Hello community,

here is the log from the commit of package squid for openSUSE:Factory checked in at 2026-06-19 16:30:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/squid (Old)
 and /work/SRC/openSUSE:Factory/.squid.new.1956 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "squid" Fri Jun 19 16:30:30 2026 rev:126 rq:1360283 version:7.6 Changes: -------- --- /work/SRC/openSUSE:Factory/squid/squid.changes 2026-03-06 18:16:32.731054130 +0100 +++ /work/SRC/openSUSE:Factory/.squid.new.1956/squid.changes 2026-06-19 17:22:59.425407307 +0200 @@ -1,0 +2,26 @@ +Wed Jun 17 06:05:42 UTC 2026 - Martin Pluskal <[email protected]> + +- Update to 7.6: + * HTTP/1.1: Transfer-Encoding:identity is now prohibited + * Harden peerDigestSwapInMask against an invalid cache digest + reply + * Fix parsing of legacy url_rewrite_program responses + * Fix handling of truncated legacy errorpage %codes + * Honor reply_header_max_size for received FTP control responses + * Improve parsing of certain FTP directory listing formats + * Support the Nettle 4.0 md5_digest API + * Reject excessively large FTP control replies +- Drop old_nettle_compat.patch: it was only applied on + suse_version < 1500 (EOL distros) and no longer applies to the + current sources + +------------------------------------------------------------------- +Tue May 05 10:51:15 UTC 2026 - Adam Majer <[email protected]> + +- Update to version 7.5: + - ICP: Fix HttpRequest lifetime for ICP v3 queries (#2377) + - ICP: Fix validation of packet sizes and URLs (#2220) + - Do not escape malformed URI twice when sending ICP errors (#2374) + - Bug 5501: Squid may exit when ACLs decode an invalid URI (#2145) + +------------------------------------------------------------------- 
@@ -32 +58 @@ -- Update to 7.3 +- Update to 7.3 (bsc#1250627, CVE-2025-59362, bsc#1250223) Old: ---- old_nettle_compat.patch squid-7.4.tar.xz squid-7.4.tar.xz.asc New: ---- squid-7.6.tar.xz squid-7.6.tar.xz.asc ----------(Old B)---------- Old: * Reject excessively large FTP control replies - Drop old_nettle_compat.patch: it was only applied on suse_version < 1500 (EOL distros) and no longer applies to the ----------(Old E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ squid.spec ++++++ --- /var/tmp/diff_new_pack.Z7X3c6/_old 2026-06-19 17:23:01.645483825 +0200 +++ /var/tmp/diff_new_pack.Z7X3c6/_new 2026-06-19 17:23:01.649483963 +0200 @@ -24,14 +24,14 @@ %define squidhelperdir %{_sbindir} %endif Name: squid -Version: 7.4 +Version: 7.6 Release: 0 Summary: Caching and forwarding HTTP web proxy License: GPL-2.0-or-later Group: Productivity/Networking/Web/Proxy URL: http://www.squid-cache.org -Source0: https://github.com/squid-cache/squid/releases/download/SQUID_7_4/squid-7.4.tar.xz -Source1: https://github.com/squid-cache/squid/releases/download/SQUID_7_4/squid-7.4.tar.xz.asc +Source0: https://github.com/squid-cache/squid/releases/download/SQUID_7_6/squid-7.6.tar.xz +Source1: https://github.com/squid-cache/squid/releases/download/SQUID_7_6/squid-7.6.tar.xz.asc Source5: pam.squid Source6: unsquid.pl Source7: %{name}.logrotate @@ -46,7 +46,6 @@ Source16: initialize_cache_if_needed.sh Source17: tmpfilesdir.squid.conf Patch1: missing_installs.patch -Patch2: old_nettle_compat.patch Patch3: harden_squid.service.patch BuildRequires: cppunit-devel BuildRequires: expat @@ -108,9 +107,6 @@ # upstream patches after RELEASE perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"` %patch -P 1 -p1 -%if 0%{?suse_version} < 1500 -%patch -P 2 -p1 -%endif %build autoreconf -fi 
@@ -318,7 +314,7 @@ %ghost %dir %{_rundir}/%{name} %license COPYING %doc ChangeLog CONTRIBUTORS CREDITS -%doc QUICKSTART README RELEASENOTES.html SPONSORS* +%doc QUICKSTART README SPONSORS %doc README.kerberos %doc doc/contrib doc/scripts %doc doc/debug-sections.txt src/%{name}.conf.default @@ -392,7 +388,7 @@ %{squidhelperdir}/negotiate_kerberos_auth_test %{squidhelperdir}/negotiate_wrapper_auth %{squidhelperdir}/ntlm_fake_auth -%{squidhelperdir}/pinger +%verify(not caps) %attr(0750, root, squid) %{squidhelperdir}/pinger %{squidhelperdir}/security_fake_certverify %{squidhelperdir}/security_file_certgen %{squidhelperdir}/storeid_file_rewrite ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.Z7X3c6/_old 2026-06-19 17:23:01.721486444 +0200 +++ /var/tmp/diff_new_pack.Z7X3c6/_new 2026-06-19 17:23:01.721486444 +0200 @@ -1,5 +1,5 @@ -mtime: 1772638947 -commit: ec876e9f125ba3dca02d0a91a20dfb918317810f7ec4f6fced3f872a7c530bd3 +mtime: 1781798856 +commit: 2289f0c4b6c461d593b0447c9e3afc7e772c96f8d340b1a16ad28c8c4cd59df0 url: https://src.opensuse.org/adamm/squid revision: factory ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-06-18 18:07:36.000000000 +0200 
@@ -0,0 +1,4 @@ +*.obscpio +*.osc +_build.* +.pbuild ++++++ squid-7.4.tar.xz -> squid-7.6.tar.xz ++++++ ++++ 1653 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/CONTRIBUTORS new/squid-7.6/CONTRIBUTORS --- old/squid-7.4/CONTRIBUTORS 2026-01-20 22:45:19.000000000 +0100 +++ new/squid-7.6/CONTRIBUTORS 2026-05-31 17:50:29.000000000 +0200 @@ -438,6 +438,7 @@ Regents of the University of California (UCSD) Reinhard Posmyk <[email protected]> Reinhard Sojka <[email protected]> + Renaud Metrich <[email protected]> Rene Geile <[email protected]> Reuben Farrelly <[email protected]> Ricardo Ferreira Ribeiro <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/COPYING new/squid-7.6/COPYING --- old/squid-7.4/COPYING 2025-02-11 22:59:17.000000000 +0100 +++ new/squid-7.6/COPYING 2026-04-20 10:41:18.000000000 +0200 @@ -2,7 +2,7 @@ Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + <https://fsf.org/> Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. 
