Backport of fixes in master/v7 https://bugs.squid-cache.org/show_bug.cgi?id=5322 https://bugs.squid-cache.org/attachment.cgi?id=3891 diff -aurN a/src/AclRegs.cc b/src/AclRegs.cc --- a/src/AclRegs.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/AclRegs.cc 2024-05-02 14:39:02.842264552 +0300 @@ -130,8 +130,8 @@ RegisterMaker("dstdom_regex", [](TypeName name)->ACL* { return new ACLStrategised(new ACLRegexData, new ACLDestinationDomainStrategy, name); }); RegisterMaker("dst", [](TypeName)->ACL* { return new ACLDestinationIP; }); // XXX: Add name parameter to ctor RegisterMaker("hier_code", [](TypeName name)->ACL* { return new ACLStrategised(new ACLHierCodeData, new ACLHierCodeStrategy, name); }); - RegisterMaker("rep_header", [](TypeName name)->ACL* { return new ACLStrategised(new ACLHTTPHeaderData, new ACLHTTPRepHeaderStrategy, name); }); - RegisterMaker("req_header", [](TypeName name)->ACL* { return new ACLStrategised(new ACLHTTPHeaderData, new ACLHTTPReqHeaderStrategy, name); }); + RegisterMaker("rep_header", [](TypeName name)->ACL* { return new ACLStrategised(new ACLHTTPHeaderData, new ACLHTTPRepHeaderStrategy, name); }); + RegisterMaker("req_header", [](TypeName name)->ACL* { return new ACLStrategised(new ACLHTTPHeaderData, new ACLHTTPReqHeaderStrategy, name); }); RegisterMaker("http_status", [](TypeName name)->ACL* { return new ACLHTTPStatus(name); }); RegisterMaker("maxconn", [](TypeName name)->ACL* { return new ACLMaxConnection(name); }); RegisterMaker("method", [](TypeName name)->ACL* { return new ACLStrategised(new ACLMethodData, new ACLMethodStrategy, name); }); diff -aurN a/src/DelayId.cc b/src/DelayId.cc --- a/src/DelayId.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/DelayId.cc 2024-05-02 13:14:06.529560559 +0300 @@ -87,10 +87,7 @@ ACLFilledChecklist ch(DelayPools::delay_data[pool].access, r, nullptr); clientAclChecklistFill(ch, http); - if (!ch.reply && reply) { - ch.reply = reply; - HTTPMSGLOCK(reply); - } + ch.updateReply(reply); // overwrite ACLFilledChecklist acl_uses_indirect_client-based decision #if FOLLOW_X_FORWARDED_FOR if (Config.onoff.delay_pool_uses_indirect_client) diff -aurN a/src/HttpHeaderTools.cc b/src/HttpHeaderTools.cc --- a/src/HttpHeaderTools.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/HttpHeaderTools.cc 2024-05-02 13:15:05.133567028 +0300 @@ -289,11 +289,7 @@ ACLFilledChecklist checklist(hm->access_list, request, nullptr); - checklist.al = al; - if (al && al->reply) { - checklist.reply = al->reply.getRaw(); - HTTPMSGLOCK(checklist.reply); - } + checklist.updateAle(al); // XXX: The two "It was denied" clauses below mishandle cases with no // matching rules, violating the "If no rules within the set have matching @@ -489,11 +485,7 @@ { ACLFilledChecklist checklist(nullptr, request, nullptr); - checklist.al = al; - if (al && al->reply) { - checklist.reply = al->reply.getRaw(); - HTTPMSGLOCK(checklist.reply); - } + checklist.updateAle(al); for (HeaderWithAclList::const_iterator hwa = headersAdd.begin(); hwa != headersAdd.end(); ++hwa) { if (!hwa->aclList || checklist.fastCheck(hwa->aclList).allowed()) { diff -aurN a/src/HttpReply.cc b/src/HttpReply.cc --- a/src/HttpReply.