Hello community,
here is the log from the commit of package squid3 for openSUSE:Factory checked in at 2012-02-14 19:08:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/squid3 (Old)
and /work/SRC/openSUSE:Factory/.squid3.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "squid3", Maintainer is "draht@suse.com"
Changes:
--------
--- /work/SRC/openSUSE:Factory/squid3/squid3.changes 2011-12-25 17:42:04.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.squid3.new/squid3.changes 2012-02-14 19:08:53.000000000 +0100
@@ -1,0 +2,9 @@
+Mon Jan 16 13:49:22 UTC 2012 - chris@computersalat.de
+
+- add upstream patches
+ * 3.1-10419: Bug #3085: Crash when parsing esi:include
+ * 3.1-10420: Bug #3473: erase last uses of obsolete auth_user_hash_pointer
+ * 3.1-10421: Bug #3420: Request body consumption races and !theConsumer
+ exception.
+
+-------------------------------------------------------------------
New:
----
squid-3.1-10419.patch
squid-3.1-10420.patch
squid-3.1-10421.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ squid3.spec ++++++
--- /var/tmp/diff_new_pack.HnAsf9/_old 2012-02-14 19:08:56.000000000 +0100
+++ /var/tmp/diff_new_pack.HnAsf9/_new 2012-02-14 19:08:56.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package squid3
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -54,6 +54,12 @@
Patch2: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10417.patch
# Bug #3442: assertion failed: external_acl.cc:908: ch->auth_user_request != NULL
Patch3: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10418.patch
+# Bug #3085: Crash when parsing esi:include
+Patch4: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10419.patch
+# Bug #3473: erase last uses of obsolete auth_user_hash_pointer
+Patch5: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10420.patch
+# Bug #3420: Request body consumption races and !theConsumer exception.
+Patch6: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10421.patch
#
# some useful defaults for squid
Patch100: squid-3.1.12-config.patch
@@ -137,6 +143,9 @@
%patch1 -p0
%patch2 -p0
%patch3 -p0
+%patch4 -p0
+%patch5 -p0
+%patch6 -p0
##### other patches
%patch100 -p1
%if 0%{?suse_version} > 1010
++++++ squid-3.1-10419.patch ++++++
------------------------------------------------------------
revno: 10419
revision-id: squid3@treenet.co.nz-20120103221151-682r7ux8n1on6hle
parent: squid3@treenet.co.nz-20111208111329-4p5ugr1bj8lxdd8i
fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3085
committer: Amos Jeffries
branch nick: SQUID_3_1
timestamp: Tue 2012-01-03 15:11:51 -0700
message:
Bug 3085: Crash when parsing esi:include
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20120103221151-682r7ux8n1on6hle
# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_1/
# testament_sha1: 9ac3e39da9fe702a92596f8fdee77dba9563d044
# timestamp: 2012-01-03 22:52:55 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_1
# base_revision_id: squid3@treenet.co.nz-20111208111329-\
# 4p5ugr1bj8lxdd8i
#
# Begin patch
=== modified file 'src/client_side_request.cc'
--- src/client_side_request.cc 2011-12-02 12:17:07 +0000
+++ src/client_side_request.cc 2012-01-03 22:11:51 +0000
@@ -873,18 +873,22 @@
request->flags.auth = 1;
ConnStateData *http_conn = http->getConn();
- assert(http_conn);
- request->flags.connection_auth_disabled = http_conn->port->connection_auth_disabled;
- if (!request->flags.connection_auth_disabled) {
- if (http_conn->pinning.fd != -1) {
- if (http_conn->pinning.auth) {
- request->flags.connection_auth = 1;
- request->flags.auth = 1;
- } else {
- request->flags.connection_proxy_auth = 1;
+ if (http_conn) {
+ request->flags.connection_auth_disabled = http_conn->port->connection_auth_disabled;
+ if (!request->flags.connection_auth_disabled) {
+ if (http_conn->pinning.fd != -1) {
+ if (http_conn->pinning.auth) {
+ request->flags.connection_auth = 1;
+ request->flags.auth = 1;
+ } else {
+ request->flags.connection_proxy_auth = 1;
+ }
+ request->setPinnedConnection(http_conn);
}
- request->setPinnedConnection(http_conn);
}
+ } else {
+ // internal requests and ESI don't have client conn.