@@ -304,8 +304,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + with this program; if not, see <https://www.gnu.org/licenses/>. Also add information on how to contact you by electronic and paper mail. @@ -329,8 +328,8 @@ Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. - <signature of Ty Coon>, 1 April 1989 - Ty Coon, President of Vice + <signature of Moe Ghoul>, 1 April 1989 + Moe Ghoul, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/CREDITS new/squid-7.6/CREDITS --- old/squid-7.4/CREDITS 2025-10-15 22:31:05.000000000 +0200 +++ new/squid-7.6/CREDITS 2026-04-20 10:41:18.000000000 +0200 
@@ -772,11 +772,7 @@ GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public -License along with GNU Libltdl; see the file COPYING.LIB. If not, a -copy can be downloaded from http://www.gnu.org/licenses/lgpl.html, -or obtained by writing to the Free Software Foundation, Inc., -51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - +License along with GNU Libltdl. If not, see <https://www.gnu.org/licenses/>. ============================================================================== diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/ChangeLog new/squid-7.6/ChangeLog --- old/squid-7.4/ChangeLog 2026-01-20 22:45:19.000000000 +0100 +++ new/squid-7.6/ChangeLog 2026-06-08 09:37:04.000000000 +0200 
@@ -1,3 +1,24 @@ +Changes in squid-7.6 (08 Jun 2026): + + - HTTP/1.1: Transfer-Encoding:identity is prohibited + - Harden peerDigestSwapInMask against invalid cache digest reply + - Fix parsing of legacy url_rewrite_program responses + - Fix handling of truncated legacy errorpage %codes + - Do not treat tiny virgin response buffer space specially + - Honor reply_header_max_size for received FTP control responses + - Improve parsing of certain FTP directory listing formats + - Support Nettle 4.0 md5_digest API + - Reject excessively large FTP control replies + - .. and some cleanups + +Changes in squid-7.5 (12 Mar 2026): + + - Bug 5501: Squid may exit when ACLs decode an invalid URI + - ICP: Fix HttpRequest lifetime for ICP v3 queries + - ICP: Fix validation of packet sizes and URLs + - Do not escape malformed URI twice when sending ICP errors + - ... and some code, CI, and documentation cleanups + Changes in squid-7.4 (19 Jan 2026): - Do not create world-readable directories diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/RELEASENOTES.html new/squid-7.6/RELEASENOTES.html --- old/squid-7.4/RELEASENOTES.html 2026-01-20 22:47:10.000000000 +0100 +++ new/squid-7.6/RELEASENOTES.html 2026-06-08 10:37:47.000000000 +0200 
@@ -3,10 +3,10 @@ <HEAD> <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.83"> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> - <TITLE>Squid 7.4 release notes</TITLE> + <TITLE>Squid 7.6 release notes</TITLE> </HEAD> <BODY> -<H1>Squid 7.4 release notes</H1> +<H1>Squid 7.6 release notes</H1> <H2>Squid Developers</H2> <P> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/compat/Makefile.am new/squid-7.6/compat/Makefile.am --- old/squid-7.4/compat/Makefile.am 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/compat/Makefile.am 2026-05-31 17:50:29.000000000 +0200 @@ -58,7 +58,6 @@ os/openbsd.h \ os/os2.h \ os/qnx.h \ - os/sgi.h \ os/solaris.h \ os/sunos.h \ osdetect.h \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/compat/compat.h new/squid-7.6/compat/compat.h --- old/squid-7.4/compat/compat.h 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/compat/compat.h 2026-05-31 17:50:29.000000000 +0200 
@@ -74,7 +74,6 @@ #include "compat/os/openbsd.h" #include "compat/os/os2.h" #include "compat/os/qnx.h" -#include "compat/os/sgi.h" #include "compat/os/solaris.h" #include "compat/os/sunos.h" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/compat/fdsetsize.h new/squid-7.6/compat/fdsetsize.h --- old/squid-7.4/compat/fdsetsize.h 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/compat/fdsetsize.h 2026-05-31 17:50:29.000000000 +0200 @@ -17,9 +17,9 @@ /* * On some systems, FD_SETSIZE is set to something lower than the - * actual number of files which can be opened. IRIX is one case, - * NetBSD is another. So here we increase FD_SETSIZE to our - * configure-discovered maximum *before* any system includes. + * actual number of files which can be opened. NetBSD is one + * case. So here we increase FD_SETSIZE to our configure-discovered + * maximum *before* any system includes. */ #define CHANGE_FD_SETSIZE 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/compat/os/sgi.h new/squid-7.6/compat/os/sgi.h --- old/squid-7.4/compat/os/sgi.h 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/compat/os/sgi.h 1970-01-01 01:00:00.000000000 +0100 
@@ -1,30 +0,0 @@ -/* - * Copyright (C) 1996-2026 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -#ifndef SQUID_COMPAT_OS_SGI_H -#define SQUID_COMPAT_OS_SGI_H - -#if _SQUID_SGI_ - -/**************************************************************************** - *--------------------------------------------------------------------------* - * DO *NOT* MAKE ANY CHANGES below here unless you know what you're doing...* - *--------------------------------------------------------------------------* - ****************************************************************************/ - -#if !defined(_SVR4_SOURCE) -#define _SVR4_SOURCE /* for tempnam(3) */ -#endif - -#if USE_ASYNC_IO -#define _ABI_SOURCE -#endif /* USE_ASYNC_IO */ - -#endif /* _SQUID_SGI_ */ -#endif /* SQUID_COMPAT_OS_SGI_H */ - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/compat/osdetect.h new/squid-7.6/compat/osdetect.h --- old/squid-7.4/compat/osdetect.h 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/compat/osdetect.h 2026-05-31 17:50:29.000000000 +0200 
@@ -49,9 +49,6 @@ #elif defined(__FreeBSD_kernel__) /* GNU/kFreeBSD */ #define _SQUID_KFREEBSD_ 1 -#elif defined(__sgi__) || defined(sgi) || defined(__sgi) /* SGI */ -#define _SQUID_SGI_ 1 - #elif defined(__NetBSD__) #define _SQUID_NETBSD_ 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/configure.ac new/squid-7.6/configure.ac --- old/squid-7.4/configure.ac 2026-01-20 22:46:17.000000000 +0100 +++ new/squid-7.6/configure.ac 2026-06-08 10:34:42.000000000 +0200 @@ -5,7 +5,7 @@ ## Please see the COPYING and CONTRIBUTORS files for details. ## -AC_INIT([Squid Web Proxy],[7.4],[https://bugs.squid-cache.org/],[squid]) +AC_INIT([Squid Web Proxy],[7.6],[https://bugs.squid-cache.org/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) @@ -288,19 +288,6 @@ ], [CFLAGS="$squid_cv_cc_option_wall $CFLAGS"] ) - ],[ - AS_CASE(["$host"], - [*mips-sgi-irix6.*],[ - # suggested by Rafael Seidl <[email protected]> - CFLAGS="$squid_cv_cc_option_optimize -OPT:Olimit=0:space=OFF \ - -woff 1009,1014,1110,1116,1183,1185,1188,1204,1230,1233,1355 \ - -Wl,-woff,85,-woff,84,-woff,134 \ - -nostdinc -I/usr/include -D_BSD_SIGNALS $CFLAGS" - CXXFLAGS="$squid_cv_cc_option_optimize -OPT:Olimit=0:space=OFF \ - -woff 1009,1014,1110,1116,1183,1185,1188,1204,1230,1233,1355 \ - -Wl,-woff,85,-woff,84,-woff,134 \ - -nostdinc -I/usr/include -D_BSD_SIGNALS $CXXFLAGS" - ]) ]) ]) @@ -1030,7 +1017,7 @@ SQUID_CHECK_LIB_WORKS(nettle,[ PKG_CHECK_MODULES([LIBNETTLE],[nettle >= 3.4],[ CPPFLAGS="$LIBNETTLE_CFLAGS $CPPFLAGS" - AC_CHECK_HEADERS(nettle/base64.h nettle/md5.h) + AC_CHECK_HEADERS(nettle/base64.h nettle/md5.h nettle/version.h) ],[:]) ]) 
