Sync from SUSE:SLFO:Main squid revision 8946f92edc123c75b0b6b29bd729d571

This commit is contained in:
Adrian Schröter 2024-12-18 16:19:12 +01:00
commit 5e78dec414
20 changed files with 6753 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

13
CVE-2024-33427.patch Normal file
View File

@ -0,0 +1,13 @@
Index: squid-6.9/src/ConfigParser.cc
===================================================================
--- squid-6.9.orig/src/ConfigParser.cc
+++ squid-6.9/src/ConfigParser.cc
@@ -181,7 +181,7 @@ ConfigParser::UnQuote(const char *token,
*d = '\0';
// We are expecting a separator after quoted string, space or one of "()#"
- if (*(s + 1) != '\0' && !strchr(w_space "()#", *(s + 1)) && !errorStr) {
+ if (!errorStr && *(s + 1) != '\0' && !strchr(w_space "()#", *(s + 1))) {
errorStr = "Expecting space after the end of quoted token";
errorPos = token;
}

61
README.kerberos Normal file
View File

@ -0,0 +1,61 @@
This is the README.kerberos file
to have squid negotiate/authenticate via kerberos
any addons are very welcome
comments could be posted to <chris(at)computersalat.de>
1) you need to add a "USER" inside your "Domain-Computers" Container
called "squid". Yes a "USER" and not a Computer.
You may use another name, but why ?
2) After having successfully created the user, you need to create a
keytab file on your WIN box.
Example: !! This is all in one line !!
ktpass -princ HTTP/squid@DOMAIN.REALM -pType KRB5_NT_PRINCIPAL \
-mapuser squid -pass * -out HTTP.keytab
3) copy over HTTP.keytab to /etc/squid/ on your linux box
4) you have to tell your browsers to negotiate via kerberos
Have a look at:
a) Internet Explorer does not support Kerberos authentication with proxy servers
http://support.microsoft.com/?scid=kb%3Ben-us%3B321728&x=19&y=14
This limitation was removed in Windows Internet Explorer 7.
If Integrated Windows Authentication is turned on in Internet Explorer
for Windows 2000 and Windows XP, you can complete Kerberos authentication
with Web servers either directly or through a proxy server. However,
Internet Explorer cannot use Kerberos to authenticate with the proxy
server itself.
b) Unable to negotiate Kerberos authentication after upgrading to Internet Explorer 6
http://support.microsoft.com/kb/299838/EN-US/
To resolve this issue, enable Internet Explorer 6 to respond to
a negotiate challenge and perform Kerberos authentication:
1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Advanced tab, click to select the Enable
Integrated Windows Authentication (requires restart) check box
in the Security section, and then click OK.
3. Restart Internet Explorer.
Administrators can enable Integrated Windows Authentication by
setting the EnableNegotiate DWORD value to 1 in the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Note Internet Explorer 6, when used with Microsoft Windows 98,
Microsoft Windows 98 Second Edition, Microsoft Windows Millennium Edition,
and Microsoft Windows NT 4.0 does not respond to a negotiate challenge and
default to NTLM (or Windows NT Challenge/Response) authentication even if
the Enable Integrated Windows Authentication (requires restart) check
box is selected because Kerberos authentication is not available on
these operating systems.

7
cache_dir.sed Normal file
View File

@ -0,0 +1,7 @@
#!/usr/bin/sed -nf
/^\s*cache_dir\s\+[[:alnum:]]\+\s\+\([[:graph:]\/]\+\)\s.*/ {
s//\1\/00/p
q
}

View File

@ -0,0 +1,23 @@
Index: squid-6.2/tools/systemd/squid.service
===================================================================
--- squid-6.2.orig/tools/systemd/squid.service
+++ squid-6.2/tools/systemd/squid.service
@@ -11,6 +11,18 @@ Documentation=man:squid(8)
After=network.target network-online.target nss-lookup.target
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=notify
PIDFile=/var/run/squid.pid
ExecStartPre=/usr/sbin/squid --foreground -z

View File

@ -0,0 +1,13 @@
#!/bin/sh
DIR=$(dirname $0)
CACHE_DIR=$($DIR/cache_dir.sed < /etc/squid/squid.conf)
if [ 'x'$CACHE_DIR = 'x' ]; then
exit 0
fi
if ! test -d $CACHE_DIR; then
echo "Initializing cache directories..."
exec /usr/sbin/squid -z -F --foreground -S
fi

16
missing_installs.patch Normal file
View File

@ -0,0 +1,16 @@
Index: squid-6.2/src/acl/external/kerberos_ldap_group/Makefile.am
===================================================================
--- squid-6.2.orig/src/acl/external/kerberos_ldap_group/Makefile.am
+++ squid-6.2/src/acl/external/kerberos_ldap_group/Makefile.am
@@ -15,9 +15,11 @@ EXTRA_DIST= \
AM_CPPFLAGS += -I$(srcdir)
+
libexec_SCRIPTS = cert_tool
libexec_PROGRAMS = ext_kerberos_ldap_group_acl
+man_MANS = ext_kerberos_ldap_group_acl.8
ext_kerberos_ldap_group_acl_SOURCES = \
kerberos_ldap_group.cc \