+ request->flags.connection_auth_disabled = 1;
}
/* check if connection auth is used, and flag as candidate for pinning
++++++ squid-3.1-10420.patch ++++++
------------------------------------------------------------
revno: 10420
revision-id: squid3@treenet.co.nz-20120110024032-c8etrkkdfc4h30v9
parent: squid3@treenet.co.nz-20120103221151-682r7ux8n1on6hle
fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3473
committer: Amos Jeffries
branch nick: SQUID_3_1
timestamp: Mon 2012-01-09 19:40:32 -0700
message:
Bug 3473: erase last uses of obsolete auth_user_hash_pointer
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20120110024032-c8etrkkdfc4h30v9
# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_1/
# testament_sha1: 689d8cb8aed52305281c317a3cd03153c8f83e5a
# timestamp: 2012-01-10 02:53:30 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_1
# base_revision_id: squid3@treenet.co.nz-20120103221151-\
# 682r7ux8n1on6hle
#
# Begin patch
=== modified file 'src/auth/digest/auth_digest.cc'
--- src/auth/digest/auth_digest.cc 2011-10-31 01:15:38 +0000
+++ src/auth/digest/auth_digest.cc 2012-01-10 02:40:32 +0000
@@ -490,10 +490,10 @@
AuthUser *auth_user;
debugs(29, 9, HERE << "Looking for user '" << username << "'");
- if (username && (usernamehash = static_cast < auth_user_hash_pointer * >(hash_lookup(proxy_auth_username_cache, username)))) {
+ if (username && (usernamehash = static_cast < AuthUserHashPointer * >(hash_lookup(proxy_auth_username_cache, username)))) {
while ((usernamehash->user()->auth_type != AUTH_DIGEST) &&
(usernamehash->next))
- usernamehash = static_cast < auth_user_hash_pointer * >(usernamehash->next);
+ usernamehash = static_cast < AuthUserHashPointer * >(usernamehash->next);
auth_user = NULL;
@@ -515,7 +515,7 @@
AuthUser *auth_user;
hash_first(proxy_auth_username_cache);
- while ((usernamehash = ((auth_user_hash_pointer *) hash_next(proxy_auth_username_cache)))) {
+ while ((usernamehash = ((AuthUserHashPointer *) hash_next(proxy_auth_username_cache)))) {
auth_user = usernamehash->user();
if (strcmp(auth_user->config->type(), "digest") == 0)
=== modified file 'src/auth/ntlm/auth_ntlm.cc'
--- src/auth/ntlm/auth_ntlm.cc 2011-05-29 06:02:19 +0000
+++ src/auth/ntlm/auth_ntlm.cc 2012-01-10 02:40:32 +0000
@@ -393,7 +393,7 @@
debugs(29, 4, "AuthNTLMUserRequest::authenticate: authenticated user " << ntlm_user->username());
/* see if this is an existing user with a different proxy_auth
* string */
- auth_user_hash_pointer *usernamehash = static_cast(hash_lookup(proxy_auth_username_cache, ntlm_user->username()));
+ AuthUserHashPointer *usernamehash = static_cast(hash_lookup(proxy_auth_username_cache, ntlm_user->username()));
AuthUser *local_auth_user = ntlm_request->user();
while (usernamehash && (usernamehash->user()->auth_type != AUTH_NTLM || strcmp(usernamehash->user()->username(), ntlm_user->username()) != 0))
usernamehash = static_cast(usernamehash->next);
=== modified file 'src/typedefs.h'
--- src/typedefs.h 2010-09-30 03:07:33 +0000
+++ src/typedefs.h 2012-01-10 02:40:32 +0000
@@ -49,11 +49,6 @@
//UNUSED typedef struct _acl_deny_info_list acl_deny_info_list;
//UNUSED typedef class AuthUser auth_user_t;
-
-/// \ingroup AuthAPI
-/// \deprecated Use AuthUserHashPointer instead.
-typedef struct AuthUserHashPointer auth_user_hash_pointer;
-
/// \ingroup AuthAPI
/// \deprecated Use AuthUserIP instead.
typedef struct AuthUserIP auth_user_ip_t;
++++++ squid-3.1-10421.patch ++++++
------------------------------------------------------------
revno: 10421
revision-id: squid3@treenet.co.nz-20120114071941-5g6csg0cy0ho5e7q
parent: squid3@treenet.co.nz-20120110024032-c8etrkkdfc4h30v9
fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3420
author: Alex Rousskov
committer: Amos Jeffries
branch nick: SQUID_3_1
timestamp: Sat 2012-01-14 00:19:41 -0700
message:
Bug 3420: Request body consumption races and !theConsumer exception.
Also fixes endless waiting for HTTP client to send req body we no longer need.
Before these changes, the client side used a single "closing" state to
handle two different error conditions:
1. We stopped receiving request body because of some error.
2. We stopped sending response because of some error.
When a "directional" error occurred, we try to keep the transaction going in
the other direction (e.g., to give ICAP the entire request or to give HTTP
client the entire response). However, because there was just one "closing"
state, the code failed to correctly detect or process many corner cases,
resulting in stuck transactions and !theConsumer assertions/exceptions due to
races between enableAutoConsumption() and expectNoConsumption() calls.
