Remove URN support #1930
Remove URN support #1930
Conversation
There was a problem hiding this comment.
This minimal PR implements URN support removal as I requested earlier. It does not add support for forwarding requests with URN scheme (and other unsupported schemes) to cache_peers. I am not sure there is enough need for such forwarding, but that should be settled separately if somebody actually decides to work on adding that new feature.
errors/template.am
Outdated
| @@ -48,6 +48,5 @@ ERROR_TEMPLATES = \ | |||
| templates/ERR_TOO_BIG \ | |||
| templates/ERR_UNSUP_HTTPVERSION \ | |||
| templates/ERR_UNSUP_REQ \ | |||
| templates/ERR_URN_RESOLVE \ | |||
There was a problem hiding this comment.
This PR does not update PO/POT files based on an earlier recommendation. If those files should be updated to reflect ERR_URN_RESOLVE removal, please let me know, and we will update them (you can even preview most of those changes in earlier branch commit c00c79a that was later reverted).
There was a problem hiding this comment.
These templates are used to generate the "langpack" releases which get installed for use by much older versions of Squid. The template file needs to be retained until no supported version of Squid tries to load it on startup.
This is also why the ERR_ESI remains.
There was a problem hiding this comment.
The template file needs to be retained
Restored at 0f42fbd.
rousskov
added
the
S-waiting-for-more-reviewers
doc/release-notes/release-7.sgml.in
Outdated
| <p>If necessary, a similar feature can be implemented externally, using | ||
| url_rewrite_program helpers or adaptation services. |
There was a problem hiding this comment.
That would be a bug. You have removed the ability for Squid to correctly:
a) parse any request-target with "urn:" scheme, and
b) send a valid URN anywhere (including helpers, ICAP, eCAP, and even cache.log - receive unknown:// at most)
A squid lacking "foo:" support should reject all "foo:" URLs on initial parse/validate. Failure to do that re-opens one of those security vulnerabilities I closed off by fixing the URN NID validation.
There was a problem hiding this comment.
You have removed the ability for Squid to ... send a valid URN anywhere (including helpers, ICAP, eCAP...)
Agreed. I have adjusted PR description and release notes (commit 14914f4) to precondition external support on enhancing Squid to handle unknown (to Squid) URI schemes (which should not be limited to URN scheme, of course). Fortunately, we do not need to debate the details of that hypothetical enhancement -- folks implementing it should initiate that debate outside this PR.
errors/template.am
Outdated
| @@ -48,6 +48,5 @@ ERROR_TEMPLATES = \ | |||
| templates/ERR_TOO_BIG \ | |||
| templates/ERR_UNSUP_HTTPVERSION \ | |||
| templates/ERR_UNSUP_REQ \ | |||
| templates/ERR_URN_RESOLVE \ | |||
There was a problem hiding this comment.
These templates are used to generate the "langpack" releases which get installed for use by much older versions of Squid. The template file needs to be retained until no supported version of Squid tries to load it on startup.
This is also why the ERR_ESI remains.
doc/release-notes/release-7.sgml.in
Outdated
| <p>Squid URN resolution code has been neglected for a very long time and caused | ||
| multiple security vulnerabilities. This feature was rarely used (if at all). |
There was a problem hiding this comment.
Come on be honest. All attempts to update the code were vetoed by you. Otherwise this code would very much have been updated by at least four authors in the past 10 years.
There was a problem hiding this comment.
Come on be honest. All attempts to update the code were vetoed by you. Otherwise this code would very much have been updated by at least four authors in the past 10 years.
I hope that any vetoes were correct, but this discussion and implications of dishonesty feel out of scope: PR text describes code state. It does not speculate about the reasons that led to that code state.
| @@ -56,7 +56,6 @@ Adaptation::Ecap::Host::Host() | |||
| libecap::protocolHttps.assignHostId(AnyP::PROTO_HTTPS); | |||
| libecap::protocolFtp.assignHostId(AnyP::PROTO_FTP); | |||
| libecap::protocolWais.assignHostId(AnyP::PROTO_WAIS); | |||
| libecap::protocolUrn.assignHostId(AnyP::PROTO_URN); | |||
There was a problem hiding this comment.
Thus rendering eCAP unable to meet the release notes claimed capability of performing Trivial-HTTP Resolver gateway.
("AnyP::PROTO_UNKNOWN" are passed as static string "unknown", not as the received scheme image)
There was a problem hiding this comment.
Host application IDs being configured by this code are an optimization that speeds up string comparison for common cases. eCAP code should function correctly without that optimization. If it does not, it is an out-of-scope bug (in eCAP adapter or host application code).
| absolute_.append(":", 1); | ||
| absolute_.append("//", 2); | ||
| const bool allowUserInfo = getScheme() == AnyP::PROTO_FTP || | ||
| getScheme() == AnyP::PROTO_UNKNOWN; |
There was a problem hiding this comment.