423
old_nettle_compat.patch Normal file
View File

@ -0,0 +1,423 @@
Author: Adam Majer <amajer@suse.de>
Date: Thu Jul 18 13:57:22 CEST 2019
nettle from SLE-12 is missing the change from later
versions that ignores the destLen parameter size to
base64_decode_update function. This is only used in
the assert() but we need to pass real size of the buffer
as otherwise all we get is a crash.
The missing commit in nettle is,
commit 07cb0b62a5fab216ed647f5a87e0f17ab3c9a615
Author: Niels Möller <nisse@lysator.liu.se>
Date: Fri Feb 7 09:11:20 2014 +0100
Base64 and base16 decoding: Use *dst_length as output only.
Index: squid-5.4.1/src/HttpHeader.cc
===================================================================
--- squid-5.4.1.orig/src/HttpHeader.cc
+++ squid-5.4.1/src/HttpHeader.cc
@@ -1351,8 +1351,8 @@ HttpHeader::getAuthToken(Http::HdrType i
char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen));
struct base64_decode_ctx ctx;
base64_decode_init(&ctx);
- size_t decodedLen = 0;
- if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), fieldLen, field) ||
+ unsigned decodedLen = BASE64_DECODE_LENGTH(fieldLen);
+ if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), fieldLen, (uint8_t*)field) ||
!base64_decode_final(&ctx)) {
return nil;
}
Index: squid-5.4.1/src/auth/basic/Config.cc
===================================================================
--- squid-5.4.1.orig/src/auth/basic/Config.cc
+++ squid-5.4.1/src/auth/basic/Config.cc
@@ -178,8 +178,8 @@ Auth::Basic::Config::decodeCleartext(con
struct base64_decode_ctx ctx;
base64_decode_init(&ctx);
- size_t dstLen = 0;
- if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, eek) && base64_decode_final(&ctx)) {
+ unsigned int dstLen = BASE64_DECODE_LENGTH(srcLen)+1;
+ if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, (const uint8_t*)eek) && base64_decode_final(&ctx)) {
cleartext[dstLen] = '\0';
if (utf8 && !isValidUtf8String(cleartext, cleartext + dstLen)) {
Index: squid-5.4.1/src/auth/negotiate/SSPI/negotiate_sspi_auth.cc
===================================================================
--- squid-5.4.1.orig/src/auth/negotiate/SSPI/negotiate_sspi_auth.cc
+++ squid-5.4.1/src/auth/negotiate/SSPI/negotiate_sspi_auth.cc
@@ -131,6 +131,7 @@ token_decode(size_t *decodedLen, uint8_t
{
struct base64_decode_ctx ctx;
base64_decode_init(&ctx);
+ *decodedLen = BASE64_DECODE_LENGTH(strlen(srcLen));
if (!base64_decode_update(&ctx, decodedLen, decoded, strlen(buf), buf) ||
!base64_decode_final(&ctx)) {
SEND("BH base64 decode failed");
Index: squid-5.4.1/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
===================================================================
--- squid-5.4.1.orig/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
+++ squid-5.4.1/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
@@ -681,8 +681,8 @@ main(int argc, char *const argv[])
struct base64_decode_ctx ctx;
base64_decode_init(&ctx);
- size_t dstLen = 0;
- if (!base64_decode_update(&ctx, &dstLen, static_cast<uint8_t*>(input_token.value), srcLen, b64Token) ||
+ unsigned dstLen = BASE64_DECODE_LENGTH(srcLen);
+ if (!base64_decode_update(&ctx, &dstLen, static_cast<uint8_t*>(input_token.value), srcLen, (const uint8_t*)b64Token) ||
!base64_decode_final(&ctx)) {
debug((char *) "%s| %s: ERROR: Invalid base64 token [%s]\n", LogTime(), PROGRAM, b64Token);
fprintf(stdout, "BH Invalid negotiate request token\n");
@@ -743,8 +743,8 @@ main(int argc, char *const argv[])
}
struct base64_encode_ctx tokCtx;
base64_encode_init(&tokCtx);
- size_t blen = base64_encode_update(&tokCtx, token, spnegoTokenLength, reinterpret_cast<const uint8_t*>(spnegoToken));
- blen += base64_encode_final(&tokCtx, token+blen);
+ size_t blen = base64_encode_update(&tokCtx, (uint8_t*)token, spnegoTokenLength, reinterpret_cast<const uint8_t*>(spnegoToken));
+ blen += base64_encode_final(&tokCtx, (uint8_t*)token+blen);
token[blen] = '\0';
if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log, 1))
Index: squid-5.4.1/src/auth/negotiate/wrapper/negotiate_wrapper.cc
===================================================================
--- squid-5.4.1.orig/src/auth/negotiate/wrapper/negotiate_wrapper.cc
+++ squid-5.4.1/src/auth/negotiate/wrapper/negotiate_wrapper.cc
@@ -192,8 +192,8 @@ processingLoop(FILE *FDKIN, FILE *FDKOUT
struct base64_decode_ctx ctx;
base64_decode_init(&ctx);
- size_t dstLen = 0;
- if (!base64_decode_update(&ctx, &dstLen, token, strlen(buf+3), buf+3) ||
+ unsigned dstLen = length+1;
+ if (!base64_decode_update(&ctx, &dstLen, token, strlen(buf+3), (const uint8_t*)buf+3) ||
!base64_decode_final(&ctx)) {
if (debug_enabled)
fprintf(stderr, "%s| %s: Invalid base64 token [%s]\n", LogTime(), PROGRAM, buf+3);
Index: squid-5.4.1/src/auth/ntlm/SMB_LM/ntlm_smb_lm_auth.cc
===================================================================
--- squid-5.4.1.orig/src/auth/ntlm/SMB_LM/ntlm_smb_lm_auth.cc
+++ squid-5.4.1/src/auth/ntlm/SMB_LM/ntlm_smb_lm_auth.cc
@@ -203,8 +203,8 @@ make_challenge(char *domain, char *domai
struct base64_encode_ctx ctx;
base64_encode_init(&ctx);
- size_t blen = base64_encode_update(&ctx, b64buf, len, reinterpret_cast<const uint8_t *>(&chal));
- blen += base64_encode_final(&ctx, b64buf+blen);
+ size_t blen = base64_encode_update(&ctx, (uint8_t*)b64buf, len, reinterpret_cast<const uint8_t *>(&chal));
+ blen += base64_encode_final(&ctx, (uint8_t*)b64buf+blen);
b64buf[blen] = '\0';
return b64buf;
}
@@ -516,9 +516,9 @@ manage_request()
/* figure out what we got */
struct base64_decode_ctx ctx;
base64_decode_init(&ctx);
- size_t dstLen = 0;
+ unsigned dstLen = NTLM_BLOB_BUFFER_SIZE;
int decodedLen = 0;
- if (!base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(decoded), strlen(buf)-3, buf+3) ||
+ if (!base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(decoded), strlen(buf)-3, (const uint8_t*)buf+3) ||
!base64_decode_final(&ctx)) {
SEND("NA Packet format error, couldn't base64-decode");
return;
Index: squid-5.4.1/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc
===================================================================
--- squid-5.4.1.orig/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc
+++ squid-5.4.1/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc
@@ -418,6 +418,7 @@ token_decode(size_t *decodedLen, uint8_t
{
struct base64_decode_ctx ctx;
base64_decode_init(&ctx);
+ *decodedLen = BASE64_DECODE_LENGTH(strlen(buf))+1;
if (!base64_decode_update(&ctx, decodedLen, decoded, strlen(buf), buf) ||
!base64_decode_final(&ctx)) {
SEND_BH("message=\"base64 decode failed\"");
Index: squid-5.4.1/src/auth/ntlm/fake/ntlm_fake_auth.cc
===================================================================
--- squid-5.4.1.orig/src/auth/ntlm/fake/ntlm_fake_auth.cc
+++ squid-5.4.1/src/auth/ntlm/fake/ntlm_fake_auth.cc
@@ -164,9 +164,9 @@ main(int argc, char *argv[])
ntlmhdr *packet;
struct base64_decode_ctx ctx;
base64_decode_init(&ctx);
- size_t dstLen = 0;
+ unsigned dstLen = HELPER_INPUT_BUFFER;
if (buflen > 3 &&
- base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, buf+3) &&
+ base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, (const uint8_t*)buf+3) &&
base64_decode_final(&ctx)) {
decodedLen = dstLen;
packet = (ntlmhdr*)decodedBuf;
@@ -205,8 +205,8 @@ main(int argc, char *argv[])
struct base64_encode_ctx eCtx;