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/HttpReply.cc 2024-05-02 13:15:39.572584896 +0300 @@ -596,8 +596,7 @@ ACLFilledChecklist ch(nullptr, &request, nullptr); // XXX: cont-cast becomes irrelevant when checklist is HttpReply::Pointer - ch.reply = const_cast(this); - HTTPMSGLOCK(ch.reply); + ch.updateReply(this); for (AclSizeLimit *l = Config.ReplyBodySize; l; l = l -> next) { /* if there is no ACL list or if the ACLs listed match use this size value */ if (!l->aclList || ch.fastCheck(l->aclList).allowed()) { diff -aurN a/src/Notes.cc b/src/Notes.cc --- a/src/Notes.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/Notes.cc 2024-05-02 13:54:09.664336645 +0300 @@ -70,11 +70,9 @@ Note::match(HttpRequest *request, HttpReply *reply, const AccessLogEntry::Pointer &al, SBuf &matched) { ACLFilledChecklist ch(nullptr, request, nullptr); - ch.al = al; - ch.reply = reply; + ch.updateAle(al); + ch.updateReply(reply); ch.syncAle(request, nullptr); - if (reply) - HTTPMSGLOCK(ch.reply); for (const auto &v: values) { assert(v->aclList); diff -aurN a/src/acl/ConnectionsEncrypted.cc b/src/acl/ConnectionsEncrypted.cc --- a/src/acl/ConnectionsEncrypted.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/acl/ConnectionsEncrypted.cc 2024-05-02 14:11:23.059165031 +0300 @@ -55,8 +55,8 @@ const bool safeRequest = !(filled->request->sources & Http::Message::srcUnsafe); - const bool safeReply = !filled->reply || - !(filled->reply->sources & Http::Message::srcUnsafe); + const bool safeReply = !filled->hasReply() || + !(filled->reply().sources & Http::Message::srcUnsafe); return (safeRequest && safeReply) ? 1 : 0; } diff -aurN a/src/acl/FilledChecklist.cc b/src/acl/FilledChecklist.cc --- a/src/acl/FilledChecklist.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/acl/FilledChecklist.cc 2024-05-02 14:07:41.297685699 +0300 @@ -27,7 +27,6 @@ ACLFilledChecklist::ACLFilledChecklist() : dst_rdns(nullptr), request (nullptr), - reply (nullptr), #if USE_AUTH auth_user_request (nullptr), #endif @@ -54,8 +53,6 @@ HTTPMSGUNLOCK(request); - HTTPMSGUNLOCK(reply); - cbdataReferenceDone(conn_); debugs(28, 4, "ACLFilledChecklist destroyed " << this); @@ -107,9 +104,9 @@ } } - if (reply && !al->reply) { + if (hasReply() && !al->reply) { showDebugWarning("HttpReply object"); - al->reply = reply; + al->reply = reply_; } #if USE_IDENT @@ -214,7 +211,6 @@ ACLFilledChecklist::ACLFilledChecklist(const acl_access *A, HttpRequest *http_request, const char *ident): dst_rdns(nullptr), request(nullptr), - reply(nullptr), #if USE_AUTH auth_user_request(nullptr), #endif @@ -268,3 +264,21 @@ #endif } +void +ACLFilledChecklist::updateAle(const AccessLogEntry::Pointer &a) +{ + if (!a) + return; + + al = a; // could have been set already (to a different value) + if (!request) + setRequest(a->request); + updateReply(a->reply); +} + +void +ACLFilledChecklist::updateReply(const HttpReply::Pointer &r) +{ + if (r) + reply_ = r; // may already be set, including to r +} diff -aurN a/src/acl/FilledChecklist.h b/src/acl/FilledChecklist.h --- a/src/acl/FilledChecklist.h 2024-04-08 08:02:07.000000000 +0300 +++ b/src/acl/FilledChecklist.h 2024-05-02 13:45:57.773923228 +0300 @@ -14,6 +14,8 @@ #include "acl/forward.h" #include "base/CbcPointer.h" #include "error/forward.h" +#include "HttpReply.h" +#include "HttpRequest.h" #include "ip/Address.h" #if USE_AUTH #include "auth/UserRequest.h" @@ -42,6 +44,7 @@ void setRequest(HttpRequest *); /// configure