This needs to exclude URI with image() of "urn:" (which is now part of AnyP::PROTO_UNKNOWN) or we open a security vulnerability for sensitive data exfiltration.
There was a problem hiding this comment.
Also, these changes are what render ICAP and helpers unable to meet the release notes claimed capability of performing Trivial-HTTP Resolver gateway.
There was a problem hiding this comment.
This needs to exclude URI with image() of "urn:" (which is now part of
AnyP::PROTO_UNKNOWN) or we open a security vulnerability for sensitive data exfiltration.
PR code treats all unknown (to Squid) URI schemes the same. This code had received unknown non-URN schemes prior to PR changes. Thus, the "we open a vulnerability" assertion is false: Either that vulnerability existed before these changes, or these changes do not open it.
Also, these changes are what render ICAP and helpers unable to meet the release notes claimed capability of performing Trivial-HTTP Resolver gateway.
That problem was flagged and addressed in another change request. If necessary, let's continue this part of the discussion there.
kinkie
added
S-waiting-for-author
Also described how URNs are treated now.
doc/release-notes/release-7.sgml.in
Outdated
| <p>Squid URN resolution code has been neglected for a very long time and caused | ||
| multiple security vulnerabilities. This feature was rarely used (if at all). |
There was a problem hiding this comment.
Come on be honest. All attempts to update the code were vetoed by you. Otherwise this code would very much have been updated by at least four authors in the past 10 years.
I hope that any vetoes were correct, but this discussion and implications of dishonesty feel out of scope: PR text describes code state. It does not speculate about the reasons that led to that code state.
doc/release-notes/release-7.sgml.in
Outdated
| <p>If necessary, a similar feature can be implemented externally, using | ||
| url_rewrite_program helpers or adaptation services. |
There was a problem hiding this comment.
You have removed the ability for Squid to ... send a valid URN anywhere (including helpers, ICAP, eCAP...)
Agreed. I have adjusted PR description and release notes (commit 14914f4) to precondition external support on enhancing Squid to handle unknown (to Squid) URI schemes (which should not be limited to URN scheme, of course). Fortunately, we do not need to debate the details of that hypothetical enhancement -- folks implementing it should initiate that debate outside this PR.
| @@ -56,7 +56,6 @@ Adaptation::Ecap::Host::Host() | |||
| libecap::protocolHttps.assignHostId(AnyP::PROTO_HTTPS); | |||
| libecap::protocolFtp.assignHostId(AnyP::PROTO_FTP); | |||
| libecap::protocolWais.assignHostId(AnyP::PROTO_WAIS); | |||
| libecap::protocolUrn.assignHostId(AnyP::PROTO_URN); | |||
There was a problem hiding this comment.
Host application IDs being configured by this code are an optimization that speeds up string comparison for common cases. eCAP code should function correctly without that optimization. If it does not, it is an out-of-scope bug (in eCAP adapter or host application code).
| absolute_.append(":", 1); | ||
| absolute_.append("//", 2); | ||
| const bool allowUserInfo = getScheme() == AnyP::PROTO_FTP || | ||
| getScheme() == AnyP::PROTO_UNKNOWN; |
There was a problem hiding this comment.
This needs to exclude URI with image() of "urn:" (which is now part of
AnyP::PROTO_UNKNOWN) or we open a security vulnerability for sensitive data exfiltration.
PR code treats all unknown (to Squid) URI schemes the same. This code had received unknown non-URN schemes prior to PR changes. Thus, the "we open a vulnerability" assertion is false: Either that vulnerability existed before these changes, or these changes do not open it.
Also, these changes are what render ICAP and helpers unable to meet the release notes claimed capability of performing Trivial-HTTP Resolver gateway.
That problem was flagged and addressed in another change request. If necessary, let's continue this part of the discussion there.
rousskov
added
S-waiting-for-reviewer
Squid URN resolution code has been neglected for a very long time and
caused multiple security vulnerabilities. Its existence complicates
planned StoreClient API refactoring. URN resolution feature is rarely
used (if at all). If Squid handling of unknown (to Squid) URI schemes is
enhanced, a similar feature can be implemented externally, using
url_rewrite_program helpers or adaptation services.
Squid now treats URN as any unknown (to Squid) URI scheme, typically
responding with an HTTP 400 (Bad Request) ERR_INVALID_URL.
Prior to these changes, Squid did not forward HTTP requests with URN
scheme targets to cache_peers either. Instead, Squid rewrote request
targets into URLs with an HTTP scheme (and a
/uri-res/N2L?pathprefix; see Historic THTTP RFC 2169) and forwarded those adapted
requests. That hard-coded adaptation and forwarding are now gone.