base64_encode_init(&eCtx);
char *data = static_cast<char *>(xcalloc(base64_encode_len(len), 1));
- size_t blen = base64_encode_update(&eCtx, data, len, reinterpret_cast<const uint8_t *>(&chal));
- blen += base64_encode_final(&eCtx, data+blen);
+ size_t blen = base64_encode_update(&eCtx, (uint8_t*)data, len, reinterpret_cast<const uint8_t *>(&chal));
+ blen += base64_encode_final(&eCtx, (uint8_t*)data+blen);
if (NTLM_packet_debug_enabled) {
printf("TT %.*s\n", (int)blen, data);
debug("sending 'TT' to squid with data:\n");
Index: squid-5.4.1/tools/cachemgr.cc
===================================================================
--- squid-5.4.1.orig/tools/cachemgr.cc
+++ squid-5.4.1/tools/cachemgr.cc
@@ -1110,8 +1110,8 @@ make_pub_auth(cachemgr_request * req)
req->pub_auth = (char *) xmalloc(encodedLen);
struct base64_encode_ctx ctx;
base64_encode_init(&ctx);
- size_t blen = base64_encode_update(&ctx, req->pub_auth, bufLen, reinterpret_cast<uint8_t*>(buf));
- blen += base64_encode_final(&ctx, req->pub_auth + blen);
+ size_t blen = base64_encode_update(&ctx, (uint8_t*)req->pub_auth, bufLen, reinterpret_cast<uint8_t*>(buf));
+ blen += base64_encode_final(&ctx, (uint8_t*)req->pub_auth + blen);
req->pub_auth[blen] = '\0';
debug("cmgr: encoded: '%s'\n", req->pub_auth);
}
@@ -1131,8 +1131,8 @@ decode_pub_auth(cachemgr_request * req)
char *buf = static_cast<char*>(xmalloc(BASE64_DECODE_LENGTH(strlen(req->pub_auth))+1));
struct base64_decode_ctx ctx;
base64_decode_init(&ctx);
- size_t decodedLen = 0;
- if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(buf), strlen(req->pub_auth), req->pub_auth) ||
+ unsigned decodedLen = BASE64_DECODE_LENGTH(strlen(req->pub_auth))+1;
+ if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(buf), strlen(req->pub_auth), (uint8_t*)req->pub_auth) ||
!base64_decode_final(&ctx)) {
debug("cmgr: base64 decode failure. Incomplete auth token string.\n");
xfree(buf);
@@ -1225,8 +1225,8 @@ make_auth_header(const cachemgr_request
char *str64 = static_cast<char *>(xmalloc(encodedLen));
struct base64_encode_ctx ctx;
base64_encode_init(&ctx);
- size_t blen = base64_encode_update(&ctx, str64, bufLen, reinterpret_cast<uint8_t*>(buf));
- blen += base64_encode_final(&ctx, str64+blen);
+ size_t blen = base64_encode_update(&ctx, (uint8_t*)str64, bufLen, reinterpret_cast<uint8_t*>(buf));
+ blen += base64_encode_final(&ctx, (uint8_t*)str64+blen);
str64[blen] = '\0';
stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %.*s\r\n", (int)blen, str64);
Index: squid-5.4.1/include/base64.h
===================================================================
--- squid-5.4.1.orig/include/base64.h
+++ squid-5.4.1/include/base64.h
@@ -9,11 +9,11 @@
#ifndef _SQUID_BASE64_H
#define _SQUID_BASE64_H
-#if HAVE_NETTLE_BASE64_H && HAVE_NETTLE34_BASE64
+#if HAVE_NETTLE_BASE64_H
#include <nettle/base64.h>
#else /* Base64 functions copied from Nettle 3.4 under GPLv2, with adjustments */
-
+#error "Mssing libnettle-devel"
/* base64.h
Base-64 encoding and decoding.
Index: squid-5.4.1/lib/base64.c
===================================================================
--- squid-5.4.1.orig/lib/base64.c
+++ squid-5.4.1/lib/base64.c
@@ -13,7 +13,7 @@
#include "squid.h"
#include "base64.h"
-#if !HAVE_NETTLE_BASE64_H || !HAVE_NETTLE34_BASE64
+#if !HAVE_NETTLE_BASE64_H
/* base64-encode.c
Index: squid-5.4.1/src/format/Format.cc
===================================================================
--- squid-5.4.1.orig/src/format/Format.cc
+++ squid-5.4.1/src/format/Format.cc
@@ -556,8 +556,8 @@ Format::Format::assemble(MemBuf &mb, con
struct base64_encode_ctx ctx;
base64_encode_init(&ctx);
- auto encLength = base64_encode_update(&ctx, buf, rawLength, reinterpret_cast<const uint8_t*>(handshake.rawContent()));
- encLength += base64_encode_final(&ctx, buf + encLength);
+ auto encLength = base64_encode_update(&ctx, (uint8_t*)buf, rawLength, reinterpret_cast<const uint8_t*>(handshake.rawContent()));
+ encLength += base64_encode_final(&ctx, (uint8_t*)buf + encLength);
sb.rawAppendFinish(buf, encLength);
out = sb.c_str();
Index: squid-5.4.1/src/auth/negotiate/kerberos/negotiate_kerberos_auth_test.cc
===================================================================
--- squid-5.4.1.orig/src/auth/negotiate/kerberos/negotiate_kerberos_auth_test.cc
+++ squid-5.4.1/src/auth/negotiate/kerberos/negotiate_kerberos_auth_test.cc
@@ -203,8 +203,8 @@ squid_kerb_proxy_auth(char *proxy)
token = (char *) xcalloc(base64_encode_len(output_token.length), 1);
struct base64_encode_ctx ctx;
base64_encode_init(&ctx);
- size_t blen = base64_encode_update(&ctx, token, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value));
- blen += base64_encode_final(&ctx, token+blen);
+ size_t blen = base64_encode_update(&ctx, (uint8_t*)token, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value));
+ blen += base64_encode_final(&ctx, (uint8_t*)token+blen);
}
}
Index: squid-5.4.1/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
===================================================================
--- squid-5.4.1.orig/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
+++ squid-5.4.1/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
@@ -245,8 +245,8 @@ getdomaingids(char *ad_groups, uint32_t
base64_encode_init(&ctx);
const uint32_t expectedSz = base64_encode_len(length+4) +1 /* terminator */;
char *b64buf = static_cast<char *>(xcalloc(expectedSz, 1));
- size_t blen = base64_encode_update(&ctx, b64buf, length+4, reinterpret_cast<uint8_t*>(ag));
- blen += base64_encode_final(&ctx, b64buf+blen);
+ size_t blen = base64_encode_update(&ctx, (uint8_t*)b64buf, length+4, reinterpret_cast<uint8_t*>(ag));
+ blen += base64_encode_final(&ctx, (uint8_t*)b64buf+blen);
b64buf[expectedSz-1] = '\0';
if (!pstrcat(ad_groups, b64buf)) {
debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n",
@@ -334,8 +334,8 @@ getextrasids(char *ad_groups, uint32_t E
base64_encode_init(&ctx);
const uint32_t expectedSz = base64_encode_len(length) +1 /* terminator */;
char *b64buf = static_cast<char *>(xcalloc(expectedSz, 1));
- size_t blen = base64_encode_update(&ctx, b64buf, length, reinterpret_cast<uint8_t*>(ag));
- blen += base64_encode_final(&ctx, b64buf+blen);
+ size_t blen = base64_encode_update(&ctx, (uint8_t*)b64buf, length, reinterpret_cast<uint8_t*>(ag));
+ blen += base64_encode_final(&ctx, (uint8_t*)b64buf+blen);
b64buf[expectedSz-1] = '\0';
if (!pstrcat(ad_groups, reinterpret_cast<char*>(b64buf))) {
debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n",
Index: squid-5.4.1/src/adaptation/icap/ModXact.cc
===================================================================
--- squid-5.4.1.orig/src/adaptation/icap/ModXact.cc
+++ squid-5.4.1/src/adaptation/icap/ModXact.cc
@@ -1412,10 +1412,10 @@ void Adaptation::Icap::ModXact::makeRequ
struct base64_encode_ctx ctx;
base64_encode_init(&ctx);
char base64buf[base64_encode_len(MAX_LOGIN_SZ)];
- size_t resultLen = base64_encode_update(&ctx, base64buf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
- resultLen += base64_encode_update(&ctx, base64buf+resultLen, 1, reinterpret_cast<const uint8_t*>(":"));
- resultLen += base64_encode_update(&ctx, base64buf+resultLen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
- resultLen += base64_encode_final(&ctx, base64buf+resultLen);