This patch replaces the "closing" state with two direction-specific "we
stopped sending/receiving" flags.
Now, when the response sending code is done, it now checks whether the
receiving code stopped and closes the connection as needed. This is done both
when we encounter a sending error (ClientSocketContext::initiateClose) and
when we successfully sent the entire response to the client
(ClientSocketContext::keepaliveNextRequest).
Similarly, when the request body reading code is done, it now checks whether
the receiving code stopped and closes the connection as needed. This is done
both when we encounter a receiving error
(ConnStateData::noteBodyConsumerAborted) and when we successfully receive the
entire request body from the client (ClientSocketContext::writeComplete).
TODO: This patch focuses on various error cases. We might still have problems
when there is an early HTTP response and no errors of any kind. I marked the
corresponding old code with an XXX.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20120114071941-5g6csg0cy0ho5e7q
# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_1/
# testament_sha1: 71adfa8d85097074d14b95d813625db3a5d4dc35
# timestamp: 2012-01-14 07:54:24 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_1
# base_revision_id: squid3@treenet.co.nz-20120110024032-\
# c8etrkkdfc4h30v9
#
# Begin patch
=== modified file 'src/client_side.cc'
--- src/client_side.cc 2011-10-12 02:15:19 +0000
+++ src/client_side.cc 2012-01-14 07:19:41 +0000
@@ -1390,6 +1390,7 @@
*/
}
+/// called when we have successfully finished writing the response
void
ClientSocketContext::keepaliveNextRequest()
{
@@ -1406,6 +1407,26 @@
}
/** \par
+ * We are done with the response, and we are either still receiving request
+ * body (early response!) or have already stopped receiving anything.
+ *
+ * If we are still receiving, then clientParseRequest() below will fail.
+ * (XXX: but then we will call readNextRequest() which may succeed and
+ * execute a smuggled request as we are not done with the current request).
+ *
+ * If we stopped because we got everything, then try the next request.
+ *
+ * If we stopped receiving because of an error, then close now to avoid
+ * getting stuck and to prevent accidental request smuggling.
+ */
+
+ if (const char *reason = conn->stoppedReceiving()) {
+ debugs(33, 3, HERE << "closing for earlier request error: " << reason);
+ comm_close(conn->fd);
+ return;
+ }
+
+ /** \par
* Attempt to parse a request from the request buffer.
* If we've been fed a pipelined request it may already
* be in our read buffer.
@@ -1634,44 +1655,36 @@
comm_close(fd());
}
-/** Called to initiate (and possibly complete) closing of the context.
- * The underlying socket may be already closed */
+/// called when we encounter a response-related error
void
ClientSocketContext::initiateClose(const char *reason)
{
- debugs(33, 5, HERE << "initiateClose: closing for " << reason);
-
- if (http != NULL) {
- ConnStateData * conn = http->getConn();
-
- if (conn != NULL) {
- if (const int64_t expecting = conn->bodySizeLeft()) {
- debugs(33, 5, HERE << "ClientSocketContext::initiateClose: " <<
- "closing, but first " << conn << " needs to read " <<
- expecting << " request body bytes with " <<
- conn->in.notYetUsed << " notYetUsed");
-
- if (conn->closing()) {
- debugs(33, 2, HERE << "avoiding double-closing " << conn);
- return;
- }
-
- /*
- * XXX We assume the reply fits in the TCP transmit
- * window. If not the connection may stall while sending
- * the reply (before reaching here) if the client does not
- * try to read the response while sending the request body.
- * As of yet we have not received any complaints indicating
- * this may be an issue.
- */
- conn->startClosing(reason);
-
- return;
- }
+ http->getConn()->stopSending(reason); // closes ASAP
+}
+
+void
+ConnStateData::stopSending(const char *error)
+{
+ debugs(33, 4, HERE << "sending error (FD " << fd << "): " << error <<
+ "; old receiving error: " <<
+ (stoppedReceiving() ? stoppedReceiving_ : "none"));
+
+ if (const char *oldError = stoppedSending()) {
+ debugs(33, 3, HERE << "already stopped sending: " << oldError);
+ return; // nothing has changed as far as this connection is concerned
+ }
+
+ stoppedSending_ = error;
+
+ if (!stoppedReceiving()) {
+ if (const int64_t expecting = bodySizeLeft()) {
+ debugs(33, 5, HERE << "must still read " << expecting <<
+ " request body bytes with " << in.notYetUsed << " unused");
+ return; // wait for the request receiver to finish reading
}
}
- doClose();
+ comm_close(fd);
}
void
@@ -2928,16 +2941,11 @@
if (!bodyPipe) {
debugs(33,5, HERE << "produced entire request body for FD " << fd);
- if (closing()) {
+ if (const char *reason = stoppedSending()) {
/* we've finished reading like good clients,
* now do the close that initiateClose initiated.