rfc931 user identity for the first time void setIdent(const char *userIdentity); + void updateAle(const AccessLogEntry::Pointer &); public: /// The client connection manager @@ -57,6 +60,14 @@ //int authenticated(); + /// response added by updateReply() + /// \prec hasReply() + const HttpReply &reply() const { return *reply_; } + + /// Remembers the given response (if it is not nil) or does nothing + /// (otherwise). + void updateReply(const HttpReply::Pointer &); + bool destinationDomainChecked() const; void markDestinationDomainChecked(); bool sourceDomainChecked() const; @@ -64,7 +75,7 @@ // ACLChecklist API bool hasRequest() const override { return request != nullptr; } - bool hasReply() const override { return reply != nullptr; } + bool hasReply() const override { return reply_ != nullptr; } bool hasAle() const override { return al != nullptr; } void syncAle(HttpRequest *adaptedRequest, const char *logUri) const override; void verifyAle() const override; @@ -77,7 +88,6 @@ char *dst_rdns; HttpRequest *request; - HttpReply *reply; char rfc931[USER_IDENT_SZ]; #if USE_AUTH @@ -108,6 +118,9 @@ private: ConnStateData * conn_; /**< hack for ident and NTLM */ int fd_; /**< may be available when conn_ is not */ + + HttpReply::Pointer reply_; ///< response added by updateReply() or nil + bool destinationDomainChecked_; bool sourceDomainChecked_; /// not implemented; will cause link failures if used diff -aurN a/src/acl/HttpHeaderData.cc b/src/acl/HttpHeaderData.cc --- a/src/acl/HttpHeaderData.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/acl/HttpHeaderData.cc 2024-05-02 13:39:44.260625713 +0300 @@ -36,20 +36,18 @@ } bool -ACLHTTPHeaderData::match(HttpHeader* hdr) +ACLHTTPHeaderData::match(const HttpHeader &hdr) { - if (hdr == nullptr) - return false; debugs(28, 3, "aclHeaderData::match: checking '" << hdrName << "'"); String value; if (hdrId != Http::HdrType::BAD_HDR) { - if (!hdr->has(hdrId)) + if (!hdr.has(hdrId)) return false; - value = hdr->getStrOrList(hdrId); + value = hdr.getStrOrList(hdrId); } else { - if (!hdr->hasNamed(hdrName, &value)) + if (!hdr.hasNamed(hdrName, &value)) return false; } diff -aurN a/src/acl/HttpHeaderData.h b/src/acl/HttpHeaderData.h --- a/src/acl/HttpHeaderData.h 2024-04-08 08:02:07.000000000 +0300 +++ b/src/acl/HttpHeaderData.h 2024-05-02 13:40:26.326492200 +0300 @@ -14,14 +14,14 @@ #include "sbuf/SBuf.h" #include "SquidString.h" -class ACLHTTPHeaderData : public ACLData +class ACLHTTPHeaderData: public ACLData { MEMPROXY_CLASS(ACLHTTPHeaderData); public: ACLHTTPHeaderData(); ~ACLHTTPHeaderData() override; - bool match(HttpHeader* hdr) override; + bool match(const HttpHeader &) override; SBufList dump() const override; void parse() override; bool empty() const override; diff -aurN a/src/acl/HttpRepHeader.cc b/src/acl/HttpRepHeader.cc --- a/src/acl/HttpRepHeader.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/acl/HttpRepHeader.cc 2024-05-02 14:22:13.208427916 +0300 @@ -13,8 +13,9 @@ #include "HttpReply.h" int -ACLHTTPRepHeaderStrategy::match (ACLData * &data, ACLFilledChecklist *checklist) +ACLHTTPRepHeaderStrategy::match (ACLData * &data, ACLFilledChecklist * const ch) { - return data->match (&checklist->reply->header); + const auto checklist = Filled(ch); + return data->match(checklist->reply().header); } diff -aurN a/src/acl/HttpRepHeader.h b/src/acl/HttpRepHeader.h --- a/src/acl/HttpRepHeader.h 2024-04-08 08:02:07.000000000 +0300 +++ b/src/acl/HttpRepHeader.h 2024-05-02 14:26:12.634833092 +0300 @@ -14,7 +14,7 @@ #include "HttpHeader.h" /// \ingroup ACLAPI -class ACLHTTPRepHeaderStrategy : public ACLStrategy +class ACLHTTPRepHeaderStrategy : public ACLStrategy { public: diff -aurN a/src/acl/HttpReqHeader.cc b/src/acl/HttpReqHeader.cc --- a/src/acl/HttpReqHeader.