+ size_t resultLen = base64_encode_update(&ctx, (uint8_t*)base64buf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
+ resultLen += base64_encode_update(&ctx, (uint8_t*)base64buf+resultLen, 1, reinterpret_cast<const uint8_t*>(":"));
+ resultLen += base64_encode_update(&ctx, (uint8_t*)base64buf+resultLen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
+ resultLen += base64_encode_final(&ctx, (uint8_t*)base64buf+resultLen);
buf.appendf("Proxy-Authorization: Basic %.*s\r\n", (int)resultLen, base64buf);
}
@@ -1571,8 +1571,8 @@ void Adaptation::Icap::ModXact::makeUser
if (value) {
if (TheConfig.client_username_encode) {
char base64buf[base64_encode_len(MAX_LOGIN_SZ)];
- size_t resultLen = base64_encode_update(&ctx, base64buf, strlen(value), reinterpret_cast<const uint8_t*>(value));
- resultLen += base64_encode_final(&ctx, base64buf+resultLen);
+ size_t resultLen = base64_encode_update(&ctx, (uint8_t*)base64buf, strlen(value), reinterpret_cast<const uint8_t*>(value));
+ resultLen += base64_encode_final(&ctx, (uint8_t*)base64buf+resultLen);
buf.appendf("%s: %.*s\r\n", TheConfig.client_username_header, (int)resultLen, base64buf);
} else
buf.appendf("%s: %s\r\n", TheConfig.client_username_header, value);
Index: squid-5.4.1/src/http.cc
===================================================================
--- squid-5.4.1.orig/src/http.cc
+++ squid-5.4.1/src/http.cc
@@ -1807,9 +1807,9 @@ httpFixupAuthentication(HttpRequest * re
username = request->auth_user_request->username();
#endif
- blen = base64_encode_update(&ctx, loginbuf, strlen(username), reinterpret_cast<const uint8_t*>(username));
- blen += base64_encode_update(&ctx, loginbuf+blen, strlen(request->peer_login +1), reinterpret_cast<const uint8_t*>(request->peer_login +1));
- blen += base64_encode_final(&ctx, loginbuf+blen);
+ blen = base64_encode_update(&ctx, (uint8_t*)loginbuf, strlen(username), reinterpret_cast<const uint8_t*>(username));
+ blen += base64_encode_update(&ctx, (uint8_t*)loginbuf+blen, strlen(request->peer_login +1), reinterpret_cast<const uint8_t*>(request->peer_login +1));
+ blen += base64_encode_final(&ctx, (uint8_t*)loginbuf+blen);
httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf);
return;
}
@@ -1819,10 +1819,10 @@ httpFixupAuthentication(HttpRequest * re
(strcmp(request->peer_login, "PASS") == 0 ||
strcmp(request->peer_login, "PROXYPASS") == 0)) {
- blen = base64_encode_update(&ctx, loginbuf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
- blen += base64_encode_update(&ctx, loginbuf+blen, 1, reinterpret_cast<const uint8_t*>(":"));
- blen += base64_encode_update(&ctx, loginbuf+blen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
- blen += base64_encode_final(&ctx, loginbuf+blen);
+ blen = base64_encode_update(&ctx, (uint8_t*)loginbuf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
+ blen += base64_encode_update(&ctx, (uint8_t*)loginbuf+blen, 1, reinterpret_cast<const uint8_t*>(":"));
+ blen += base64_encode_update(&ctx, (uint8_t*)loginbuf+blen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
+ blen += base64_encode_final(&ctx, (uint8_t*)loginbuf+blen);
httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf);
return;
}
@@ -1851,8 +1851,8 @@ httpFixupAuthentication(HttpRequest * re
}
#endif /* HAVE_KRB5 && HAVE_GSSAPI */
- blen = base64_encode_update(&ctx, loginbuf, strlen(request->peer_login), reinterpret_cast<const uint8_t*>(request->peer_login));
- blen += base64_encode_final(&ctx, loginbuf+blen);
+ blen = base64_encode_update(&ctx, (uint8_t*)loginbuf, strlen(request->peer_login), reinterpret_cast<const uint8_t*>(request->peer_login));
+ blen += base64_encode_final(&ctx, (uint8_t*)loginbuf+blen);
httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf);
return;
}
@@ -1979,8 +1979,8 @@ HttpStateData::httpBuildRequestHeader(Ht
static char result[base64_encode_len(MAX_URL*2)]; // should be big enough for a single URI segment
struct base64_encode_ctx ctx;
base64_encode_init(&ctx);
- size_t blen = base64_encode_update(&ctx, result, request->url.userInfo().length(), reinterpret_cast<const uint8_t*>(request->url.userInfo().rawContent()));
- blen += base64_encode_final(&ctx, result+blen);
+ size_t blen = base64_encode_update(&ctx, (uint8_t*)result, request->url.userInfo().length(), reinterpret_cast<const uint8_t*>(request->url.userInfo().rawContent()));
+ blen += base64_encode_final(&ctx, (uint8_t*)result+blen);
result[blen] = '\0';
if (blen)
httpHeaderPutStrf(hdr_out, Http::HdrType::AUTHORIZATION, "Basic %.*s", (int)blen, result);
Index: squid-5.4.1/src/peer_proxy_negotiate_auth.cc
===================================================================
--- squid-5.4.1.orig/src/peer_proxy_negotiate_auth.cc
+++ squid-5.4.1/src/peer_proxy_negotiate_auth.cc
@@ -562,8 +562,8 @@ char *peer_proxy_negotiate_auth(char *pr
static char b64buf[8192]; // XXX: 8KB only because base64_encode_bin() used to.
struct base64_encode_ctx ctx;
base64_encode_init(&ctx);
- size_t blen = base64_encode_update(&ctx, b64buf, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value));
- blen += base64_encode_final(&ctx, b64buf+blen);
+ size_t blen = base64_encode_update(&ctx, (uint8_t*)b64buf, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value));
+ blen += base64_encode_final(&ctx, (uint8_t*)b64buf+blen);
b64buf[blen] = '\0';
token = reinterpret_cast<char*>(b64buf);
Index: squid-5.4.1/tools/squidclient/gssapi_support.cc
===================================================================
--- squid-5.4.1.orig/tools/squidclient/gssapi_support.cc
+++ squid-5.4.1/tools/squidclient/gssapi_support.cc
@@ -134,8 +134,8 @@ GSSAPI_token(const char *server)
token = new char[base64_encode_len(output_token.length)];
struct base64_encode_ctx ctx;
base64_encode_init(&ctx);
- size_t blen = base64_encode_update(&ctx, token, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value));
- blen += base64_encode_final(&ctx, token+blen);
+ size_t blen = base64_encode_update(&ctx, (uint8_t*)token, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value));
+ blen += base64_encode_final(&ctx, (uint8_t*)token+blen);
token[blen] = '\0';
}
}
Index: squid-5.4.1/tools/squidclient/squidclient.cc
===================================================================
--- squid-5.4.1.orig/tools/squidclient/squidclient.cc
+++ squid-5.4.1/tools/squidclient/squidclient.cc
@@ -212,10 +212,10 @@ Authorization::commit(std::ostream &os)
const auto buf = new char[bcapacity];
size_t bsize = 0;
- bsize += base64_encode_update(&ctx, buf, strlen(user), reinterpret_cast<const uint8_t*>(user));
- bsize += base64_encode_update(&ctx, buf+bsize, 1, reinterpret_cast<const uint8_t*>(":"));
- bsize += base64_encode_update(&ctx, buf+bsize, strlen(password), reinterpret_cast<const uint8_t*>(password));
- bsize += base64_encode_final(&ctx, buf+bsize);
+ bsize += base64_encode_update(&ctx, (uint8_t*)buf, strlen(user), reinterpret_cast<const uint8_t*>(user));
+ bsize += base64_encode_update(&ctx, (uint8_t*)buf+bsize, 1, reinterpret_cast<const uint8_t*>(":"));
+ bsize += base64_encode_update(&ctx, (uint8_t*)buf+bsize, strlen(password), reinterpret_cast<const uint8_t*>(password));
+ bsize += base64_encode_final(&ctx, (uint8_t*)buf+bsize);
assert(bsize <= bcapacity); // paranoid and late but better than nothing
os << header << ": Basic ";