@@ -2051,13 +2038,6 @@ dnl System-specific library modifications AH_TEMPLATE(GETTIMEOFDAY_NO_TZP,[Whether gettimeofday takes only one argument]) AS_CASE(["$host"], - [*-pc-sco3.2*],[ - # -lintl is needed on SCO version 3.2v4.2 for strftime() - # Robert Side <[email protected]> - # Mon, 18 Jan 1999 17:48:00 GMT - AC_CHECK_LIB(intl, strftime) - ], - [i386-*-solaris2.*],[ AS_IF([test "x$GCC" = "xyes"],[ AC_MSG_NOTICE([Removing -O for gcc on $host]) @@ -2065,14 +2045,6 @@ ]) ], - [*-sgi-irix*],[ - AC_MSG_NOTICE([Removing -lsocket for IRIX...]) - LIBS=`echo $LIBS | sed -e s/-lsocket//` - AC_MSG_NOTICE([Removing -lnsl for IRIX...]) - LIBS=`echo $LIBS | sed -e s/-lnsl//` - ac_cv_lib_nsl_main=no - ], - [*-ibm-aix*],[ SQUID_CC_REQUIRE_ARGUMENT([ac_cv_require_rtti],[-rtti],[[ #include <assert.h> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/contrib/Makefile.am new/squid-7.6/contrib/Makefile.am --- old/squid-7.4/contrib/Makefile.am 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/contrib/Makefile.am 2026-05-31 17:50:29.000000000 +0200 
@@ -38,15 +38,6 @@ @echo "set SQUID=0 in /etc/init.d/squid to disable squid at startup" @echo "edit /etc/init.d/squid to change options" -install-irix6.2: - $(INSTALL_BIN) $(SQUID_RC) /etc/init.d/squid - $(INSTALL_FILE) $(SQUID_OPTIONS) /var/config/squid.options - -$(LN_S) ../init.d/squid /etc/rc2.d/S99squid - -$(LN_S) ../init.d/squid /etc/rc0.d/K01squid - /sbin/chkconfig -f squid on - @echo "use 'chkconfig squid off' to disable squid at startup" - @echo "edit /var/config/squid.options to change options" - install-osf3.2: $(INSTALL_BIN) $(SQUID_RC) /sbin/init.d/squid -$(LN_S) ../init.d/squid /sbin/rc2.d/S99squid diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/doc/release-notes/release-7.html new/squid-7.6/doc/release-notes/release-7.html --- old/squid-7.4/doc/release-notes/release-7.html 2026-01-20 22:47:10.000000000 +0100 +++ new/squid-7.6/doc/release-notes/release-7.html 2026-06-08 10:37:47.000000000 +0200 
@@ -3,10 +3,10 @@ <HEAD> <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.83"> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> - <TITLE>Squid 7.4 release notes</TITLE> + <TITLE>Squid 7.6 release notes</TITLE> </HEAD> <BODY> -<H1>Squid 7.4 release notes</H1> +<H1>Squid 7.6 release notes</H1> <H2>Squid Developers</H2> <P> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/include/autoconf.h.in new/squid-7.6/include/autoconf.h.in --- old/squid-7.4/include/autoconf.h.in 2026-01-20 22:46:02.000000000 +0100 +++ new/squid-7.6/include/autoconf.h.in 2026-06-08 10:33:54.000000000 +0200 @@ -599,9 +599,6 @@ /* Define as 1 to enable 'heimdal-krb5' library support. */ #undef HAVE_LIBHEIMDAL_KRB5 -/* Define to 1 if you have the `intl' library (-lintl). */ -#undef HAVE_LIBINTL - /* Define as 1 to enable 'ldap' library support. */ #undef HAVE_LIBLDAP @@ -790,6 +787,9 @@ /* Define to 1 if you have the <nettle/md5.h> header file. */ #undef HAVE_NETTLE_MD5_H +/* Define to 1 if you have the <nettle/version.h> header file. */ +#undef HAVE_NETTLE_VERSION_H + /* Define to 1 if you have the <net/if_arp.h> header file. */ #undef HAVE_NET_IF_ARP_H diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/include/md5.h new/squid-7.6/include/md5.h --- old/squid-7.4/include/md5.h 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/include/md5.h 2026-05-31 17:50:29.000000000 +0200 
@@ -12,11 +12,20 @@ #if HAVE_NETTLE_MD5_H #include <nettle/md5.h> +#if HAVE_NETTLE_VERSION_H +#include <nettle/version.h> +#endif + typedef struct md5_ctx SquidMD5_CTX; #define SquidMD5Init(c) md5_init((c)) #define SquidMD5Update(c,b,l) md5_update((c), (l), (const uint8_t *)(b)) + +#if NETTLE_VERSION_MAJOR >= 4 +#define SquidMD5Final(d,c) md5_digest((c), (uint8_t *)(d)) +#else #define SquidMD5Final(d,c) md5_digest((c), MD5_DIGEST_SIZE, (uint8_t *)(d)) +#endif #define SQUID_MD5_DIGEST_LENGTH MD5_DIGEST_SIZE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/scripts/icpserver.pl new/squid-7.6/scripts/icpserver.pl --- old/squid-7.4/scripts/icpserver.pl 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/scripts/icpserver.pl 2026-05-31 17:50:29.000000000 +0200 @@ -48,7 +48,6 @@ $whoami = (`uname -a`)[0]; $IP_ADD_MEMBERSHIP=5; $whoami =~ /SunOS [^\s]+ 5/ && ($IP_MULTICAST_TTL=19); - $whoami =~ /IRIX [^\s]+ 5/ && ($IP_MULTICAST_TTL=23); $whoami =~ /OSF1/ && ($IP_MULTICAST_TTL=12); # any more funnies ? diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/scripts/update-contributors.pl new/squid-7.6/scripts/update-contributors.pl --- old/squid-7.4/scripts/update-contributors.pl 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/scripts/update-contributors.pl 2026-04-20 10:41:18.000000000 +0200 
@@ -134,9 +134,10 @@ sub isManuallyExcluded { my ($c) = @_; - return true if lc(contributorToString($c)) =~ /squidadm/; # a known bot - return true if lc(contributorToString($c)) =~ /[email protected]/; # a known bot - return false; + my $lowerCasedContributorGist = lc(contributorToString($c)); + return 1 if $lowerCasedContributorGist =~ /squidadm/; # a known bot + return 1 if $lowerCasedContributorGist =~ /copilot[@]users[.]noreply[.]github[.]com/; # a known bot + return 0; } sub contributorToString diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/HttpHeader.cc new/squid-7.6/src/HttpHeader.cc --- old/squid-7.4/src/HttpHeader.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/HttpHeader.cc 2026-06-04 19:50:10.000000000 +0200 @@ -509,8 +509,6 @@ if (rawTe.caseCmp("chunked") == 0) { ; // leave header present for chunked() method - } else if (rawTe.caseCmp("identity") == 0) { // deprecated. no coding - delById(Http::HdrType::TRANSFER_ENCODING); } else { // This also rejects multiple encodings until we support them properly. debugs(55, warnOnError, "WARNING: unsupported Transfer-Encoding used by client: " << rawTe); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/ICP.h new/squid-7.6/src/ICP.h --- old/squid-7.4/src/ICP.h 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/ICP.h 2026-04-20 10:41:18.000000000 +0200 
@@ -89,11 +89,12 @@ extern Comm::ConnectionPointer icpOutgoingConn; extern Ip::Address theIcpPublicHostID; -/// \ingroup ServerProtocolICPAPI -HttpRequest* icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from); +/// A URI extracted from the given raw packet buffer. +/// On errors, details the problem and returns nil. +const char *icpGetUrl(const Ip::Address &from, const char *, const icp_common_t &); /// \ingroup ServerProtocolICPAPI -bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request); +HttpRequestPointer icpGetRequest(const char *url, int reqnum, int fd, const Ip::Address &from); /// \ingroup ServerProtocolICPAPI void icpCreateAndSend(icp_opcode, int flags, char const *url, int reqnum, int pad, int fd, const Ip::Address &from, AccessLogEntryPointer); @@ -102,7 +103,7 @@ icp_opcode icpGetCommonOpcode(); /// \ingroup ServerProtocolICPAPI -void icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd); +void icpDenyAccess(const Ip::Address &from, const char *url, int reqnum, int fd); /// \ingroup ServerProtocolICPAPI PF icpHandleUdp; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/SquidString.h new/squid-7.6/src/SquidString.h --- old/squid-7.4/src/SquidString.h 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/SquidString.h 2026-06-07 23:07:01.000000000 +0200 