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/acl/HttpReqHeader.cc 2024-05-02 14:22:47.381726897 +0300 @@ -13,8 +13,9 @@ #include "HttpRequest.h" int -ACLHTTPReqHeaderStrategy::match (ACLData * &data, ACLFilledChecklist *checklist) +ACLHTTPReqHeaderStrategy::match (ACLData * &data, ACLFilledChecklist * const ch) { - return data->match (&checklist->request->header); + const auto checklist = Filled(ch); + return data->match (checklist->request->header); } diff -aurN a/src/acl/HttpReqHeader.h b/src/acl/HttpReqHeader.h --- a/src/acl/HttpReqHeader.h 2024-04-08 08:02:07.000000000 +0300 +++ b/src/acl/HttpReqHeader.h 2024-05-02 14:26:59.730191970 +0300 @@ -13,7 +13,7 @@ #include "HttpHeader.h" /// \ingroup ACLAPI -class ACLHTTPReqHeaderStrategy : public ACLStrategy +class ACLHTTPReqHeaderStrategy : public ACLStrategy { public: diff -aurN a/src/acl/HttpStatus.cc b/src/acl/HttpStatus.cc --- a/src/acl/HttpStatus.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/acl/HttpStatus.cc 2024-05-02 13:48:12.200714068 +0300 @@ -116,7 +116,7 @@ int ACLHTTPStatus::match(ACLChecklist *checklist) { - return aclMatchHTTPStatus(&data, Filled(checklist)->reply->sline.status()); + return aclMatchHTTPStatus(&data, Filled(checklist)->reply().sline.status()); } int diff -aurN a/src/acl/ReplyHeaderStrategy.h b/src/acl/ReplyHeaderStrategy.h --- a/src/acl/ReplyHeaderStrategy.h 2024-04-08 08:02:07.000000000 +0300 +++ b/src/acl/ReplyHeaderStrategy.h 2024-05-02 13:48:40.981219348 +0300 @@ -28,7 +28,7 @@ int ACLReplyHeaderStrategy
::match (ACLData * &data, ACLFilledChecklist *checklist) { - char const *theHeader = checklist->reply->header.getStr(header); + char const *theHeader = checklist->reply().header.getStr(header); if (nullptr == theHeader) return 0; diff -aurN a/src/acl/ReplyMimeType.h b/src/acl/ReplyMimeType.h --- a/src/acl/ReplyMimeType.h 2024-04-08 08:02:07.000000000 +0300 +++ b/src/acl/ReplyMimeType.h 2024-05-02 13:51:50.684699376 +0300 @@ -19,7 +19,8 @@ inline int ACLReplyHeaderStrategy::match(ACLData * &data, ACLFilledChecklist *checklist) { - char const *theHeader = checklist->reply->header.getStr(Http::HdrType::CONTENT_TYPE); + char const *theHeader = checklist->reply().header.getStr(Http::HdrType::CONTENT_TYPE); + if (nullptr == theHeader) theHeader = ""; diff -aurN a/src/adaptation/AccessCheck.cc b/src/adaptation/AccessCheck.cc --- a/src/adaptation/AccessCheck.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/adaptation/AccessCheck.cc 2024-05-02 13:56:05.309606789 +0300 @@ -131,9 +131,8 @@ /* BUG 2526: what to do when r->acl is empty?? */ // XXX: we do not have access to conn->rfc931 here. acl_checklist = new ACLFilledChecklist(r->acl, filter.request, dash_str); - if ((acl_checklist->reply = filter.reply)) - HTTPMSGLOCK(acl_checklist->reply); - acl_checklist->al = filter.al; + acl_checklist->updateAle(filter.al); + acl_checklist->updateReply(filter.reply); acl_checklist->syncAle(filter.request, nullptr); acl_checklist->nonBlockingCheck(AccessCheckCallbackWrapper, this); return; diff -aurN a/src/adaptation/icap/Launcher.cc b/src/adaptation/icap/Launcher.cc --- a/src/adaptation/icap/Launcher.