6
pam.squid Normal file
View File

@ -0,0 +1,6 @@
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session

BIN
squid-6.12.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

17
squid-6.12.tar.xz.asc Normal file
View File

@ -0,0 +1,17 @@
File: squid-6.12.tar.xz
Date: Fri Oct 11 08:30:43 PM UTC 2024
Size: 2548220
MD5 : 26a264b234e22e012ea531d4f5d43ed1
SHA1: 2885015423b66f0b87e2e3ed0dfd17f3f124d7e6
Key : 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865 <kinkie@squid-cache.org>
29B4 B1F7 CE03 D1B1 DED2 2F30 28F8 5029 FEF6 E865
sub cv25519 2021-05-15 [E]
keyring = http://www.squid-cache.org/pgp.asc
keyserver = pool.sks-keyservers.net
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCZwmLBQAKCRAo+FAp/vbo
ZYYJAP9pMd7sF4qmLLMlHIu48KMKqGhJdkEEpZJbOvmXS4lpBQD/QzCU3cng78NN
orwehX0iYHf0lWvY8IjBV/9YEPi9iww=
=yaaw
-----END PGP SIGNATURE-----

4
squid-user.conf Normal file
View File

@ -0,0 +1,4 @@
# Type Name ID GECOS [HOME]
u squid - "WWW-proxy squid" /var/cache/squid
g winbind - -
m squid winbind

3378
squid.changes Normal file

File diff suppressed because it is too large Load Diff

2067
squid.keyring Normal file

File diff suppressed because it is too large Load Diff

15
squid.logrotate Normal file
View File

@ -0,0 +1,15 @@
/var/log/squid/access.log /var/log/squid/store.log /var/log/squid/cache.log {
su squid squid
compress
dateext
maxage 365
rotate 99
size=+4096k
notifempty
missingok
create 640 squid squid
sharedscripts
postrotate
/usr/bin/systemctl -q is-active squid.service && /usr/sbin/squid -k rotate
endscript
}

2
squid.permissions Normal file
View File

@ -0,0 +1,2 @@
/var/cache/squid/ squid:root 750
/var/log/squid/ squid:root 750

28
squid.service Normal file
View File

@ -0,0 +1,28 @@
[Unit]
Description=Squid caching proxy
Documentation=man:squid(8)
After=network.target named.service nss-lookup.service
[Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
Type=forking
ExecStartPre=%{_libexecdir}/squid/initialize_cache_if_needed.sh
ExecStart=/usr/sbin/squid -FC
ExecReload=/usr/bin/kill -HUP $MAINPID
LimitNOFILE=4096
[Install]
WantedBy=multi-user.target

