File SQUID-2019_4.patch of Package squid.15550
ported from:
commit e1e861eb9a04137fe81decd1c9370b13c6f18a18
Author: Amos Jeffries <yadij@users.noreply.github.com>
Date: 2019-05-16 15:22:54 +0000
RFC 7230 forbids generation of userinfo subcomponent of https URL (#405)
commit 2d3a615ea3440fae6dbe66277a95e6264c586c6b
Author: Amos Jeffries <yadij@users.noreply.github.com>
Date: 2019-06-23 15:15:56 +0000
Remove userinfo support from old protocols (#419)
RFC 1738 defines the URL schemes for gopher and wais as not
having the userinfo@ segment.
coap, coaps, whois and cache_object also do not use this segment.
For these cases we can obey the RFC7230 requirement to ignore the
segment when producing normalized absolute URL.
Of the supported protocols only FTP requires userinfo, and because
we cannot be certain for unknown protocols allow it as well.
Index: squid-3.5.21/src/url.cc
===================================================================
--- squid-3.5.21.orig/src/url.cc
+++ squid-3.5.21/src/url.cc
@@ -793,20 +793,25 @@ urlMakeAbsolute(const HttpRequest * req,
}
size_t urllen;
+ const bool allowUserInfo = req->url.getScheme() == AnyP::PROTO_FTP ||
+ req->url.getScheme() == AnyP::PROTO_UNKNOWN;
+ const char *login_data = "";
+ if (allowUserInfo && *req->login)
+ login_data = req->login;
if (req->port != urlDefaultPort(req->url.getScheme())) {
urllen = snprintf(urlbuf, MAX_URL, "%s://%s%s%s:%d",
req->url.getScheme().c_str(),
- req->login,
- *req->login ? "@" : null_string,
+ login_data,
+ *login_data ? "@" : null_string,
req->GetHost(),
req->port
);
} else {
urllen = snprintf(urlbuf, MAX_URL, "%s://%s%s%s",
req->url.getScheme().c_str(),
- req->login,
- *req->login ? "@" : null_string,
+ login_data,
+ *login_data ? "@" : null_string,
req->GetHost()
);
}