@@ -70,6 +70,10 @@ /// the useful content length is strictly less than this limit. static size_type SizeMaxXXX() { return SizeMax_; } + /// The size limit for input that is later fed to legacy processing/encoding + /// algorithms that grow the String without checking SizeMaxXXX(). + static size_type RawSizeMaxXXX() { return (SizeMaxXXX()+1)/3; } + size_type size() const { return len_; } /// variant of size() suited to be used for printf-alikes. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/acl/Url.cc new/squid-7.6/src/acl/Url.cc --- old/squid-7.4/src/acl/Url.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/acl/Url.cc 2026-04-20 10:41:18.000000000 +0200 @@ -20,8 +20,7 @@ const auto checklist = Filled(ch); // TODO: Consider refactoring so that effectiveRequestUri() returns decoded URI. - auto decodedUri = AnyP::Uri::Decode(checklist->request->effectiveRequestUri()); - const auto result = data->match(decodedUri.c_str()); - return result; + // XXX: c_str() truncates where %00 was decoded + return data->match(AnyP::Uri::DecodeOrDupe(checklist->request->effectiveRequestUri()).c_str()); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/acl/UrlLogin.cc new/squid-7.6/src/acl/UrlLogin.cc --- old/squid-7.4/src/acl/UrlLogin.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/acl/UrlLogin.cc 2026-04-20 10:41:18.000000000 +0200 
@@ -24,7 +24,7 @@ return 0; // nothing can match } - auto decodedUserInfo = AnyP::Uri::Decode(checklist->request->url.userInfo()); - return data->match(decodedUserInfo.c_str()); + // XXX: c_str() truncates where %00 was decoded + return data->match(AnyP::Uri::DecodeOrDupe(checklist->request->url.userInfo()).c_str()); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/acl/external/SQL_session/ext_sql_session_acl.8 new/squid-7.6/src/acl/external/SQL_session/ext_sql_session_acl.8 --- old/squid-7.4/src/acl/external/SQL_session/ext_sql_session_acl.8 2026-01-20 22:48:33.000000000 +0100 +++ new/squid-7.6/src/acl/external/SQL_session/ext_sql_session_acl.8 2026-06-08 10:46:28.000000000 +0200 
@@ -55,7 +55,7 @@ .\" ======================================================================== .\" .IX Title "EXT_SQL_SESSION_ACL 8" -.TH EXT_SQL_SESSION_ACL 8 2026-01-20 "perl v5.38.2" "User Contributed Perl Documentation" +.TH EXT_SQL_SESSION_ACL 8 2026-06-08 "perl v5.38.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/acl/external/delayer/ext_delayer_acl.8 new/squid-7.6/src/acl/external/delayer/ext_delayer_acl.8 --- old/squid-7.4/src/acl/external/delayer/ext_delayer_acl.8 2026-01-20 22:48:33.000000000 +0100 +++ new/squid-7.6/src/acl/external/delayer/ext_delayer_acl.8 2026-06-08 10:46:25.000000000 +0200 
@@ -55,7 +55,7 @@ .\" ======================================================================== .\" .IX Title "EXT_DELAYER_ACL 8" -.TH EXT_DELAYER_ACL 8 2026-01-20 "perl v5.38.2" "User Contributed Perl Documentation" +.TH EXT_DELAYER_ACL 8 2026-06-08 "perl v5.38.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 new/squid-7.6/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 --- old/squid-7.4/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 2026-01-20 22:48:33.000000000 +0100 +++ new/squid-7.6/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 2026-06-08 10:46:26.000000000 +0200 
@@ -55,7 +55,7 @@ .\" ======================================================================== .\" .IX Title "EXT_KERBEROS_SID_GROUP_ACL 8" -.TH EXT_KERBEROS_SID_GROUP_ACL 8 2026-01-20 "perl v5.38.2" "User Contributed Perl Documentation" +.TH EXT_KERBEROS_SID_GROUP_ACL 8 2026-06-08 "perl v5.38.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 new/squid-7.6/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 --- old/squid-7.4/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2026-01-20 22:48:34.000000000 +0100 +++ new/squid-7.6/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2026-06-08 10:46:29.000000000 +0200 
@@ -55,7 +55,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL 8" -.TH EXT_WBINFO_GROUP_ACL 8 2026-01-20 "perl v5.38.2" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL 8 2026-06-08 "perl v5.38.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/anyp/Uri.cc new/squid-7.6/src/anyp/Uri.cc --- old/squid-7.4/src/anyp/Uri.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/anyp/Uri.cc 2026-04-20 10:41:19.000000000 +0200 @@ -82,7 +82,7 @@ return output; } -SBuf +std::optional<SBuf> AnyP::Uri::Decode(const SBuf &buf) { SBuf output; 
@@ -95,16 +95,28 @@ // we are either at '%' or at end of input if (tok.skip('%')) { + const auto rawBytesAfterPercent = tok.remaining(); int64_t hex1 = 0, hex2 = 0; - if (tok.int64(hex1, 16, false, 1) && tok.int64(hex2, 16, false, 1)) + if (tok.int64(hex1, 16, false, 1) && tok.int64(hex2, 16, false, 1)) { output.append(static_cast<char>((hex1 << 4) | hex2)); - else - throw TextException("invalid pct-encoded triplet", Here()); + } else { + // see TestUri::testEncoding() for invalid pct-encoding sequence examples + debugs(23, 3, "invalid pct-encoding sequence starting at %" << rawBytesAfterPercent); + return std::nullopt; + } } } return output; } +SBuf +AnyP::Uri::DecodeOrDupe(const SBuf &input) +{ + if (const auto decoded = Decode(input)) + return *decoded; + return input; +} + const SBuf & AnyP::Uri::Asterisk() { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/anyp/Uri.h new/squid-7.6/src/anyp/Uri.h --- old/squid-7.4/src/anyp/Uri.h 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/anyp/Uri.h 2026-04-20 10:41:19.000000000 +0200 
@@ -119,7 +119,15 @@ static SBuf Encode(const SBuf &, const CharacterSet &expected); /// %-decode the given buffer - static SBuf Decode(const SBuf &); + /// \retval std::nullopt on decoding failures + /// \sa DecodeOrDupe() + static std::optional<SBuf> Decode(const SBuf &); + + /// %-decode the given buffer + /// \retval decoded input if input obeys RFC 3986 Percent-Encoding rules + /// \retval an input copy if input violates RFC 3986 Percent-Encoding rules + /// \sa Decode() + static SBuf DecodeOrDupe(const SBuf &input); /** * The authority-form URI for currently stored values. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/auth/basic/DB/basic_db_auth.8 new/squid-7.6/src/auth/basic/DB/basic_db_auth.8 --- old/squid-7.4/src/auth/basic/DB/basic_db_auth.8 2026-01-20 22:48:35.000000000 +0100 +++ new/squid-7.6/src/auth/basic/DB/basic_db_auth.8 2026-06-08 10:46:35.000000000 +0200 
@@ -55,7 +55,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 8" -.TH BASIC_DB_AUTH 8 2026-01-20 "perl v5.38.2" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 8 2026-06-08 "perl v5.38.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/auth/basic/POP3/basic_pop3_auth.8 new/squid-7.6/src/auth/basic/POP3/basic_pop3_auth.8 --- old/squid-7.4/src/auth/basic/POP3/basic_pop3_auth.8 2026-01-20 22:48:36.000000000 +0100 +++ new/squid-7.6/src/auth/basic/POP3/basic_pop3_auth.8 2026-06-08 10:46:37.000000000 +0200 @@ -55,7 +55,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_POP3_AUTH 8" -.TH BASIC_POP3_AUTH 8 2026-01-20 "perl v5.38.2" "User Contributed Perl Documentation" +.TH BASIC_POP3_AUTH 8 2026-06-08 "perl v5.38.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/cache_cf.cc new/squid-7.6/src/cache_cf.cc --- old/squid-7.4/src/cache_cf.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/cache_cf.cc 2026-06-07 23:07:01.000000000 +0200 