434
squid.spec Normal file
View File

@ -0,0 +1,434 @@
#
# spec file for package squid
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define squidlibexecdir %{_libexecdir}/squid
%define squidconfdir %{_sysconfdir}/squid
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150300
%define squidhelperdir %{squidlibexecdir}
%else
%define squidhelperdir %{_sbindir}
%endif
Name: squid
Version: 6.12
Release: 0
Summary: Caching and forwarding HTTP web proxy
License: GPL-2.0-or-later
Group: Productivity/Networking/Web/Proxy
URL: http://www.squid-cache.org
Source0: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz
Source1: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz.asc
Source5: pam.squid
Source6: unsquid.pl
Source7: %{name}.logrotate
Source9: %{name}.permissions
Source10: README.kerberos
Source11: %{name}.service
Source12: %{name}-user.conf
# http://lists.squid-cache.org/pipermail/squid-announce/2016-October/000064.html
#Source13: http://www.squid-cache.org/pgp.asc#/squid.keyring
Source13: squid.keyring
Source15: cache_dir.sed
Source16: initialize_cache_if_needed.sh
Source17: tmpfilesdir.squid.conf
Patch1: missing_installs.patch
Patch2: old_nettle_compat.patch
Patch3: harden_squid.service.patch
Patch4: CVE-2024-33427.patch
BuildRequires: cppunit-devel
BuildRequires: expat
BuildRequires: fdupes
%if 0%{?suse_version} < 1590
BuildRequires: gcc11-c++
%else
BuildRequires: gcc-c++
%endif
BuildRequires: libcap-devel
BuildRequires: libtool
BuildRequires: openldap2-devel
BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: samba-winbind
BuildRequires: sharutils
BuildRequires: pkgconfig(expat)
BuildRequires: pkgconfig(gssrpc)
BuildRequires: pkgconfig(krb5)
BuildRequires: pkgconfig(libsasl2)
BuildRequires: pkgconfig(libxml-2.0)
BuildRequires: pkgconfig(nettle)
BuildRequires: pkgconfig(tdb)
Requires(pre): permissions
Recommends: logrotate
Provides: http_proxy
%{?systemd_ordering}
%if 0%{?suse_version} <= 1500
# due to package rename
# Wed Aug 15 17:40:30 UTC 2012
# remove this after SLE15
Provides: %{name}3 = %{version}
Obsoletes: %{name}3 < %{version}
%endif
%if 0%{?suse_version} >= 1500
BuildRequires: sysuser-shadow
BuildRequires: sysuser-tools
%sysusers_requires
%else
Requires(pre): shadow
%endif
%if 0%{?suse_version} >= 1330 && 0%{?suse_version} < 1599
BuildRequires: libnsl-devel
%endif
%description
Squid is a caching proxy for the Web supporting HTTP(S), FTP, and
some others. It reduces bandwidth and improves response times by
caching and reusing frequently-requested web pages. Squid has
extensive access controls and can also be used as a server
accelerator.
%prep
%setup -q
cp %{SOURCE10} .
%patch -P 3 -p1
%patch -P 4 -p1
# upstream patches after RELEASE
perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
%patch -P 1 -p1
%if 0%{?suse_version} < 1500
%patch -P 2 -p1
%endif
%build
autoreconf -fi
cd libltdl; autoreconf -fi; cd ..
export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
export LDFLAGS="-Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro,-z,now -pie"
%if 0%{?suse_version} < 1590
export CC=gcc-11
export CXX=g++-11
%endif
%configure \
--disable-strict-error-checking \
--sysconfdir=%{squidconfdir} \
--libexecdir=%{squidhelperdir} \
--datadir=%{_datadir}/squid \
--sharedstatedir=%{_localstatedir}/squid \
--with-logdir=%{_localstatedir}/log/squid \
--with-pidfile=%{_rundir}/squid.pid \
--with-dl \
--enable-disk-io \
--enable-storeio \
--enable-removal-policies=heap,lru \
--enable-icmp \
--enable-delay-pools \
--enable-icap-client \
--enable-useragent-log \
--enable-referer-log \
--enable-kill-parent-hack \
--enable-arp-acl \
--enable-ssl-crtd \
--with-openssl \
--enable-forw-via-db \
--enable-cache-digests \
--enable-linux-netfilter \
--with-large-files \
--enable-underscores \
--enable-auth \
%if 0%{?suse_version} < 1599
--enable-auth-basic="SMB_LM,DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
%else
--enable-auth-basic="SMB_LM,DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
%endif
--enable-auth-ntlm="SMB_LM,fake" \
--enable-auth-negotiate \
--enable-auth-digest \
--enable-external-acl-helpers=LDAP_group,eDirectory_userip,file_userip,kerberos_ldap_group,session,unix_group,wbinfo_group,time_quota \
--enable-stacktraces \
--enable-x-accelerator-vary \
--with-default-user=%{name} \
--disable-ident-lookups \
--enable-follow-x-forwarded-for \
--disable-arch-native \
--enable-security-cert-generators \
--enable-security-cert-validators
#make -O SAMBAPREFIX=%{_prefix} %{?_smp_mflags}
mkdir src/icmp/tests
mkdir tools/squidclient/tests
mkdir tools/sysvinit/tests tools/tests
make %{?_smp_mflags}
%if 0%{?suse_version} >= 1500
%sysusers_generate_pre %{SOURCE12} squid
%endif
%install
install -d -m 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name}
install -d %{buildroot}%{_sbindir}
# make_install
%make_install SAMBAPREFIX=%{_prefix}
mv %{buildroot}{%{_sysconfdir}/%{name}/,%{_datadir}/%{name}/}mime.conf.default
ln -s %{_sysconfdir}/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible
# install logrotate file
%if 0%{?suse_version} > 1500
mkdir -p %{buildroot}%{_distconfdir}/logrotate.d
install -Dpm 644 %{SOURCE7} \
%{buildroot}%{_distconfdir}/logrotate.d/%{name}
%else
install -Dpm 644 %{SOURCE7} \
%{buildroot}%{_sysconfdir}/logrotate.d/%{name}
%endif
install -d -m 755 doc/scripts
install scripts/*.pl doc/scripts
cat > doc/scripts/cachemgr.readme <<-EOT
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150300
cachemgr.cgi will now be found in %{squidhelperdir}
%else
cachemgr.cgi will now be found in %{_libdir}/%{name}
%endif
EOT
%if 0%{?suse_version} <= 1500 && 0%{?sle_version} < 150300
install -dpm 755 %{buildroot}/%{_libdir}/%{name}
mv %{buildroot}%{_sbindir}/cachemgr.cgi %{buildroot}/%{_libdir}/%{name}
%endif
install -dpm 755 doc/contrib
install %{SOURCE6} doc/contrib
%if 0%{?suse_version} > 1500
mkdir -p %{buildroot}%{_pam_vendordir}
install -Dpm 644 %{SOURCE5} %{buildroot}%{_pam_vendordir}/%{name}
%else
install -Dpm 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/pam.d/%{name}
%endif
rm -rf %{buildroot}%{squidconfdir}/errors
for i in errors/*; do
if [ -d $i ]; then
mkdir -p %{buildroot}%{_datadir}/%{name}/$i
install -m 644 $i/* %{buildroot}%{_datadir}/%{name}/$i
fi
done
# systemd
install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
