Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/squid | 5 ++ src/patches/squid/squid-3.5-14071.patch | 70 +++++++++++++++ src/patches/squid/squid-3.5-14072.patch | 33 +++++++ src/patches/squid/squid-3.5-14073.patch | 151 ++++++++++++++++++++++++++++++++ src/patches/squid/squid-3.5-14074.patch | 55 ++++++++++++ src/patches/squid/squid-3.5-14075.patch | 38 ++++++++ 6 files changed, 352 insertions(+) create mode 100644 src/patches/squid/squid-3.5-14071.patch create mode 100644 src/patches/squid/squid-3.5-14072.patch create mode 100644 src/patches/squid/squid-3.5-14073.patch create mode 100644 src/patches/squid/squid-3.5-14074.patch create mode 100644 src/patches/squid/squid-3.5-14075.patch
diff --git a/lfs/squid b/lfs/squid
index c07afe8..2d9c596 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -74,6 +74,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14068.patch
 cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14069.patch
 cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14070.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14071.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14072.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14073.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14074.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14075.patch
 cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.20-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi
diff --git a/src/patches/squid/squid-3.5-14071.patch b/src/patches/squid/squid-3.5-14071.patch
new file mode 100644
index 0000000..6b353ea
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14071.patch
@@ -0,0 +1,70 @@ +------------------------------------------------------------ +revno: 14071 +revision-id: squid3@treenet.co.nz-20160817025501-e66sjxm0bfy3ksn3 +parent: squid3@treenet.co.nz-20160805145933-0cpyy47o8955lamx +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4428 +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Wed 2016-08-17 14:55:01 +1200 +message: + Bug 4428: mal-formed Cache-Control:stale-if-error header +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20160817025501-e66sjxm0bfy3ksn3 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: b3b3ef13c45062a97bd5cc88c934019fe4af7a3c +# timestamp: 2016-08-17 02:55:20 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20160805145933-\ +# 0cpyy47o8955lamx +# +# Begin patch +=== modified file 'src/HttpHdrCc.cc' +--- src/HttpHdrCc.cc 2016-01-01 00:14:27 +0000 ++++ src/HttpHdrCc.cc 2016-08-17 02:55:01 +0000 +@@ -257,6 +257,27 @@ + + /* for all options having values, "=value" after the name */ + switch (flag) { ++ case CC_BADHDR: ++ break; ++ case CC_PUBLIC: ++ break; ++ case CC_PRIVATE: ++ if (Private().size()) ++ packerPrintf(p, "="" SQUIDSTRINGPH """, SQUIDSTRINGPRINT(Private())); ++ break; ++ ++ case CC_NO_CACHE: ++ if (noCache().size()) ++ packerPrintf(p, "="" SQUIDSTRINGPH """, SQUIDSTRINGPRINT(noCache())); ++ break; ++ case CC_NO_STORE: ++ break; ++ case CC_NO_TRANSFORM: ++ break; ++ case CC_MUST_REVALIDATE: ++ break; ++ case CC_PROXY_REVALIDATE: ++ break; + case CC_MAX_AGE: + packerPrintf(p, "=%d", (int) maxAge()); + break; +@@ -272,8 +293,14 @@ + case CC_MIN_FRESH: + packerPrintf(p, "=%d", (int) minFresh()); + break; +- default: +- /* do nothing, directive was already printed */ ++ case CC_ONLY_IF_CACHED: ++ break; ++ case CC_STALE_IF_ERROR: ++ packerPrintf(p, "=%d", staleIfError()); ++ 
break; ++ case CC_OTHER: ++ case CC_ENUM_END: ++ // done below after the loop + break; + } + + diff --git a/src/patches/squid/squid-3.5-14072.patch b/src/patches/squid/squid-3.5-14072.patch new file mode 100644 index 0000000..228e773 --- /dev/null +++ b/src/patches/squid/squid-3.5-14072.patch @@ -0,0 +1,33 @@ +------------------------------------------------------------ +revno: 14072 +revision-id: squid3@treenet.co.nz-20160817025828-s4102klt2ei25tsm +parent: squid3@treenet.co.nz-20160817025501-e66sjxm0bfy3ksn3 +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Wed 2016-08-17 14:58:28 +1200 +message: + Fix SSL-Bump failure results in SEGFAULT +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20160817025828-s4102klt2ei25tsm +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 73877d276fba41282aeb5973207d02851d5eb784 +# timestamp: 2016-08-17 03:50:56 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20160817025501-\ +# e66sjxm0bfy3ksn3 +# +# Begin patch +=== modified file 'src/client_side_request.cc' +--- src/client_side_request.cc 2016-05-06 08:24:29 +0000 ++++ src/client_side_request.cc 2016-08-17 02:58:28 +0000 +@@ -1811,7 +1811,7 @@ + repContext->setReplyToStoreEntry(e, "immediate SslBump error"); + errorAppendEntry(e, calloutContext->error); + calloutContext->error = NULL; +- if (calloutContext->readNextRequest) ++ if (calloutContext->readNextRequest && getConn()) + getConn()->flags.readMore = true; // resume any pipeline reads. + node = (clientStreamNode *)client_stream.tail->data; + clientStreamRead(node, this, node->readBuffer); + diff --git a/src/patches/squid/squid-3.5-14073.patch b/src/patches/squid/squid-3.5-14073.patch new file mode 100644 index 0000000..b7915a4 --- /dev/null +++ b/src/patches/squid/squid-3.5-14073.patch 
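Review bot: The new `CC_STALE_IF_ERROR` case in src/HttpHdrCc.cc passes `staleIfError()` to a `%d` conversion without the `(int)` cast that the neighbouring `CC_MAX_AGE` and `CC_MIN_FRESH` cases use. The return type of `staleIfError()` is not visible in the hunk; if it is anything other than `int`, the varargs call has a type mismatch, so I would write `packerPrintf(p, "=%d", (int) staleIfError());` to match its siblings. The enclosing function starts and ends outside the hunk.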
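Review bot: The added `getConn()` test in src/client_side_request.cc protects only the `flags.readMore` assignment; the `clientStreamRead(node, this, node->readBuffer)` call two lines below still runs when the connection is gone. Whether that call tolerates a missing client connection cannot be seen from this hunk, so it is worth confirming before relying on this as the complete fix. The guard also deserves a comment, for example `// getConn() can be null here after an SslBump failure; skip the pipeline resume`. The enclosing function starts and ends outside the hunk.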
@@ -0,0 +1,151 @@ +------------------------------------------------------------ +revno: 14073 +revision-id: squid3@treenet.co.nz-20160817051037-p0kaj2iw2u4u8iqj +parent: squid3@treenet.co.nz-20160817025828-s4102klt2ei25tsm +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4563 +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Wed 2016-08-17 17:10:37 +1200 +message: + Bug 4563: duplicate code in httpMakeVaryMark +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20160817051037-p0kaj2iw2u4u8iqj +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: bba9a17715b8759e9d70db2c75f70f3c6152ae8a +# timestamp: 2016-08-17 05:50:53 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20160817025828-\ +# s4102klt2ei25tsm +# +# Begin patch +=== modified file 'src/http.cc' +--- src/http.cc 2016-04-01 06:15:31 +0000 ++++ src/http.cc 2016-08-17 05:10:37 +0000 +@@ -572,6 +572,38 @@ + /* NOTREACHED */ + } + ++/// assemble a variant key (vary-mark) from the given Vary header and HTTP request ++static void ++assembleVaryKey(String &vary, SBuf &vstr, const HttpRequest &request) ++{ ++ static const SBuf asterisk("*"); ++ const char *pos = nullptr; ++ const char *item = nullptr; ++ int ilen = 0; ++ ++ while (strListGetItem(&vary, ',', &item, &ilen, &pos)) { ++ SBuf name(item, ilen); ++ if (name == asterisk) { ++ vstr.clear(); ++ break; ++ } ++ name.toLower(); ++ if (!vstr.isEmpty()) ++ vstr.append(", ", 2); ++ vstr.append(name); ++ String hdr(request.header.getByName(name.c_str())); ++ const char *value = hdr.termedBuf(); ++ if (value) { ++ value = rfc1738_escape_part(value); ++ vstr.append("="", 2); ++ vstr.append(value); ++ vstr.append(""", 1); ++ } ++ ++ hdr.clean(); ++ } ++} ++ + /* + * For Vary, store the relevant request headers as + * virtual headers in the reply +@@ -580,81 
+612,16 @@ + SBuf + httpMakeVaryMark(HttpRequest * request, HttpReply const * reply) + { +- String vary, hdr; +- const char *pos = NULL; +- const char *item; +- const char *value; +- int ilen; + SBuf vstr; +- static const SBuf asterisk("*"); ++ String vary; + + vary = reply->header.getList(HDR_VARY); +- +- while (strListGetItem(&vary, ',', &item, &ilen, &pos)) { +- char *name = (char *)xmalloc(ilen + 1); +- xstrncpy(name, item, ilen + 1); +- Tolower(name); +- +- if (strcmp(name, "*") == 0) { +- /* Can not handle "Vary: *" withtout ETag support */ +- safe_free(name); +- vstr.clear(); +- break; +- } +- +- if (!vstr.isEmpty()) +- vstr.append(", ", 2); +- vstr.append(name); +- hdr = request->header.getByName(name); +- safe_free(name); +- value = hdr.termedBuf(); +- +- if (value) { +- value = rfc1738_escape_part(value); +- vstr.append("="", 2); +- vstr.append(value); +- vstr.append(""", 1); +- } +- +- hdr.clean(); +- } +- ++ assembleVaryKey(vary, vstr, *request); ++ ++#if X_ACCELERATOR_VARY + vary.clean(); +-#if X_ACCELERATOR_VARY +- +- pos = NULL; + vary = reply->header.getList(HDR_X_ACCELERATOR_VARY); +- +- while (strListGetItem(&vary, ',', &item, &ilen, &pos)) { +- char *name = (char *)xmalloc(ilen + 1); +- xstrncpy(name, item, ilen + 1); +- Tolower(name); +- +- if (strcmp(name, "*") == 0) { +- /* Can not handle "Vary: *" withtout ETag support */ +- safe_free(name); +- vstr.clear(); +- break; +- } +- +- if (!vstr.isEmpty()) +- vstr.append(", ", 2); +- vstr.append(name); +- hdr = request->header.getByName(name); +- safe_free(name); +- value = hdr.termedBuf(); +- +- if (value) { +- value = rfc1738_escape_part(value); +- vstr.append("="", 2); +- vstr.append(value); +- vstr.append(""", 1); +- } +- +- hdr.clean(); +- } +- +- vary.clean(); ++ assembleVaryKey(vary, vstr, *request); + #endif + + debugs(11, 3, vstr); + diff --git a/src/patches/squid/squid-3.5-14074.patch b/src/patches/squid/squid-3.5-14074.patch new file mode 100644 index 0000000..dbafbf0 --- /dev/null 
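Review bot: `assembleVaryKey()` returns void, so `httpMakeVaryMark()` cannot tell that the first call stopped on `*` and cleared `vstr`; when `X_ACCELERATOR_VARY` is compiled in, the second call then appends the X-Accelerator-Vary names to the emptied buffer and the function returns a non-empty mark for a reply that carried `Vary: *`. The removed code behaved the same way, so this is inherited rather than introduced, but the refactor is the natural place to close it if callers treat an empty mark as "cannot key this reply by variant" (the callers are not visible here). Having the helper return a bool, false on the asterisk branch, would be enough: `if (!assembleVaryKey(vary, vstr, *request)) return vstr;` ahead of the `#if` block. The body of `httpMakeVaryMark()` continues past the end of the hunk.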
+++ b/src/patches/squid/squid-3.5-14074.patch 
@@ -0,0 +1,55 @@ +------------------------------------------------------------ +revno: 14074 +revision-id: squid3@treenet.co.nz-20160817054829-rl7q49ysi40sj01i +parent: squid3@treenet.co.nz-20160817051037-p0kaj2iw2u4u8iqj +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3025 +author: mkishi mkishi@104.net +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Wed 2016-08-17 17:48:29 +1200 +message: + Bug 3025: Proxy-Authenticate problem using ICAP server +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20160817054829-rl7q49ysi40sj01i +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: f4eb1b35dc72bba74a398070900a0951257e547e +# timestamp: 2016-08-17 05:50:56 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20160817051037-\ +# p0kaj2iw2u4u8iqj +# +# Begin patch +=== modified file 'src/client_side_reply.cc' +--- src/client_side_reply.cc 2016-04-01 06:15:31 +0000 ++++ src/client_side_reply.cc 2016-08-17 05:48:29 +0000 +@@ -1305,8 +1305,14 @@ + + // if there is not configured a peer proxy with login=PASS or login=PASSTHRU option enabled + // remove the Proxy-Authenticate header +- if ( !request->peer_login || (strcmp(request->peer_login,"PASS") != 0 && strcmp(request->peer_login,"PASSTHRU") != 0)) +- reply->header.delById(HDR_PROXY_AUTHENTICATE); ++ if ( !request->peer_login || (strcmp(request->peer_login,"PASS") != 0 && strcmp(request->peer_login,"PASSTHRU") != 0)) { ++#if USE_ADAPTATION ++ // but allow adaptation services to authenticate clients ++ // via request satisfaction ++ if (!http->requestSatisfactionMode()) ++#endif ++ reply->header.delById(HDR_PROXY_AUTHENTICATE); ++ } + + reply->header.removeHopByHopEntries(); + + +=== modified file 'src/client_side_request.h' +--- src/client_side_request.h 2016-01-01 00:14:27 +0000 ++++ src/client_side_request.h 
2016-08-17 05:48:29 +0000 +@@ -140,6 +140,7 @@ + + public: + void startAdaptation(const Adaptation::ServiceGroupPointer &g); ++ bool requestSatisfactionMode() const { return request_satisfaction_mode; } + + // private but exposed for ClientRequestContext + void handleAdaptationFailure(int errDetail, bool bypassable = false); + diff --git a/src/patches/squid/squid-3.5-14075.patch b/src/patches/squid/squid-3.5-14075.patch new file mode 100644 index 0000000..8c0b5a3 --- /dev/null +++ b/src/patches/squid/squid-3.5-14075.patch 
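Review bot: In src/client_side_reply.cc the new `if (!http->requestSatisfactionMode())` sits inside `#if USE_ADAPTATION` while the statement it controls, `reply->header.delById(HDR_PROXY_AUTHENTICATE);`, sits after the `#endif`, so the removal is conditional in one build and unconditional in the other and only the indentation hints at it. Because this line decides whether a Proxy-Authenticate challenge reaches the client, I would make the decision an explicit local so both builds read the same way and a later edit cannot detach the `if` from its body. The enclosing function starts and ends outside the hunk.

```cpp
// … unchanged: peer_login PASS/PASSTHRU test that opens the block …
    bool keepProxyAuthenticate = false;
#if USE_ADAPTATION
    // adaptation services may authenticate clients via request satisfaction
    keepProxyAuthenticate = http->requestSatisfactionMode();
#endif
    if (!keepProxyAuthenticate)
        reply->header.delById(HDR_PROXY_AUTHENTICATE);
```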
@@ -0,0 +1,38 @@ +------------------------------------------------------------ +revno: 14075 +revision-id: squid3@treenet.co.nz-20160817133413-vdmm0d6kvo8bfszk +parent: squid3@treenet.co.nz-20160817054829-rl7q49ysi40sj01i +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Thu 2016-08-18 01:34:13 +1200 +message: + Fix logic error in rev.13930 + + Using !=0 on both string compares means any login= value will permit + 40x responses through. Only PASS and PASSTHRU should be doing that. + + Detected by Coverity Scan. Issue 1364711 +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20160817133413-vdmm0d6kvo8bfszk +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 31f0c4e0f435e0aa994ffe8937e4d4c58fed37f5 +# timestamp: 2016-08-17 13:34:59 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20160817054829-\ +# rl7q49ysi40sj01i +# +# Begin patch +=== modified file 'src/tunnel.cc' +--- src/tunnel.cc 2016-01-01 00:14:27 +0000 ++++ src/tunnel.cc 2016-08-17 13:34:13 +0000 +@@ -476,7 +476,7 @@ + + // we need to relay the 401/407 responses when login=PASS(THRU) + const char *pwd = server.conn->getPeer()->login; +- const bool relay = pwd && (strcmp(pwd, "PASS") != 0 || strcmp(pwd, "PASSTHRU") != 0) && ++ const bool relay = pwd && (strcmp(pwd, "PASS") == 0 || strcmp(pwd, "PASSTHRU") == 0) && + (*status_ptr == Http::scProxyAuthenticationRequired || + *status_ptr == Http::scUnauthorized); + +
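Review bot: The corrected `relay` expression in src/tunnel.cc still open-codes the PASS/PASSTHRU test, and the same test appears in negated form in src/client_side_reply.cc (visible in the 14074 patch on this page); the commit message says the inverted comparisons meant "any login= value will permit 40x responses through". One shared predicate would keep the two copies from drifting apart again, e.g. `static bool loginPassesCredentials(const char *login) { return login && (strcmp(login, "PASS") == 0 || strcmp(login, "PASSTHRU") == 0); }`. Separately, `server.conn->getPeer()->login` on the context line dereferences `getPeer()` unchecked; whether it can be null on this path is not visible in the hunk. The enclosing function starts and ends outside the hunk.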