@@ -1010,7 +1010,7 @@ // Warn about the dangers of exceeding String limits when manipulating HTTP // headers. Technically, we do not concatenate _requests_, so we could relax // their check, but we keep the two checks the same for simplicity sake. - const auto safeRawHeaderValueSizeMax = (String::SizeMaxXXX()+1)/3; + const auto safeRawHeaderValueSizeMax = String::RawSizeMaxXXX(); // TODO: static_assert(safeRawHeaderValueSizeMax >= 64*1024); // no WARNINGs for default settings if (Config.maxRequestHeaderSize > safeRawHeaderValueSizeMax) debugs(3, DBG_CRITICAL, "WARNING: Increasing request_header_max_size beyond " << safeRawHeaderValueSizeMax << diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/cf.data.pre new/squid-7.6/src/cf.data.pre --- old/squid-7.4/src/cf.data.pre 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/cf.data.pre 2026-04-20 10:41:19.000000000 +0200 
@@ -1256,8 +1256,29 @@ acl aclname url_regex [-i] ^http:// ... # POSIX extended regex matching on whole URL [fast] + # + # If request URL contains only valid pct-encoded triplets (RFC 3986), + # all of them are decoded before matching (e.g., `%25` triplet is + # replaced with a single `%` character). If request URL contains at + # least one `%` character that does not start a valid pct-encoded + # triplet (e.g., `%%`, `%X`, or `%2Y`), then the URL is not decoded at + # all (i.e. the raw request URL is used for matching). + # + # If a request URL is decoded as described above, then all request URL + # characters starting with the decoded `%00` pct-encoded triplet (if + # any) are ignored during matching. There is currently no way to match + # that triplet itself in a correctly percent-encoded URL. + # + # ACL parameters are not decoded. + acl aclname urllogin [-i] [^a-zA-Z0-9] ... - # POSIX extended regex matching on URL login field + # POSIX extended regex matching on URL login field [fast] + # + # This ACL does not match requests with a URL that lacks a login field. + # + # This ACL handles RFC 3986 pct-encoded triplets in the login field as + # url_regex ACL handles those triplets in the entire request URL. + acl aclname urlpath_regex [-i] \.gif$ ... # POSIX extended regex matching on URL path [fast] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/clients/FtpClient.cc new/squid-7.6/src/clients/FtpClient.cc --- old/squid-7.4/src/clients/FtpClient.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/clients/FtpClient.cc 2026-06-07 23:07:01.000000000 +0200 
@@ -142,7 +142,8 @@ last_reply(nullptr), replycode(0) { - buf = static_cast<char*>(memAllocBuf(4096, &size)); + // min() limits the initial read size when Config.maxReplyHeaderSize is huge + buf = static_cast<char*>(memAllocBuf(min(size_t(4096), Config.maxReplyHeaderSize), &size)); } Ftp::CtrlChannel::~CtrlChannel() @@ -344,6 +345,20 @@ commUnsetConnTimeout(data.conn); } + const auto maxSize = min(Config.maxReplyHeaderSize, std::numeric_limits<decltype(ctrl.size)>::max()); + if (ctrl.offset >= maxSize) { + debugs(9, 2, "FTP control reply size will exceed " << maxSize << "; reply_header_max_size=" << Config.maxReplyHeaderSize); + failed(ERR_FTP_FAILURE, 0); + return; + } + + if (ctrl.offset == ctrl.size) { + const auto newSize = (ctrl.size <= maxSize/2) ? (ctrl.size*2) : maxSize; + Assure(newSize > ctrl.size); + ctrl.buf = static_cast<char*>(memReallocBuf(ctrl.buf, newSize, &ctrl.size)); + Assure(ctrl.offset < ctrl.size); + } + const time_t tout = shortenReadTimeout ? min(Config.Timeout.connect, Config.Timeout.read): Config.Timeout.read; @@ -355,7 +370,13 @@ typedef CommCbMemFunT<Client, CommIoCbParams> Dialer; AsyncCall::Pointer reader = JobCallback(9, 5, Dialer, this, Ftp::Client::readControlReply); - comm_read(ctrl.conn, ctrl.buf + ctrl.offset, ctrl.size - ctrl.offset, reader); + // Do not accumulate more than Config.maxReplyHeaderSize bytes, + // even if we happened to have enough buffer space to do so. + const auto maxOffset = min(ctrl.size, Config.maxReplyHeaderSize); + Assure(maxOffset > ctrl.offset); // we can make progress (and no underflows) + Assure(maxOffset <= ctrl.size); // paranoid: we will not read beyond our buffer space + const auto maxReadSize = maxOffset - ctrl.offset; + comm_read(ctrl.conn, ctrl.buf + ctrl.offset, maxReadSize, reader); } } 
@@ -423,15 +444,15 @@ size_t bytes_used = 0; wordlistDestroy(&ctrl.message); - - if (!parseControlReply(bytes_used)) { - /* didn't get complete reply yet */ - - if (ctrl.offset == ctrl.size) { - ctrl.buf = static_cast<char*>(memReallocBuf(ctrl.buf, ctrl.size << 1, &ctrl.size)); + try { + if (!parseControlReply(bytes_used)) { + /* didn't get complete reply yet */ + scheduleReadControlReply(0); + return; } - - scheduleReadControlReply(0); + } catch (...) { + debugs(9, 2, "ERROR: Cannot parse control reply: " << CurrentException); + failed(ERR_FTP_FAILURE, 0); return; } @@ -930,7 +951,7 @@ debugs(9, 9, "FTP may read up to " << read_sz << " bytes"); - if (read_sz < 2) // see http.cc + if (!read_sz) return; data.read_pending = true; @@ -1104,11 +1125,12 @@ Ftp::Client::parseControlReply(size_t &bytesUsed) { char *s; - char *sbuf; char *end; int usable; int complete = 0; wordlist *head = nullptr; + auto headDeleter = [](wordlist *h) { wordlistDestroy(&h); }; + auto headGuard = std::unique_ptr<wordlist, decltype(headDeleter)>(head, headDeleter); wordlist *list; wordlist **tail = &head; size_t linelen; @@ -1117,7 +1139,8 @@ * We need a NULL-terminated buffer for scanning, ick */ const size_t len = ctrl.offset; - sbuf = (char *)xmalloc(len + 1); + const auto sbufOwner = std::unique_ptr<void, decltype(&xfree)>(xmalloc(len + 1), xfree); + const auto sbuf = static_cast<char*>(sbufOwner.get()); xstrncpy(sbuf, ctrl.buf, len + 1); end = sbuf + len - 1; @@ -1130,7 +1153,6 @@ if (usable == 0) { debugs(9, 3, "didn't find end of line"); - safe_free(sbuf); return false; } @@ -1139,6 +1161,9 @@ s = sbuf; s += strspn(s, crlf); + // cumulative length of parsed control reply lines added to the list + size_t replyLength = 0; + for (; s < end; s += strcspn(s, crlf), s += strspn(s, crlf)) { if (complete) break; 
@@ -1146,14 +1171,20 @@ debugs(9, 5, "s = {" << s << "}"); linelen = strcspn(s, crlf) + 1; + replyLength += linelen; if (linelen < 2) break; + if (replyLength > String::RawSizeMaxXXX()) + throw TextException(ToSBuf("control reply too long: ", replyLength, " exceeds safe limit of ", String::RawSizeMaxXXX(), " bytes"), Here()); + if (linelen > 3) complete = (*s >= '0' && *s <= '9' && *(s + 3) == ' '); list = new wordlist(); + if (!headGuard) + headGuard.reset(list); list->key = (char *)xmalloc(linelen); @@ -1175,14 +1206,12 @@ } bytesUsed = static_cast<size_t>(s - sbuf); - safe_free(sbuf); if (!complete) { - wordlistDestroy(&head); return false; } - ctrl.message = head; + ctrl.message = headGuard.release(); assert(ctrl.replycode >= 0); assert(ctrl.last_reply); assert(ctrl.message); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/clients/FtpGateway.cc new/squid-7.6/src/clients/FtpGateway.cc --- old/squid-7.4/src/clients/FtpGateway.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/clients/FtpGateway.cc 2026-05-31 17:50:29.000000000 +0200 @@ -141,6 +141,7 @@ int checkAuth(const HttpHeader * req_hdr); void checkUrlpath(); + std::optional<SBuf> decodedRequestUriPath() const; void buildTitleUrl(); void writeReplyBody(const char *, size_t len); void completeForwarding() override; @@ -622,7 +623,7 @@ // point after tokens[i+2] : copyFrom = buf + tokens[i + 2].pos + strlen(tokens[i + 2].token); if (flags.skip_whitespace) { - while (strchr(w_space, *copyFrom)) + while (*copyFrom && strchr(w_space, *copyFrom)) ++copyFrom; } else { /* Handle the following four formats: 