install -D -m 755 %{SOURCE15} %{buildroot}%{squidlibexecdir}/cache_dir.sed
install -D -m 755 %{SOURCE16} %{buildroot}%{squidlibexecdir}/initialize_cache_if_needed.sh
sed -i -e 's!%%{_libexecdir}!%{_libexecdir}!' %{buildroot}%{_unitdir}/%{name}.service
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
# needed for smp support (bsc#1112695, bsc#1112066)
mkdir -p %{buildroot}%{_tmpfilesdir}
install -D -m 644 %{SOURCE17} %{buildroot}%{_tmpfilesdir}/squid.conf
# Move the MIB definition to the proper place (and name)
mkdir -p %{buildroot}%{_datadir}/snmp/mibs
mv %{buildroot}%{_datadir}/squid/mib.txt \
%{buildroot}%{_datadir}/snmp/mibs/SQUID-MIB.txt
%if 0%{?suse_version} >= 1500
# Install sysusers file.
mkdir -p %{buildroot}%{_sysusersdir}
install -m 644 %{SOURCE12} %{buildroot}%{_sysusersdir}/
%endif
%check
# Fails in chroot environment
make check %{?_smp_mflags}
%pretrans -p <lua>
-- Remove symlink that is has become a directory
path = "%_datadir/squid/errors/es-mx"
st = posix.stat(path)
if st and st.type == "link" then
os.remove(path)
end
%if 0%{?suse_version} >= 1500
%pre -f squid.pre
%else
%pre
# we need this group for /usr/sbin/pinger
getent group %{name} >/dev/null || %{_sbindir}/groupadd -g 31 -r %{name}
# we need this group for squid (ntlmauth)
# read access to /var/lib/samba/winbindd_privileged
getent group winbind >/dev/null || %{_sbindir}/groupadd -r winbind
getent passwd squid >/dev/null || \
%{_sbindir}/useradd -c "WWW-proxy squid" -d %{_localstatedir}/cache/%{name} \
-G winbind -g %{name} -o -u 31 -r -s /bin/false \
%{name}
# if default group is not squid, change it
if [ "$(%{_bindir}/id -ng %{name} 2>/dev/null)" != "%{name}" ]; then
%{_sbindir}/usermod -g %{name} %{name}
fi
# if squid is not member of winbind, add him
if [ $(%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind; echo $?) -ne 0 ]; then
%{_sbindir}/usermod -G winbind %{name}
fi
%endif
%service_add_pre %{name}.service
%if 0%{?suse_version} > 1500
# Prepare for migration to /usr/etc; save any old .rpmsave
for i in logrotate.d/%{name} pam.d/%{name} ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
done
%endif
%if 0%{?suse_version} > 1500
%posttrans
# Migration to /usr/etc, restore just created .rpmsave
for i in logrotate.d/%{name} pam.d/%{name} ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
done
%endif
# update mode?
if [ "$1" -gt "1" ]; then
if [ -e %{_sysconfdir}/%{name}.conf -a ! -L %{_sysconfdir}/%{name}.conf -a ! -e %{_sysconfdir}/%{name}/%{name}.conf ]; then
echo "moving %{_sysconfdir}/%{name}.conf to %{_sysconfdir}/%{name}/%{name}.conf"
mv %{_sysconfdir}/%{name}.conf %{_sysconfdir}/%{name}/%{name}.conf
fi
fi
%post
%set_permissions %{squidhelperdir}/pinger
%set_permissions %{_localstatedir}/cache/squid/
%set_permissions %{_localstatedir}/log/squid/
%tmpfiles_create %{_tmpfilesdir}/squid.conf
%service_add_post squid.service
%preun
%service_del_preun squid.service
%verifyscript
%verify_permissions -e %{squidhelperdir}/pinger
%verify_permissions -e %{_localstatedir}/cache/squid/
%verify_permissions -e %{_localstatedir}/log/squid/
%postun
%service_del_postun squid.service
%files
%ghost %dir %{_rundir}/%{name}
%license COPYING
%doc ChangeLog CONTRIBUTORS CREDITS
%doc QUICKSTART README RELEASENOTES.html SPONSORS*
%doc README.kerberos
%doc doc/contrib doc/scripts
%doc doc/debug-sections.txt src/%{name}.conf.default
%{_mandir}/man?/*
%{_unitdir}/%{name}.service
%{squidlibexecdir}/initialize_cache_if_needed.sh
%{squidlibexecdir}/cache_dir.sed
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
%dir %{squidconfdir}
%dir %{_tmpfilesdir}
%dir %{_libexecdir}/%{name}
%{_tmpfilesdir}/squid.conf
%if 0%{?suse_version} >= 1500
%{_sysusersdir}/squid-user.conf
%endif
%config(noreplace) %{squidconfdir}/cachemgr.conf
%config(noreplace) %{squidconfdir}/errorpage.css
%if 0%{?suse_version} > 1500
%{_distconfdir}/logrotate.d/%{name}
%else
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%endif
%config(noreplace) %{squidconfdir}/mime.conf
%config(noreplace) %{squidconfdir}/%{name}.conf
%config %{squidconfdir}/cachemgr.conf.default
%config %{squidconfdir}/errorpage.css.default
%config %{squidconfdir}/%{name}.conf.default
%config %{squidconfdir}/%{name}.conf.documented
%if 0%{?suse_version} > 1500
%{_pam_vendordir}/%{name}
%else
%config %{_sysconfdir}/pam.d/%{name}
%endif
%dir %{_datadir}/%{name}
%dir %{_datadir}/snmp
%dir %{_datadir}/snmp/mibs
%{_datadir}/%{name}/errors
%{_datadir}/%{name}/icons
%{_datadir}/%{name}/mime.conf
%{_datadir}/%{name}/mime.conf.default
%{_datadir}/snmp/mibs/SQUID-MIB.txt
%{_bindir}/purge
%{_bindir}/squidclient
%{squidhelperdir}/basic_db_auth
%{squidhelperdir}/basic_fake_auth
%{squidhelperdir}/basic_getpwnam_auth
%{squidhelperdir}/basic_ldap_auth
%{squidhelperdir}/digest_edirectory_auth
%{squidhelperdir}/basic_ncsa_auth
%if 0%{?suse_version} < 1599
%{squidhelperdir}/basic_nis_auth
%endif
%{squidhelperdir}/basic_pam_auth
%{squidhelperdir}/basic_pop3_auth
%{squidhelperdir}/basic_radius_auth
%{squidhelperdir}/basic_sasl_auth
%{squidhelperdir}/basic_smb_auth
%{squidhelperdir}/basic_smb_auth.sh
%{squidhelperdir}/basic_smb_lm_auth
%{squidhelperdir}/cert_tool
%{squidhelperdir}/digest_file_auth
%{squidhelperdir}/digest_ldap_auth
%{squidhelperdir}/diskd
%{squidhelperdir}/ext_edirectory_userip_acl
%{squidhelperdir}/ext_file_userip_acl
%{squidhelperdir}/ext_kerberos_ldap_group_acl
%{squidhelperdir}/ext_ldap_group_acl
%{squidhelperdir}/ext_session_acl
%{squidhelperdir}/ext_unix_group_acl
%{squidhelperdir}/ext_wbinfo_group_acl
%{squidhelperdir}/helper-mux
%{squidhelperdir}/log_db_daemon
%{squidhelperdir}/log_file_daemon
%{squidhelperdir}/negotiate_kerberos_auth
%{squidhelperdir}/negotiate_kerberos_auth_test
%{squidhelperdir}/negotiate_wrapper_auth
%{squidhelperdir}/ntlm_fake_auth
%{squidhelperdir}/ntlm_smb_lm_auth
%{squidhelperdir}/pinger
%{squidhelperdir}/security_fake_certverify
%{squidhelperdir}/security_file_certgen
%{squidhelperdir}/storeid_file_rewrite
%{squidhelperdir}/unlinkd
%{squidhelperdir}/url_fake_rewrite
%{squidhelperdir}/url_fake_rewrite.sh
%{squidhelperdir}/url_lfs_rewrite
%{squidhelperdir}/ext_time_quota_acl
%{_sbindir}/squid
%{_sbindir}/rcsquid
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150300
%dir %{squidhelperdir}
%{squidhelperdir}/cachemgr.cgi
%else
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/cachemgr.cgi
%endif
%changelog