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/adaptation/icap/Launcher.cc 2024-05-02 13:25:41.483439412 +0300 @@ -142,8 +142,7 @@ ACLFilledChecklist *cl = new ACLFilledChecklist(TheConfig.repeat, info.icapRequest, dash_str); - cl->reply = info.icapReply; - HTTPMSGLOCK(cl->reply); + cl->updateReply(info.icapReply); bool result = cl->fastCheck().allowed(); delete cl; diff -aurN a/src/adaptation/icap/icap_log.cc b/src/adaptation/icap/icap_log.cc --- a/src/adaptation/icap/icap_log.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/adaptation/icap/icap_log.cc 2024-05-02 13:26:09.810655898 +0300 @@ -61,10 +61,7 @@ { if (IcapLogfileStatus == LOG_ENABLE) { ACLFilledChecklist checklist(nullptr, al->adapted_request, nullptr); - if (al->reply) { - checklist.reply = al->reply.getRaw(); - HTTPMSGLOCK(checklist.reply); - } + checklist.updateAle(al); accessLogLogTo(Config.Log.icaplogs, al, &checklist); } } diff -aurN a/src/auth/UserRequest.cc b/src/auth/UserRequest.cc --- a/src/auth/UserRequest.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/auth/UserRequest.cc 2024-05-02 13:26:56.382746257 +0300 @@ -466,8 +466,7 @@ { if (!Auth::TheConfig.schemeLists.empty() && Auth::TheConfig.schemeAccess) { ACLFilledChecklist ch(nullptr, request, nullptr); - ch.reply = rep; - HTTPMSGLOCK(ch.reply); + ch.updateReply(rep); const auto answer = ch.fastCheck(Auth::TheConfig.schemeAccess); if (answer.allowed()) return Auth::TheConfig.schemeLists.at(answer.kind).authConfigs; diff -aurN a/src/client_side.cc b/src/client_side.cc --- a/src/client_side.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/client_side.cc 2024-05-02 13:32:24.247196027 +0300 @@ -446,31 +446,19 @@ } // The al->notes and request->notes must point to the same object. al->syncNotes(request); - } - - ACLFilledChecklist checklist(nullptr, request, nullptr); - if (al->reply) { - checklist.reply = al->reply.getRaw(); - HTTPMSGLOCK(checklist.reply); - } - - if (request) { HTTPMSGUNLOCK(al->adapted_request); al->adapted_request = request; HTTPMSGLOCK(al->adapted_request); } + ACLFilledChecklist checklist(nullptr, request, nullptr); + checklist.updateAle(al); // no need checklist.syncAle(): already synced - checklist.al = al; accessLogLog(al, &checklist); bool updatePerformanceCounters = true; if (Config.accessList.stats_collection) { ACLFilledChecklist statsCheck(Config.accessList.stats_collection, request, nullptr); - statsCheck.al = al; - if (al->reply) { - statsCheck.reply = al->reply.getRaw(); - HTTPMSGLOCK(statsCheck.reply); - } + statsCheck.updateAle(al); updatePerformanceCounters = statsCheck.fastCheck().allowed(); } @@ -3546,12 +3534,8 @@ checklist.setRequest(http->request); if (!checklist.al && http->al) { - checklist.al = http->al; + checklist.updateAle(http->al); checklist.syncAle(http->request, http->log_uri); - if (!checklist.reply && http->al->reply) { - checklist.reply = http->al->reply.getRaw(); - HTTPMSGLOCK(checklist.reply); - } } if (const auto conn = http->getConn()) diff -aurN a/src/client_side_reply.cc b/src/client_side_reply.cc --- a/src/client_side_reply.cc 2024-05-02 14:48:58.863528254 +0300 +++ b/src/client_side_reply.cc 2024-05-02 13:33:55.668212735 +0300 @@ -843,11 +843,9 @@ if (http->flags.internal) return false; // internal content "hits" cannot be blocked - const auto &rep = http->storeEntry()->mem().freshestReply(); { std::unique_ptr chl(clientAclChecklistCreate(Config.accessList.sendHit, http)); - chl->reply = const_cast(&rep); // ACLChecklist API bug - HTTPMSGLOCK(chl->reply); + chl->updateReply(&http->storeEntry()->mem().freshestReply()); return !chl->fastCheck().allowed(); // when in doubt, block } } @@ -1850,8 +1848,7 @@ /** Process http_reply_access lists */ ACLFilledChecklist *replyChecklist = clientAclChecklistCreate(Config.accessList.reply, http); - replyChecklist->reply = reply; - HTTPMSGLOCK(replyChecklist->reply); + replyChecklist->updateReply(reply); replyChecklist->nonBlockingCheck(ProcessReplyAccessResult, this); } diff -aurN a/src/clients/Client.cc b/src/clients/Client.cc --- a/src/clients/Client.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/clients/Client.cc 2024-05-02 13:56:57.931087748 +0300 @@ -555,9 +555,8 @@ // This relatively expensive check is not in StoreEntry::checkCachable: // That method lacks HttpRequest and may be called too many times. ACLFilledChecklist ch(acl, originalRequest().getRaw()); - ch.reply = const_cast(&entry->mem().freshestReply()); // ACLFilledChecklist API bug - HTTPMSGLOCK(ch.reply); - ch.al = fwd->al; + ch.updateAle(fwd->al); + ch.updateReply(&entry->mem().freshestReply()); if (!ch.fastCheck().allowed()) { // when in doubt, block debugs(20, 3, "store_miss prohibits caching"); return true; diff -aurN a/src/http/Stream.cc b/src/http/Stream.cc --- a/src/http/Stream.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/http/Stream.cc 2024-05-02 13:35:57.062950806 +0300 @@ -294,8 +294,7 @@ for (const auto &pool: MessageDelayPools::Instance()->pools) { if (pool->access) { std::unique_ptr chl(clientAclChecklistCreate(pool->access, http)); - chl->reply = rep; - HTTPMSGLOCK(chl->reply); + chl->updateReply(rep); const auto answer = chl->fastCheck(); if (answer.allowed()) { writeQuotaHandler = pool->createBucket(); diff -aurN a/src/http.cc b/src/http.cc --- a/src/http.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/http.cc 2024-05-02 13:35:29.522323694 +0300 @@ -773,10 +773,9 @@ // check whether the 1xx response forwarding is allowed by squid.conf if (Config.accessList.reply) { ACLFilledChecklist ch(Config.accessList.reply, originalRequest().getRaw()); - ch.al = fwd->al; - ch.reply = reply; + ch.updateAle(fwd->al); + ch.updateReply(reply); ch.syncAle(originalRequest().getRaw(), nullptr); - HTTPMSGLOCK(ch.reply); if (!ch.fastCheck().allowed()) // TODO: support slow lookups? return drop1xx("http_reply_access blocked it"); } diff -aurN a/src/neighbors.cc b/src/neighbors.cc --- a/src/neighbors.cc 2024-04-08 08:02:07.000000000 +0300 +++ b/src/neighbors.cc 2024-05-02 13:36:27.203322463 +0300 @@ -170,11 +170,7 @@ return true; ACLFilledChecklist checklist(p->access, request, nullptr); - checklist.al = ps->al; - if (ps->al && ps->al->reply) { - checklist.reply = ps->al->reply.getRaw(); - HTTPMSGLOCK(checklist.reply); - } + checklist.updateAle(ps->al); checklist.syncAle(request, nullptr); return checklist.fastCheck().allowed(); }