@@ -633,7 +634,7 @@ * Assuming a single space between date and filename * suggested by: [email protected] and * Mike Battersby <[email protected]> */ - if (strchr(w_space, *copyFrom)) + if (*copyFrom && strchr(w_space, *copyFrom)) ++copyFrom; } @@ -2300,10 +2301,18 @@ ftpState->serverComplete(); } +/// absolute request URI path after successful decoding of all pct-encoding sequences +std::optional<SBuf> +Ftp::Gateway::decodedRequestUriPath() const +{ + return AnyP::Uri::Decode(request->url.path()); +} + +/// \prec !ftpState->flags.try_slash_hack +/// \prec ftpState->decodedRequestUriPath() static void ftpTrySlashHack(Ftp::Gateway * ftpState) { - char *path; ftpState->flags.try_slash_hack = 1; /* Free old paths */ @@ -2312,14 +2321,10 @@ if (ftpState->pathcomps) wordlistDestroy(&ftpState->pathcomps); + /* Build the new path */ + // XXX: Conversion to c-string effectively truncates where %00 was decoded safe_free(ftpState->filepath); - - /* Build the new path (urlpath begins with /) */ - path = SBufToCstring(ftpState->request->url.path()); - - rfc1738_unescape(path); - - ftpState->filepath = path; + ftpState->filepath = SBufToCstring(ftpState->decodedRequestUriPath().value()); /* And off we go */ ftpGetFile(ftpState); 
@@ -2374,13 +2379,15 @@ " reply code " << code << "flags(" << (ftpState->flags.isdir?"IS_DIR,":"") << (ftpState->flags.try_slash_hack?"TRY_SLASH_HACK":"") << "), " << + "decodable_filepath=" << bool(ftpState->decodedRequestUriPath()) << ' ' << "mdtm=" << ftpState->mdtm << ", size=" << ftpState->theSize << "slashhack=" << (slashHack? "T":"F")); /* Try the / hack to support "Netscape" FTP URL's for retrieving files */ if (!ftpState->flags.isdir && /* Not a directory */ !ftpState->flags.try_slash_hack && !slashHack && /* Not doing slash hack */ - ftpState->mdtm <= 0 && ftpState->theSize < 0) { /* Not known as a file */ + ftpState->mdtm <= 0 && ftpState->theSize < 0 && /* Not known as a file */ + ftpState->decodedRequestUriPath()) { switch (ftpState->state) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/errorpage.cc new/squid-7.6/src/errorpage.cc --- old/squid-7.4/src/errorpage.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/errorpage.cc 2026-05-31 17:50:29.000000000 +0200 @@ -958,7 +958,8 @@ const auto &building_deny_info_url = build.building_deny_info_url; // a change reduction hack - const auto letter = build.input[1]; + Assure(*build.input == '%'); + const auto letter = build.input[1]; // may be the terminating NUL switch (letter) { 
@@ -1261,6 +1262,17 @@ p = "%"; break; + case '\0': + // XXX: Partially duplicates error handling code of the `default:` case. + // TODO: Refactor bypassBuildErrorXXX() to accept `build` and determine the source of the error. + if (building_deny_info_url) + bypassBuildErrorXXX("Bare % at the end of deny_info", build.input); + else + bypassBuildErrorXXX("Bare % at the end of error page", build.input); + p = "%"; + do_quote = 0; + break; + default: if (building_deny_info_url) bypassBuildErrorXXX("Unsupported deny_info %code", build.input); @@ -1268,6 +1280,7 @@ bypassBuildErrorXXX("Unsupported error page %code", build.input); // else too many "font-size: 100%;" template errors to report + Assure(build.input[1]); mb.append(build.input, 2); do_quote = 0; break; @@ -1278,7 +1291,8 @@ assert(p); - debugs(4, 3, "%" << letter << " --> '" << p << "'" ); + // TODO: Add an I/O manipulator to report non-printable chars better. + debugs(4, 3, "%" << (letter ? letter : '?') << " --> '" << p << "'" ); if (do_quote) p = html_quote(p); @@ -1288,7 +1302,9 @@ // TODO: Optimize by replacing mb with direct build.output usage. build.output.append(p, strlen(p)); - build.input += 2; + ++build.input; // skip the parsed % character + if (letter) + ++build.input; // when it was present, skip the parsed letter after % } void diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/http/url_rewriters/LFS/url_lfs_rewrite.8 new/squid-7.6/src/http/url_rewriters/LFS/url_lfs_rewrite.8 --- old/squid-7.4/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2026-01-20 22:48:37.000000000 +0100 +++ new/squid-7.6/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2026-06-08 10:46:43.000000000 +0200 
@@ -55,7 +55,7 @@ .\" ======================================================================== .\" .IX Title "URL_LFS_REWRITE 8" -.TH URL_LFS_REWRITE 8 2026-01-20 "perl v5.38.2" "User Contributed Perl Documentation" +.TH URL_LFS_REWRITE 8 2026-06-08 "perl v5.38.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/http.cc new/squid-7.6/src/http.cc --- old/squid-7.4/src/http.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/http.cc 2026-04-20 10:41:19.000000000 +0200 @@ -1699,7 +1699,7 @@ // how much we want to read const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), maxReadSize); - if (read_size < 2) { + if (!read_size) { debugs(11, 7, "will not read up to " << read_size << " into buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection); return 0; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/icp_v2.cc new/squid-7.6/src/icp_v2.cc --- old/squid-7.4/src/icp_v2.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/icp_v2.cc 2026-04-20 10:41:19.000000000 +0200 @@ -425,7 +425,7 @@ } void -icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd) +icpDenyAccess(const Ip::Address &from, const char * const url, const int reqnum, const int fd) { if (clientdbCutoffDenied(from)) { /* 
@@ -438,8 +438,9 @@ } } -bool -icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request) +/// icpGetRequest() helper that determines whether squid.conf allows the given ICP query +static bool +icpAccessAllowed(const Ip::Address &from, HttpRequest * icp_request) { if (!Config.accessList.icp) { debugs(12, 2, "Access Denied due to lack of ICP access rules."); 
@@ -457,44 +458,79 @@ return false; } -HttpRequest * -icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from) +const char * +icpGetUrl(const Ip::Address &from, const char * const buf, const icp_common_t &header) +{ + const auto receivedPacketSize = static_cast<size_t>(header.length); + const auto payloadOffset = sizeof(header); + + // Query payload contains a "Requester Host Address" followed by a URL. + // Payload of other ICP packets (with opcode that we recognize) is a URL. + const auto urlOffset = payloadOffset + ((header.opcode == ICP_QUERY) ? sizeof(uint32_t) : 0); + + // A URL field cannot be empty because it includes a terminating NUL char. + // Ensure that the packet has at least one URL field byte. + if (urlOffset >= receivedPacketSize) { + debugs(12, 3, "too small packet from " << from << ": " << urlOffset << " >= " << receivedPacketSize); + return nullptr; + } + + // All ICP packets (with opcode that we recognize) _end_ with a URL field. + // RFC 2186 requires all URLs to be "Null-Terminated". 