- *
- * XXX: do we have to close? why not check keepalive et.
- *
- * XXX: To support chunked requests safely, we need to handle
- * the case of an endless request. This if-statement does not,
- * because mayNeedMoreData is true if request size is not known.
*/
+ debugs(33, 3, HERE << "closing for earlier sending error: " << reason);
comm_close(fd);
return false;
}
@@ -2952,7 +2960,7 @@
return;
// too late to read more body
- if (!isOpen() || closing())
+ if (!isOpen() || stoppedReceiving())
return;
readSomeData();
@@ -2961,8 +2969,11 @@
void
ConnStateData::noteBodyConsumerAborted(BodyPipe::Pointer )
{
- if (!closing())
- startClosing("body consumer aborted");
+ // request reader may get stuck waiting for space if nobody consumes body
+ if (bodyPipe != NULL)
+ bodyPipe->enableAutoConsumption();
+
+ stopReceiving("virgin request body consumer aborted"); // closes ASAP
}
/** general lifetime handler for HTTP requests */
@@ -3755,7 +3766,9 @@
CBDATA_CLASS_INIT(ConnStateData);
-ConnStateData::ConnStateData() :AsyncJob("ConnStateData"), transparent_ (false), closing_ (false), switchedToHttps_(false)
+ConnStateData::ConnStateData() :AsyncJob("ConnStateData"), transparent_ (false),
+ switchedToHttps_(false),
+ stoppedSending_(NULL), stoppedReceiving_(NULL)
{
pinning.fd = -1;
pinning.pinned = false;
@@ -3798,33 +3811,24 @@
return bodyPipe;
}
-bool
-ConnStateData::closing() const
-{
- return closing_;
-}
-
-/**
- * Called by ClientSocketContext to give the connection a chance to read
- * the entire body before closing the socket.
- */
void
-ConnStateData::startClosing(const char *reason)
+ConnStateData::stopReceiving(const char *error)
{
- debugs(33, 5, HERE << "startClosing " << this << " for " << reason);
- assert(!closing());
- closing_ = true;
-
- assert(bodyPipe != NULL);
- assert(bodySizeLeft() > 0);
-
- // We do not have to abort the body pipeline because we are going to
- // read the entire body anyway.
- // Perhaps an ICAP server wants to log the complete request.
-
- // If a consumer abort have caused this closing, we may get stuck
- // as nobody is consuming our data. Allow auto-consumption.
- bodyPipe->enableAutoConsumption();
+ debugs(33, 4, HERE << "receiving error (FD " << fd << "): " << error <<
+ "; old sending error: " <<
+ (stoppedSending() ? stoppedSending_ : "none"));
+
+ if (const char *oldError = stoppedReceiving()) {
+ debugs(33, 3, HERE << "already stopped receiving: " << oldError);
+ return; // nothing has changed as far as this connection is concerned
+ }
+
+ stoppedReceiving_ = error;
+
+ if (const char *sendError = stoppedSending()) {
+ debugs(33, 3, HERE << "closing because also stopped sending: " << sendError);
+ comm_close(fd);
+ }
}
void
=== modified file 'src/client_side.h'
--- src/client_side.h 2011-10-11 02:04:19 +0000
+++ src/client_side.h 2012-01-14 07:19:41 +0000
@@ -214,8 +214,15 @@
bool reading() const;
void stopReading(); ///< cancels comm_read if it is scheduled
- bool closing() const;
- void startClosing(const char *reason);
+ /// true if we stopped receiving the request
+ const char *stoppedReceiving() const { return stoppedReceiving_; }
+ /// true if we stopped sending the response
+ const char *stoppedSending() const { return stoppedSending_; }
+ /// note request receiving error and close as soon as we write the response
+ void stopReceiving(const char *error);
+ /// note response sending error and close as soon as we read the request
+ void stopSending(const char *error);
+
void expectNoForwarding(); ///< cleans up virgin request [body] forwarding state
BodyPipe::Pointer expectRequestBody(int64_t size);
@@ -293,9 +300,14 @@
private:
CBDATA_CLASS2(ConnStateData);
bool transparent_;
- bool closing_;
bool switchedToHttps_;
+
+ /// the reason why we no longer write the response or nil
+ const char *stoppedSending_;
+ /// the reason why we no longer read the request or nil
+ const char *stoppedReceiving_;
+
String sslHostName; ///< Host name for SSL certificate generation
AsyncCall::Pointer reader; ///< set when we are reading
BodyPipe::Pointer bodyPipe; // set when we are reading request body
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org