +++ b/lfs/squidguard @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2016 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 1.4.1
+VER = 1.5-beta
THISAPP = squidGuard-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 9ae7b62a63631bb2dd1f474cf2bbe4dc
+$(DL_FILE)_MD5 = 85216992d14acb29d6f345608f21f268
install : $(TARGET)
@@ -70,12 +70,28 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squidguard-1.4-squid-helper-protocol.patch - cd $(DIR_APP) && ./configure --prefix=/usr --datadir=/usr/share \ - --sysconfdir=/etc --localstatedir=/var --infodir=/usr/info --mandir=/usr/man \ + + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squidguard/01_squidguard-1.5-beta_db_v4_up.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squidguard/02_squidguard-1.5-beta_helper-protocol.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squidguard/03_squidguard-1.5-beta_remove-debug-logging.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squidguard/04_squidguard-1.5-beta_stdout-always.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squidguard/05_squidguard-1.5-beta_fixes_htunescape-size_t-ldap_functions-unused_variables-noinput_and_nounput.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squidguard/06_squidguard_version.patch + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --datadir=/usr/share \ + --sysconfdir=/etc \ + --localstatedir=/var \ + --infodir=/usr/info \ + --mandir=/usr/man \ --with-sg-config=/var/ipfire/urlfilter/squidGuard.conf \ - --with-sg-logdir=/var/log/squidGuard --with-sg-dbhome=/var/lib/squidguard \ - --with-db=/usr --with-db-inc=/usr/include --with-db-lib=/usr/lib + --with-sg-logdir=/var/log/squidGuard \ + --with-syslog=yes \ + --with-sg-dbhome=/var/lib/squidguard \ + --with-db=/usr \ + --with-db-inc=/usr/include \ + --with-db-lib=/usr/lib + cd $(DIR_APP) && make cd $(DIR_APP) && make install
@@ -91,7 +107,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chmod 755 /var/ipfire/urlfilter/bin/prebuild.pl cp -f $(DIR_CONF)/urlfilter/autoupdate.pl /var/ipfire/urlfilter/bin/autoupdate.pl chmod 755 /var/ipfire/urlfilter/bin/autoupdate.pl - echo "1.7.1" > /var/ipfire/urlfilter/version + echo "1.5-beta" > /var/ipfire/urlfilter/version # Wrapper cp -f $(DIR_CONF)/urlfilter/redirect_wrapper /usr/sbin diff --git a/src/patches/squidguard/01_squidguard-1.5-beta_db_v4_up.patch b/src/patches/squidguard/01_squidguard-1.5-beta_db_v4_up.patch new file mode 100644 index 000000000..bc50efd68 --- /dev/null +++ b/src/patches/squidguard/01_squidguard-1.5-beta_db_v4_up.patch @@ -0,0 +1,14 @@ +Make BerkeleyDB version 4.7 and higher working. + +diff -Nur a/src/sgDb.c b/src/sgDb.c +--- a/src/sgDb.c 2010-09-09 12:35:22.000000000 +0200 ++++ b/src/sgDb.c 2013-11-23 10:05:55.000000000 +0100 +@@ -112,7 +112,7 @@ + } + } + #endif +-#if DB_VERSION_MAJOR == 4 ++#if DB_VERSION_MAJOR >= 4 + if(globalUpdate || createdb || (dbfile != NULL && stat(dbfile,&st))){ + flag = DB_CREATE; + if(createdb) diff --git a/src/patches/squidguard/02_squidguard-1.5-beta_helper-protocol.patch b/src/patches/squidguard/02_squidguard-1.5-beta_helper-protocol.patch new file mode 100644 index 000000000..a2f9177f5 --- /dev/null +++ b/src/patches/squidguard/02_squidguard-1.5-beta_helper-protocol.patch 
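Review bot: In lfs/squidguard the line `echo "1.5-beta" > /var/ipfire/urlfilter/version` now writes the squidGuard release into a file that previously held `1.7.1`, a value that never matched the old `VER = 1.4.1`, so the file appears to track the URL filter's own version rather than squidGuard's. If anything compares this file to decide on updates (not visible here), going from 1.7.1 to 1.5-beta reads as a downgrade. Either keep the filter version there, or write `$(VER)` instead of a second hard-coded literal and add a comment above the line naming the component the file describes, e.g. `# version of the bundled squidGuard, read by <consumer>`. The recipe for `$(TARGET)` starts and ends outside this hunk.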
@@ -0,0 +1,125 @@
+
+From Jeffries Amos http://bugs.squid-cache.org/show_bug.cgi?id=3978#c5
+
+--- squidGuard-1.5-beta.orig/src/main.c 2013-12-12 11:47:31.000000000 +1300
++++ squidGuard-1.5-beta.orig/src/main.c 2013-12-12 11:50:38.000000000 +1300
+@@ -185,7 +185,7 @@
+ sgReloadConfig();
+ }
+ if(failsafe_mode) {
+- puts("");
++ puts("ERR message="squidGuard failsafe mode"");
+ fflush(stdout);
+ if(sig_hup){
+ sgReloadConfig();
+@@ -194,7 +194,7 @@
+ }
+ if(parseLine(buf,&squidInfo) != 1){
+ sgLogError("ERROR: Error parsing squid line: %s",buf);
+- puts("");
++ puts("BH message="squidGuard error parsing squid line"");
+ }
+ else {
+ src = Source;
+@@ -206,14 +206,14 @@
+ acl = sgAclCheckSource(src);
+ if((redirect = sgAclAccess(src,acl,&squidInfo)) == NULL){
+ if(src == NULL || src->cont_search == 0){
+- puts("");
++ puts("ERR");
+ break;
+ } else
+ if(src->next != NULL){
+ src = src->next;
+ continue;
+ } else {
+- puts("");
++ puts("ERR");
+ break;
+ }
+ } else {
+@@ -228,6 +228,10 @@
+ fprintf(stdout,"%s %s/%s %s %s\n",redirect,squidInfo.src,
+ squidInfo.srcDomain,squidInfo.ident,
+ squidInfo.method);
++ if (isdigit(redirect[0]) && isdigit(redirect[1]) && isdigit(redirect[2]) && redirect[3]==':') {
++ fprintf(stdout,"OK status=%c%c%c url="%s"\n", redirect[0], redirect[1], redirect[2], &redirect[4]);
++ } else
++ fprintf(stdout,"OK rewrite-url="%s"\n",redirect);
+ /* sgLogDebug("DEBUG: %s %s/%s %s %s\n",redirect,squidInfo.src,squidInfo.srcDomain,squidInfo.ident,squidInfo.method); */
+ break;
+ }
+--- squidGuard-1.5-beta.orig/src/main.c.in 2013-12-12 11:47:31.000000000 +1300
++++ squidGuard-1.5-beta.orig/src/main.c.in 2013-12-12 11:53:18.000000000 +1300
+@@ -185,7 +185,7 @@
+ sgReloadConfig();
+ }
+ if(failsafe_mode) {
+- puts("");
++ puts("ERR message="squidGuard failsafe mode"");
+ fflush(stdout);
+ if(sig_hup){
+ sgReloadConfig();
+@@ -194,7 +194,7 @@
+ }
+ if(parseLine(buf,&squidInfo) != 1){
+ sgLogError("ERROR: Error parsing squid line: %s",buf);
+- puts("");
++ puts("BH message="squidGuard error parsing squid line"");
+ }
+ else {
+ src = Source;
+@@ -206,14 +206,14 @@
+ acl = sgAclCheckSource(src);
+ if((redirect = sgAclAccess(src,acl,&squidInfo)) == NULL){
+ if(src == NULL || src->cont_search == 0){
+- puts("");
++ puts("ERR");
+ break;
+ } else
+ if(src->next != NULL){
+ src = src->next;
+ continue;
+ } else {
+- puts("");
++ puts("ERR");
+ break;
+ }
+ } else {
+@@ -225,9 +225,11 @@
+ squidInfo.ident[0] = '-';
+ squidInfo.ident[1] = '\0';
+ }
+- fprintf(stdout,"%s %s/%s %s %s\n",redirect,squidInfo.src,
+- squidInfo.srcDomain,squidInfo.ident,
+- squidInfo.method);
++ if (isdigit(redirect[0]) && isdigit(redirect[1]) && isdigit(redirect[2]) && redirect[3]==':') {
++ fprintf(stdout,"OK status=%c%c%c url="%s"\n", redirect[0], redirect[1], redirect[2], &redirect[4]);
++ } else
++ fprintf(stdout,"OK rewrite-url="%s"\n",redirect);
++
+ /* sgLogDebug("DEBUG: %s %s/%s %s %s\n",redirect,squidInfo.src,squidInfo.srcDomain,squidInfo.ident,squidInfo.method); */
+ break;
+ }
+--- squidGuard-1.5-beta.orig/src/sgDiv.c 2013-12-12 11:47:31.000000000 +1300
++++ squidGuard-1.5-beta.orig/src/sgDiv.c 2013-12-12 11:48:36.000000000 +1300
+@@ -782,7 +782,7 @@
+ }
+ sgLogError("ERROR: Going into emergency mode");
+ while(fgets(buf, MAX_BUF, stdin) != NULL){
+- puts("");
++ puts("ERR");
+ fflush(stdout);
+ }
+ sgLogError("ERROR: Ending emergency mode, stdin empty");
+--- squidGuard-1.5-beta.orig/src/sgDiv.c.in 2013-12-12 11:47:31.000000000 +1300
++++ squidGuard-1.5-beta.orig/src/sgDiv.c.in 2013-12-12 11:48:36.000000000 +1300
+@@ -782,7 +782,7 @@
+ }
+ sgLogError("ERROR: Going into emergency mode");
+ while(fgets(buf, MAX_BUF, stdin) != NULL){
+- puts("");
++ puts("ERR");
+ fflush(stdout);
+ }
+ sgLogError("ERROR: Ending emergency mode, stdin empty");
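Review bot: In the `src/main.c` hunk at `@@ -228,6 +228,10 @@` the legacy `fprintf(stdout,"%s %s/%s %s %s\n",...)` stays as context while the new `OK ...` reply is added after it, so that file writes two lines per request; the `src/main.c.in` hunk removes the old call, and main.c should do the same. A helper that answers one request with two lines leaves Squid pairing replies with the wrong requests, which for a URL filter means a verdict applied to the wrong URL. Separately, `redirect` is placed inside a double-quoted value without escaping, so a `"` or backslash reaching it would end the value early; how `redirect` is built is outside this patch, so confirm it is escaped or percent-encoded before it is printed. The `isdigit()` calls take a plain `char`; cast as `isdigit((unsigned char)redirect[0])` and make sure `<ctype.h>` is included.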
diff --git a/src/patches/squidguard/03_squidguard-1.5-beta_remove-debug-logging.patch b/src/patches/squidguard/03_squidguard-1.5-beta_remove-debug-logging.patch
new file mode 100644
index 000000000..ba2840bac
--- /dev/null
+++ b/src/patches/squidguard/03_squidguard-1.5-beta_remove-debug-logging.patch
@@ -0,0 +1,66 @@
+--- a/src/sg.y.in 2014-04-14 16:23:39.183396677 +0200
++++ b/src/sg.y.in 2014-04-14 16:24:19.000000000 +0200
+@@ -795,9 +795,9 @@
+ {
+ struct Source *sp;
+ sp = lastSource;
+-
++/* DEBUG
+ @NOLOG1@ sgLogError("DEBUG: sgSourceLdapIpSearch called with: %s", url); @NOLOG2@
+-
++*/
+ if(!ldap_is_ldap_url(url)) {
+ sgLogError("%s: can't parse LDAP url %s",progname, url);
+ return;
+@@ -1311,10 +1311,12 @@
+ }
+ sp->domainlistDb = (struct sgDb *) sgCalloc(1,sizeof(struct sgDb));
+ sp->domainlistDb->type=SGDBTYPE_DOMAINLIST;
++/* DEBUG
+ sgLogError("init domainlist %s",sp->domainlist);
++*/
+ sgDbInit(sp->domainlistDb,sp->domainlist);
+ if(sp->domainlistDb->entries == 0) { /* empty database */
+- sgLogError("domainlist empty, removed from memory");
++ sgLogError("domainlist %s empty, removed from memory",sp->domainlist);
+ sgFree(sp->domainlistDb);
+ sp->domainlistDb = NULL;
+ }
+@@ -1356,10 +1356,12 @@
+ }
+ sp->urllistDb = (struct sgDb *) sgCalloc(1,sizeof(struct sgDb));
+ sp->urllistDb->type=SGDBTYPE_URLLIST;
++/* DEBUG
+ sgLogError("init urllist %s",sp->urllist);
++*/
+ sgDbInit(sp->urllistDb,sp->urllist);
+ if(sp->urllistDb->entries == 0) { /* empty database */
+- sgLogError("urllist empty, removed from memory");
++ sgLogError("urllist empty %s, removed from memory",sp->urllist);
+ sgFree(sp->urllistDb);
+ sp->urllistDb = NULL;
+ }
+@@ -2773,9 +2773,9 @@
+ char *interval;
+ struct UserInfo *userinfo;
+ static struct UserInfo info;
+-
++/* DEBUG
+ @NOLOG1@ sgLogError("DEBUG: sgFindUser called with: %s", ident); @NOLOG2@
+-
++*/
+ /* defined in the userDB? */
+ if(defined(src->userDb, ident, (char **) &userinfo) == 1) {
+ #ifdef HAVE_LIBLDAP
+--- a/src/sgDb.c 2014-04-17 08:53:29.961367395 +0200
++++ b/src/sgDb.c 2014-04-17 08:53:58.000000000 +0200
+@@ -48,7 +48,9 @@
+ strcat(dbfile,".db");
+ if(stat(dbfile,&st) == 0){
+ if(!createdb){
++/* DEBUG
+ sgLogNotice("INFO: loading dbfile %s",dbfile);
++*/
+ }
+ } else {
+ if(!createdb){
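Review bot: Wrapping the `@NOLOG1@ sgLogError(...); @NOLOG2@` lines in `/* DEBUG ... */` (the hunks at 795 and 2773 of src/sg.y.in) is fragile, because C comments do not nest: if configure ever substitutes comment delimiters for those two markers, as their placement suggests, the outer comment closes at the inner `*/` and the trailing `*/` no longer compiles. Deleting the lines, or guarding them with `#if 0` / `#endif`, avoids that. The two reworded messages also differ in word order (`"domainlist %s empty, ..."` versus `"urllist empty %s, ..."`); `"urllist %s empty, removed from memory"` would match. The functions touched here start and end outside the hunks.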
diff --git a/src/patches/squidguard/04_squidguard-1.5-beta_stdout-always.patch b/src/patches/squidguard/04_squidguard-1.5-beta_stdout-always.patch
new file mode 100644
index 000000000..8e2d0c75a
--- /dev/null
+++ b/src/patches/squidguard/04_squidguard-1.5-beta_stdout-always.patch
@@ -0,0 +1,76 @@
+Original input to stdout, to be useable with multiple redirectors
+when option -f is given on squidGuard start
+We have to remember the raw original URL as the URL is modified for testing
+purpose. So the exisiting HTML entities like %3F (?), %26 (&), %3D (=) etc. are changed
+which breaks the URL for further processing if it is send to stdout like we do it for the
+redirector chain (THIS patch).
+diff -Nur a/src/main.c.in b/src/main.c.in
+--- a/src/main.c.in 2009-09-27 21:41:50.000000000 +0200
++++ b/src/main.c.in 2013-06-01 21:18:55.000000000 +0200
+@@ -59,6 +59,7 @@
+ char **globalEnvp ;
+ int globalDebugTimeDelta = 0;
+ int globalDebug = 0;
++int globalFullStdout = 0;
+ int globalPid = 0;
+ int globalUpdate = 0;
+ int passthrough = 0;
+@@ -89,6 +90,7 @@
+ struct Acl *acl;
+ struct timeval start_time,ready_time,stop_time;
+ char buf[MAX_BUF];
++ char origraw[MAX_BUF];
+ char *redirect,tmp[MAX_BUF];
+ char *configFile = NULL;
+ time_t t;
+@@ -101,11 +102,14 @@
+ #ifdef USE_SYSLOG
+ openlog("squidGuard", LOG_PID | LOG_NDELAY | LOG_CONS, LOG_@LOGFAC@);
+ #endif
+- while ((ch = getopt(argc, argv, "hbduPC:t:c:v")) != EOF)
++ while ((ch = getopt(argc, argv, "hbdfuPC:t:c:v")) != EOF)
+ switch (ch) {
+ case 'd':
+ globalDebug = 1;
+ break;
++ case 'f':
++ globalFullStdout = 1;
++ break;
+ case 'c':
+ configFile = optarg;
+ break;
+@@ -192,6 +193,8 @@
+ }
+ continue;
+ }
++ strcpy(origraw,buf);
++ if (strlen(origraw) && (origraw[strlen(origraw)-1] == '\n')) origraw[strlen(origraw)-1] = 0;
+ if(parseLine(buf,&squidInfo) != 1){
+ sgLogError("ERROR: Error parsing squid line: %s",buf);
+ puts("BH message="squidGuard error parsing squid line"");
+@@ -206,7 +210,12 @@
+ acl = sgAclCheckSource(src);
+ if((redirect = sgAclAccess(src,acl,&squidInfo)) == NULL){
+ if(src == NULL || src->cont_search == 0){
++ if (globalFullStdout) {
++ puts(origraw);
++ }
++ else {
+ puts("ERR");
++ }
+ break;
+ } else
+ if(src->next != NULL){
+@@ -213,7 +214,12 @@
+ src = src->next;
+ continue;
+ } else {
++ if (globalFullStdout) {
++ puts(origraw);
++ }
++ else {
+ puts("ERR");
++ }
+ break;
+ }
+ } else {
diff --git a/src/patches/squidguard/05_squidguard-1.5-beta_fixes_htunescape-size_t-ldap_functions-unused_variables-noinput_and_nounput.patch b/src/patches/squidguard/05_squidguard-1.5-beta_fixes_htunescape-size_t-ldap_functions-unused_variables-noinput_and_nounput.patch
new file mode 100644
index 000000000..33732deea
--- /dev/null
+++ b/src/patches/squidguard/05_squidguard-1.5-beta_fixes_htunescape-size_t-ldap_functions-unused_variables-noinput_and_nounput.patch
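Review bot: `strcpy(origraw,buf);` in the `@@ -192,6 +193,8 @@` hunk of 04_squidguard-1.5-beta_stdout-always.patch (src/main.c.in) is only safe while the read that fills `buf` is bounded by `MAX_BUF` and NUL-terminates; that read is outside the hunk, so the copy should carry its own bound, e.g. `snprintf(origraw, sizeof origraw, "%s", buf);`. The newline trim calls `strlen(origraw)` three times; `origraw[strcspn(origraw, "\n")] = 0;` does it in one pass. With `-f` the helper answers a passed request by echoing the raw input line, while the other paths still reply with `OK`/`ERR`/`BH`, so a comment above `puts(origraw);` should state which reply format the next redirector and Squid are expected to parse. The changelog on this page records earlier bypasses with URLs close to `MAX_BUF`, which is a reason to test `-f` with maximum-length input lines.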
@@ -0,0 +1,56 @@
+--- a/src/sg.l Sat Jan 30 13:51:12 2016
++++ b/src/sg.l Sat Jan 30 14:01:28 2016
+@@ -23,6 +23,8 @@
+
+ %}
+
++%option noinput
++%option nounput
+ ignore [,\t\r ]+
+ s [\t ]
+ d [0-9]
+--- a/src/sg.y.in Sat Jan 30 13:52:26 2016
++++ b/src/sg.y.in Sat Jan 30 14:00:50 2016
+@@ -26,6 +26,7 @@
+
+ #ifdef HAVE_LIBLDAP
+ #include "lber.h"
++#define LDAP_DEPRECATED 1
+ #include "ldap.h"
+ #endif
+
+@@ -1097,7 +1098,6 @@
+ foundip = 1;
+ unblockedip = 1;
+ if(s->ipquota.seconds != 0){
+- struct IpInfo uq;
+ time_t t = time(NULL) + globalDebugTimeDelta;
+ sgLogError("status %d time %d lasttime %d consumed %d", ipquota->status, ipquota->time, ipquota->last, ipquota->consumed);
+ sgLogError("renew %d seconds %d", s->ipquota.renew, s->ipquota.seconds);
+@@ -1157,7 +1157,6 @@
+ founduser = 1;
+ unblockeduser = 1;
+ if(s->userquota.seconds != 0){
+- struct UserInfo uq;
+ time_t t = time(NULL) + globalDebugTimeDelta;
+ //sgLogError("status %d time %d lasttime %d consumed %d", userquota->status, userquota->time, userquota->last, userquota->consumed);
+ //sgLogError("renew %d seconds %d", s->userquota.renew, s->userquota.seconds);
+--- a/src/sgDiv.c.in Sat Jan 30 13:52:10 2016
++++ b/src/sgDiv.c.in Sat Jan 30 13:59:16 2016
+@@ -18,6 +18,7 @@
+
+ #include "sg.h"
+ #include "sgEx.h"
++#include "HTEscape.h"
+
+ /* #define METEST 8; */
+
+@@ -692,7 +693,7 @@
+ struct UserInfo *userquota;
+ if(defined(s->userDb, req->ident, (char **) &userquota) == 1){
+ char qbuf[150];
+- sprintf(qbuf, "%d-%d-%d-%d-%d-%d", s->userquota.renew, s->userquota.seconds, userquota->status, userquota->time, userquota->last, userquota->consumed);
++ sprintf(qbuf, "%d-%d-%d-%d-%d-%d", s->userquota.renew, (int)s->userquota.seconds, userquota->status, (int)userquota->time, (int)userquota->last, userquota->consumed);
+ strcat(buf, qbuf);
+ } else {
+ strcat(buf, "noquota");
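Review bot: The `(int)` casts added to the `sprintf(qbuf, ...)` call in src/sgDiv.c.in (hunk `@@ -692,7 +693,7 @@`) silence the format warning by narrowing `s->userquota.seconds`, `userquota->time` and `userquota->last`; if those are `time_t` values, as the casts suggest, the quota string goes wrong once they exceed `INT_MAX`. Printing them with `%lld` and `(long long)` casts keeps the value, and `snprintf(qbuf, sizeof qbuf, ...)` makes the 150-byte bound explicit. The `strcat(buf, qbuf)` that follows has no visible bound either; `buf` is declared outside the hunk. `#define LDAP_DEPRECATED 1` in src/sg.y.in re-enables the deprecated LDAP declarations rather than replacing the calls, which deserves a comment such as `/* TODO: port to the non-deprecated ldap_* API */`.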
diff --git a/src/patches/squidguard/06_squidguard_version.patch b/src/patches/squidguard/06_squidguard_version.patch
new file mode 100644
index 000000000..351804c49
--- /dev/null
+++ b/src/patches/squidguard/06_squidguard_version.patch
@@ -0,0 +1,8 @@
+--- a/src/version.h Thu Apr 17 17:00:48 2008
++++ b/src/version.h Fri May 08 20:44:48 2009
+@@ -16,4 +16,4 @@
+ (GPL) along with this program.
+ */
+
+-#define VERSION "1.5-alpha"
++#define VERSION "1.5-beta"