3
tmpfilesdir.squid.conf Normal file
View File

@ -0,0 +1,3 @@
# See tmpfiles.d(5) for details
d /run/squid 0700 squid root -

217
unsquid.pl Normal file
View File

@ -0,0 +1,217 @@
#!/usr/bin/perl -w
#
# unsquid v0.2 -- Squid object dumper.
# Copyright (C) 2000 Avatar <avatar@deva.net>.
#
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, 51 Franklin Street, Suite 500, Boston, MA 02110-1335, USA
#
# $Id: unsquid,v 1.4 2000/03/11 17:31:06 avatar Exp $
=pod
=head1 NAME
unsquid - dump Squid objects
=head1 SYNOPSIS
B<unsquid> S<[ B<-d>I<dir> ]>
S<[ B<-t>I<type> ]>
S<[ B<-fv> ]>
S<[ B<-Vh> ]>
=head1 DESCRIPTION
unsquid dumps Squid cache files specified on the command line into
directories reflecting their original URLs, hence preserving the
original site layouts for off-line browsing.
Typically usage is
find /usr/local/squid/cache/??/ -type f -print | \
xargs unsquid -t 'image/.*' -d /tmp
The command line options are explained below.
=over
=item B<-t>I<type> S<B<--type> I<dir>>
Dump only files matching the MIME type regex I<type>.
=item B<-f> B<--force>
Overwrite existing files. For security reason, this option is disabled
when run as root.
=item B<-v> B<--verbose>
Print the URLs of dumped objects.
=item B<-d>I<dir> S<B<--dest> I<dir>>
Dump the files inside I<dir>.
=item B<-V> B<--version>
Print the version number.
=item B<-h> B<--help>
Print a summary of command line options.
=back
=head1 AUTHOR
Avatar <F<avatar@deva.net>>
=cut
use POSIX;
use Getopt::Long;
use strict;
my $help = <<EOT;
Usage: $0 [OPTION]... FILE...
Dumps Squid objects.
-t, --type TYPE only dump objects matching the regex TYPE
-v, --verbose print dumped object urls
-f, --force overwrite existing files
-d, --dest DIR use DIR as the destination directory for dumping
-V, --version print the version string
-h, --help show this help
EOT
my ($type, $size, $force, $verbose, $showver, $showhelp);
my $destdir = ".";
my $defaultindex = "index.html";
Getopt::Long::Configure("no_ignore_case");
GetOptions("dest=s" => \$destdir,
"type=s" => \$type,
"verbose|v+" => \$verbose,
"force!" => \$force,
"version|V" => \$showver,
"help" => \$showhelp);
if ($showver) {
print <<EOT;
Unsquid version 0.2
Copyright (C) 2000 Avatar <avatar\@deva.net>.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE,
to the extent permitted by law.
EOT
exit;
}
if ($#ARGV < 0 or $showhelp) {
print $help;
exit;
}
if ($force and $< == 0) {
die "$0: root is not allowed to use the force option";
}
for (@ARGV) {
my ($url, $urllen);
# read 4 bytes from offset 56 as the length of the url
open(INFILE, "<$_") or die "$0: cannot open file $_ for reading: $!";
seek(INFILE, 56, SEEK_SET) or die "$0: cannot seek 56 bytes: $!";
read(INFILE, $urllen, 4) or die "$0: cannot read 4 bytes: $!";
$urllen = ord($urllen) - 1; # kill the last NUL
# read the url
read(INFILE, $url, $urllen);
# expand index urls
$url =~ s-/$-/$defaultindex-m;
# scan the contents
my ($seenheader);
while (<INFILE>) {
if ($seenheader) {
print OUTFILE;
next;
}
# if type is specified, do matching
if (/^Content-Type: /i and defined $type) {
m-[^:]*: (\w+/\w+)-;
last if $1 !~ /$type/;
next;
}
# at this point we must have matched the type
if (/^\r$/) {
$seenheader = 1;
makedir($url);
if (! defined $force and -e "$destdir/$url") {
warn "$0: file $destdir/$url exists, skipped";
last;
}
open(OUTFILE, ">$destdir/$url")
or die "$0: cannot open file $destdir/$url for writing: $!";
print "$url\n" if $verbose;
}
}
close(INFILE);
close(OUTFILE);
}
sub makedir {
my ($basename) = @_;
my $path = $destdir;
if (! -d $destdir) {
warn "$0: destination directory $destdir does not exist, making it";
mkdir $destdir, 0777 or die "$0: cannot mkdir $destdir: $!";
}
while( $basename =~ m-^([^/]*)/- ) {
$path .= "/".$1;
if (! -d $path) {
if (! mkdir $path, 0777) {
if (-f $path) {
# move the file in
open FILE, $path
or die "$0: cannot open $path for reading: $!";
undef $/;
my $buf = <FILE>;
$/ = "\n";
close FILE;
unlink $path;
mkdir $path, 0777
or die "$0: cannot make directory $path: $!";
open FILE, ">$path-redirect"
or die "$0: cannot open $path/$defaultindex for writing: $!";
print FILE $buf;
close FILE;
} else {
die "d$0: cannot mkdir $path: $!";
}
}
}
$basename = $';
}
}