Re: ACL domain based [Q]

From: Balint Nagy Endre <bne@dont-contact.us>
Date: Tue, 3 Sep 1996 20:40:02 +0200 (MET DST)

Leong Tiang Wah writes:
> I got a somewhat related question. I noticed that adding a trailing dot at the
> end of the hostname of a URL can actually bypass the following ACLs. The DNS
> lookup does return a valid IP address since it is a fully-qualified domain
> name.
>
> case 1 : http://www.playboy.com.
> case 2 : http://www.playboy.com./~sex
>
> Case 1
> ######
> acl Block_Site1 domain www.playboy.com
> http_access deny Block_Site1
>
> Case 2
> ######
> acl Block_Site2 url_regex www.playboy.com/~sex
> http_access deny Block_Site2
>
>
> I guess Squid should 'chop off' the trailing dot before comparing it with
> the ACLs.

There is a quick hack for this (and for the upper/lower case problem), but think
twice before installing this patch, because your neighbors/parents may not
convert hostnames to canonical form, and you will see misses on all URLs
having mixed/upper case hostnames even if they were hits!

*** squid-1.0.0/src/url.c.orig Tue Sep 3 19:11:10 1996
--- squid-1.0.0/src/url.c Tue Sep 3 20:24:43 1996
***************
*** 248,258 ****
  {
      static char urlbuf[MAX_URL + 1];
      static char portbuf[32];
      if (buf == NULL)
          buf = urlbuf;
      switch (request->method) {
      case METHOD_CONNECT:
! sprintf(buf, "%s:%d", request->host, request->port);
          break;
      default:
          portbuf[0] = '\0';
--- 248,274 ----
  {
      static char urlbuf[MAX_URL + 1];
      static char portbuf[32];
+
+ /* make host name canonical to keep host-based Acl's working - bne */
+ static char hostbuf[SQUIDHOSTNAMELEN+1];
+ register char *inp,*outp;
+ /* first make the hostname UPPER case */
+ for(inp=request->host,outp=hostbuf;*inp;inp++,outp++)
+ {
+ *outp=tolower(*inp);
+ }
+ /* finally eat trailing dots */
+ outp--;
+ while(*outp == '.')
+ outp--;
+ outp++;
+ *outp='\0';
+
      if (buf == NULL)
          buf = urlbuf;
      switch (request->method) {
      case METHOD_CONNECT:
! sprintf(buf, "%s:%d", hostbuf, request->port);
          break;
      default:
          portbuf[0] = '\0';
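Review bot: the copy loop `for(inp=request->host,outp=hostbuf;*inp;inp++,outp++)` writes into `hostbuf[SQUIDHOSTNAMELEN+1]` without checking the length of `request->host`, so a host name longer than SQUIDHOSTNAMELEN overruns the static buffer; bound the loop at SQUIDHOSTNAMELEN and reject (or truncate) longer hosts. The trailing-dot loop has the mirror problem at the other end: for an empty host, or one made only of dots such as `.`, the `outp--` followed by `while(*outp == '.') outp--;` walks in front of `hostbuf`; add an `outp > hostbuf` condition to that loop. Two smaller points: the comment `/* first make the hostname UPPER case */` contradicts the `tolower()` call right below it, and `tolower(*inp)` on a plain `char` is undefined for high-bit values, so cast the argument to `unsigned char`.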
***************
*** 262,268 ****
              ProtocolStr[request->protocol],
              request->login,
              *request->login ? "@" : "",
! request->host,
              portbuf,
              request->urlpath);
          break;
--- 278,284 ----
              ProtocolStr[request->protocol],
              request->login,
              *request->login ? "@" : "",
! hostbuf,
              portbuf,
              request->urlpath);
          break;
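Review bot: `hostbuf` is only substituted into the URL string assembled here (and in the CONNECT case of the previous hunk); `request->host` itself is never normalised, so any check that looks at `request->host` directly rather than at this reconstructed URL still sees the original case and trailing dot. Normalising `request->host` in place where the request is parsed would cover both uses and would also remove the dependency on the static `hostbuf` filled in earlier in the same function.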
--------
And a Perl script to update your logs (first kill RunCache and squid, run this
script, install the patched squid and restart RunCache):

#!/usr/bin/perl
# Rewrite the URLs in Squid's cache/log into the same canonical form the patched
# url.c produces (lower-case scheme and host, trailing dots on the host removed).
use strict;
use warnings;

my $log    = "/usr/local/squid/cache/log";
my $newlog = "/usr/local/squid/cache/new-log";

open(my $in,  "<", $log)    or die "cannot read $log: $!";
open(my $out, ">", $newlog) or die "cannot write $newlog: $!";
while (<$in>) {
    chomp;
    my ($file, $url, $n1, $n2, $n3) = (/^(\S+) (.*) (\d+) (\d+) (\d+)$/);
    if (!defined $file) {               # unknown line: copy it through untouched
        print $out "$_\n";
        next;
    }
    printf $out "%s %s %d %d %d\n", $file, url_norm($url), $n1, $n2, $n3;
}
close $in;
close $out or die "cannot close $newlog: $!";
rename $newlog, $log or die "cannot rename $newlog to $log: $!";

sub url_norm {
    my ($url) = @_;
    # scheme://host[:port][/path]; the path is optional so URLs without one are kept
    my ($method, $hostport, $path) = ($url =~ m!^([^:]+)://([^/]+)(/[^#]*)?!);
    return $url unless defined $hostport;   # not a URL we understand: leave as is
    my ($host, $port) = split /:/, $hostport, 2;
    $host =~ s/\.+$//;                      # eat trailing dots, as the patch does
    $hostport = defined $port ? "$host:$port" : $host;
    return lc($method) . "://" . lc($hostport) . (defined $path ? $path : "");
}

Andrew. (Endre Balint Nagy) <bne@CareNet.hu>

P.S.: another improvement towards standards conformance (excerpt from RFC 1945):

   The canonical form for "http" URLs is obtained by converting any
   UPALPHA characters in host to their LOALPHA equivalent (hostnames are
   case-insensitive), eliding the [ ":" port ] if the port is 80, and
   replacing an empty abs_path with "/".
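The host canonicalisation the patch attempts, together with the RFC 1945 canonical form quoted above, written as a bounded C routine plus a domain ACL comparison done on canonical forms, so that the trailing-dot and mixed-case variants from the question compare equal to the configured domain. This is an added example, not Squid code or the author's patch; the names `canonical_host`, `canonical_url` and `acl_domain_match` and the 256-byte buffers are assumptions of the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Lower-case a host name of length len and drop its trailing dots, as the url.c patch
 * does, but bounded: returns 0 when the host is empty once stripped ("" or ".") or
 * would not fit in out[outlen], instead of walking off either end of the buffer. */
static int canonical_host(const char *host, size_t len, char *out, size_t outlen)
{
    while (len > 0 && host[len - 1] == '.') len--;      /* eat trailing dots */
    if (len == 0 || len >= outlen) return 0;
    for (size_t i = 0; i < len; i++)                    /* cast: tolower on signed char is UB */
        out[i] = (char)tolower((unsigned char)host[i]);
    out[len] = '\0';
    return 1;
}

/* Canonical http URL per the RFC 1945 excerpt: scheme and host lower-cased, ":80" elided,
 * an empty abs_path replaced by "/"; the rest of the path is kept verbatim. Accepts only
 * scheme://host[:port][/path] (no userinfo) and returns 0 for anything it cannot parse. */
static int canonical_url(const char *url, char *out, size_t outlen)
{
    char hostc[256], portbuf[16] = "";
    const char *sep = strstr(url, "://");
    if (!sep) return 0;
    size_t slen = (size_t)(sep - url);
    const char *auth = sep + 3;
    const char *path = auth + strcspn(auth, "/");       /* points at "" when no path */
    const char *colon = memchr(auth, ':', (size_t)(path - auth));
    size_t hlen = (size_t)((colon ? colon : path) - auth);
    if (!canonical_host(auth, hlen, hostc, sizeof hostc)) return 0;
    if (colon && !isdigit((unsigned char)colon[1])) return 0;
    long port = colon ? strtol(colon + 1, NULL, 10) : 80;
    if (port != 80) snprintf(portbuf, sizeof portbuf, ":%ld", port);
    int n = snprintf(out, outlen, "%.*s://%s%s%s", (int)slen, url, hostc, portbuf, *path ? path : "/");
    if (n < 0 || (size_t)n >= outlen) return 0;
    for (size_t i = 0; i < slen; i++) out[i] = (char)tolower((unsigned char)out[i]);
    return 1;
}

/* Domain ACL compared on canonical forms, so "WWW.PLAYBOY.COM." matches "www.playboy.com".
 * Returns 1 match, 0 no match, -1 when a host cannot be canonicalised (caller should reject). */
static int acl_domain_match(const char *acl_domain, const char *req_host)
{
    char a[256], b[256];
    if (!canonical_host(acl_domain, strlen(acl_domain), a, sizeof a) ||
        !canonical_host(req_host, strlen(req_host), b, sizeof b)) return -1;
    return strcmp(a, b) == 0;
}
```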
Received on Tue Sep 03 1996 - 11:53:14 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:32:56 MST