+ if (buf[receivedPacketSize - 1] != '\0') { + debugs(12, 3, "unterminated URL or trailing garbage from " << from); + return nullptr; + } + + const auto url = buf + urlOffset; // a possibly empty c-string + if (urlOffset + strlen(url) + 1 != receivedPacketSize) { + debugs(12, 3, "URL with an embedded NUL or trailing garbage from " << from); + return nullptr; + } + + return url; +} + +HttpRequest::Pointer +icpGetRequest(const char * const url, const int reqnum, const int fd, const Ip::Address &from) { if (strpbrk(url, w_space)) { - url = rfc1738_escape(url); icpCreateAndSend(ICP_ERR, 0, rfc1738_escape(url), reqnum, 0, fd, from, nullptr); return nullptr; } const auto mx = MasterXaction::MakePortless<XactionInitiator::initIcp>(); - auto *result = HttpRequest::FromUrlXXX(url, mx); - if (!result) - icpCreateAndSend(ICP_ERR, 0, url, reqnum, 0, fd, from, nullptr); + if (const HttpRequest::Pointer request = HttpRequest::FromUrlXXX(url, mx)) { + if (!icpAccessAllowed(from, request.getRaw())) { + icpDenyAccess(from, url, reqnum, fd); + return nullptr; + } - return result; + return request; + } + icpCreateAndSend(ICP_ERR, 0, url, reqnum, 0, fd, from, nullptr); + return nullptr; } static void -doV2Query(int fd, Ip::Address &from, char *buf, icp_common_t header) +doV2Query(const int fd, Ip::Address &from, const char * const buf, icp_common_t header) { int rtt = 0; int src_rtt = 0; uint32_t flags = 0; - /* We have a valid packet */ - char *url = buf + sizeof(icp_common_t) + sizeof(uint32_t); - HttpRequest *icp_request = icpGetRequest(url, header.reqnum, fd, from); - if (!icp_request) + const auto url = icpGetUrl(from, buf, header); + if (!url) { + icpCreateAndSend(ICP_ERR, 0, "", header.reqnum, 0, fd, from, nullptr); return; + } - HTTPMSGLOCK(icp_request); + const auto icp_request = icpGetRequest(url, header.reqnum, fd, from); - if (!icpAccessAllowed(from, icp_request)) { - icpDenyAccess(from, url, header.reqnum, fd); - HTTPMSGUNLOCK(icp_request); + if (!icp_request) return; - } 
+ #if USE_ICMP if (header.flags & ICP_FLAG_SRC_RTT) { rtt = netdbHostRtt(icp_request->url.host()); @@ -507,7 +543,7 @@ #endif /* USE_ICMP */ /* The peer is allowed to use this cache */ - ICP2State state(header, icp_request); + ICP2State state(header, icp_request.getRaw()); state.fd = fd; state.from = from; state.url = xstrdup(url); @@ -536,8 +572,6 @@ } icpCreateAndSend(codeToSend, flags, url, header.reqnum, src_rtt, fd, from, state.al); - - HTTPMSGUNLOCK(icp_request); } void @@ -549,7 +583,9 @@ neighbors_do_private_keys = 0; } - char *url = buf + sizeof(icp_common_t); + const auto url = icpGetUrl(from, buf, *this); + if (!url) + return; debugs(12, 3, "icpHandleIcpV2: " << icp_opcode_str[opcode] << " from " << from << " for '" << url << "'"); const cache_key *key = icpGetCacheKey(url, (int) reqnum); @@ -661,7 +697,10 @@ icp_version = (int) buf[1]; /* cheat! */ - if (icpOutgoingConn->local == from) + // XXX: The IP equality comparison below ignores port differences but + // should not. It also fails to detect loops when `local` is a wildcard + // address (e.g., [::]:3130) because `from` address is never a wildcard. + if (icpOutgoingConn && icpOutgoingConn->local == from) // ignore ICP packets which loop back (multicast usually) debugs(12, 4, "icpHandleUdp: Ignoring UDP packet sent by myself"); else if (icp_version == ICP_VERSION_2) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/icp_v3.cc new/squid-7.6/src/icp_v3.cc --- old/squid-7.4/src/icp_v3.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/icp_v3.cc 2026-04-20 10:41:19.000000000 +0200 
@@ -32,23 +32,21 @@ /// \ingroup ServerProtocolICPInternal3 static void -doV3Query(int fd, Ip::Address &from, char *buf, icp_common_t header) +doV3Query(int fd, Ip::Address &from, const char * const buf, icp_common_t header) { - /* We have a valid packet */ - char *url = buf + sizeof(icp_common_t) + sizeof(uint32_t); - HttpRequest *icp_request = icpGetRequest(url, header.reqnum, fd, from); - - if (!icp_request) + const auto url = icpGetUrl(from, buf, header); + if (!url) { + icpCreateAndSend(ICP_ERR, 0, "", header.reqnum, 0, fd, from, nullptr); return; + } - if (!icpAccessAllowed(from, icp_request)) { - icpDenyAccess (from, url, header.reqnum, fd); - delete icp_request; + const auto icp_request = icpGetRequest(url, header.reqnum, fd, from); + + if (!icp_request) return; - } /* The peer is allowed to use this cache */ - ICP3State state(header, icp_request); + ICP3State state(header, icp_request.getRaw()); state.fd = fd; state.from = from; state.url = xstrdup(url); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/log/DB/log_db_daemon.8 new/squid-7.6/src/log/DB/log_db_daemon.8 --- old/squid-7.4/src/log/DB/log_db_daemon.8 2026-01-20 22:48:38.000000000 +0100 +++ new/squid-7.6/src/log/DB/log_db_daemon.8 2026-06-08 10:46:45.000000000 +0200 
@@ -55,7 +55,7 @@ .\" ======================================================================== .\" .IX Title "LOG_DB_DAEMON 8" -.TH LOG_DB_DAEMON 8 2026-01-20 "perl v5.38.2" "User Contributed Perl Documentation" +.TH LOG_DB_DAEMON 8 2026-06-08 "perl v5.38.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/peer_digest.cc new/squid-7.6/src/peer_digest.cc --- old/squid-7.4/src/peer_digest.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/peer_digest.cc 2026-06-04 22:57:25.000000000 +0200 @@ -558,6 +558,12 @@ * NOTENOTENOTENOTENOTE: buf doesn't point to pd->cd->mask anymore! * we need to do the copy ourselves! */ + Assure(size >= 0); + Assure(pd->cd->mask_size >= fetch->mask_offset); + if (static_cast<size_t>(size) > pd->cd->mask_size - fetch->mask_offset) { + finishAndDeleteFetch(fetch, "peer digest mask data too large", true); + return -1; + } memcpy(pd->cd->mask + fetch->mask_offset, buf, size); /* NOTE! buf points to the middle of pd->cd->mask! */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/redirect.cc new/squid-7.6/src/redirect.cc --- old/squid-7.4/src/redirect.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/redirect.cc 2026-05-31 17:50:29.000000000 +0200 
@@ -110,8 +110,9 @@ // parse it into status=, url= and rewrite-url= keys if (replySize) { MemBuf replyBuffer; - replyBuffer.init(replySize, replySize); - replyBuffer.append(reply.other().content(), reply.other().contentSize()); + replyBuffer.init(replySize + 1, replySize + 1); // with space for 0-terminator added by append() + Assure(replySize <= size_t(reply.other().contentSize())); + replyBuffer.append(reply.other().content(), replySize); char * result = replyBuffer.content(); Helper::Reply newReply; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/security/cert_validators/fake/security_fake_certverify.8 new/squid-7.6/src/security/cert_validators/fake/security_fake_certverify.8 --- old/squid-7.4/src/security/cert_validators/fake/security_fake_certverify.8 2026-01-20 22:48:39.000000000 +0100 +++ new/squid-7.6/src/security/cert_validators/fake/security_fake_certverify.8 2026-06-08 10:46:49.000000000 +0200 
@@ -55,7 +55,7 @@ .\" ======================================================================== .\" .IX Title "SECURITY_FAKE_CERTVERIFY 8" -.TH SECURITY_FAKE_CERTVERIFY 8 2026-01-20 "perl v5.38.2" "User Contributed Perl Documentation" +.TH SECURITY_FAKE_CERTVERIFY 8 2026-06-08 "perl v5.38.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/store/id_rewriters/file/storeid_file_rewrite.8 new/squid-7.6/src/store/id_rewriters/file/storeid_file_rewrite.8 --- old/squid-7.4/src/store/id_rewriters/file/storeid_file_rewrite.8 2026-01-20 22:48:35.000000000 +0100 +++ new/squid-7.6/src/store/id_rewriters/file/storeid_file_rewrite.8 2026-06-08 10:46:32.000000000 +0200 
@@ -55,7 +55,7 @@ .\" ======================================================================== .\" .IX Title "STOREID_FILE_REWRITE 8" -.TH STOREID_FILE_REWRITE 8 2026-01-20 "perl v5.38.2" "User Contributed Perl Documentation" +.TH STOREID_FILE_REWRITE 8 2026-06-08 "perl v5.38.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/tests/stub_fd.cc new/squid-7.6/src/tests/stub_fd.cc --- old/squid-7.4/src/tests/stub_fd.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/tests/stub_fd.cc 2026-04-20 10:41:19.000000000 +0200 
@@ -7,18 +7,33 @@ */ #include "squid.h" -#include "fd.h" -#include "fde.h" #define STUB_API "fd.cc" #include "tests/STUB.h" -fde *fde::Table = nullptr; - -int fdNFree(void) STUB_RETVAL(-1) -void fd_open(int, unsigned int, const char *) STUB +#include "fd.h" void fd_close(int) STUB -void fd_bytes(int, int, IoDirection) STUB +void fd_open(int, unsigned int, const char *) STUB void fd_note(int, const char *) STUB +void fd_bytes(int, int, IoDirection) STUB +void fdDumpOpen() STUB +int fdUsageHigh() STUB void fdAdjustReserved() STUB +int default_read_method(int, char *, int) STUB_RETVAL(0) +int default_write_method(int, const char *, int) STUB_RETVAL(0) + +// XXX: global. keep in sync with fd.cc +const char *fdTypeStr[] = { + "None", + "Log", + "File", + "Socket", + "Pipe", + "MsgHdr", + "Unknown" +}; +// XXX: should be in stub_fde.cc +#include "fde.h" +fde *fde::Table = nullptr; +int fdNFree(void) STUB_RETVAL(-1) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/tests/stub_icp.cc new/squid-7.6/src/tests/stub_icp.cc --- old/squid-7.4/src/tests/stub_icp.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/tests/stub_icp.cc 2026-04-20 10:41:19.000000000 +0200 @@ -9,6 +9,7 @@ #include "squid.h" #include "AccessLogEntry.h" #include "comm/Connection.h" +#include "HttpRequest.h" #include "ICP.h" #define STUB_API "icp_*.cc" 
@@ -29,11 +30,11 @@ Comm::ConnectionPointer icpOutgoingConn; Ip::Address theIcpPublicHostID; -HttpRequest* icpGetRequest(char *, int, int, Ip::Address &) STUB_RETVAL(nullptr) -bool icpAccessAllowed(Ip::Address &, HttpRequest *) STUB_RETVAL(false) +const char *icpGetUrl(const Ip::Address &, const char *, const icp_common_t &) STUB_RETVAL(nullptr) +HttpRequest::Pointer icpGetRequest(const char *, int, int, const Ip::Address &) STUB_RETVAL(nullptr) void icpCreateAndSend(icp_opcode, int, char const *, int, int, int, const Ip::Address &, AccessLogEntryPointer) STUB icp_opcode icpGetCommonOpcode() STUB_RETVAL(ICP_INVALID) -void icpDenyAccess(Ip::Address &, char *, int, int) STUB +void icpDenyAccess(const Ip::Address &, const char *, int, int) STUB void icpHandleIcpV3(int, Ip::Address &, char *, int) STUB void icpConnectionShutdown(void) STUB int icpSetCacheKey(const cache_key *) STUB_RETVAL(0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/tests/testURL.cc new/squid-7.6/src/tests/testURL.cc --- old/squid-7.4/src/tests/testURL.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/tests/testURL.cc 2026-04-20 10:41:19.000000000 +0200 @@ -104,7 +104,9 @@ }; for (const auto &testCase: basicTestCases) { - CPPUNIT_ASSERT_EQUAL(testCase.first, AnyP::Uri::Decode(testCase.second)); + const auto decoded = AnyP::Uri::Decode(testCase.second); + CPPUNIT_ASSERT(decoded); + CPPUNIT_ASSERT_EQUAL(testCase.first, *decoded); CPPUNIT_ASSERT_EQUAL(testCase.second, AnyP::Uri::Encode(testCase.first, CharacterSet::RFC3986_UNRESERVED())); }; @@ -112,6 +114,7 @@ SBuf("%"), SBuf("%%"), SBuf("%%%"), + SBuf("%0"), SBuf("%1"), SBuf("%1Z"), SBuf("%1\000", 2), 
@@ -122,10 +125,11 @@ for (const auto &invalidEncoding: invalidEncodings) { // test various input positions of an invalid escape sequence - CPPUNIT_ASSERT_THROW(AnyP::Uri::Decode(invalidEncoding), TextException); - CPPUNIT_ASSERT_THROW(AnyP::Uri::Decode(ToSBuf("word", invalidEncoding)), TextException); - CPPUNIT_ASSERT_THROW(AnyP::Uri::Decode(ToSBuf(invalidEncoding, "word")), TextException); - CPPUNIT_ASSERT_THROW(AnyP::Uri::Decode(ToSBuf("word", invalidEncoding, "word")), TextException); + CPPUNIT_ASSERT(!AnyP::Uri::Decode(invalidEncoding)); + CPPUNIT_ASSERT(!AnyP::Uri::Decode(ToSBuf("word", invalidEncoding))); + CPPUNIT_ASSERT(!AnyP::Uri::Decode(ToSBuf(invalidEncoding, "word"))); + CPPUNIT_ASSERT(!AnyP::Uri::Decode(ToSBuf("word", invalidEncoding, "word"))); + CPPUNIT_ASSERT_EQUAL(invalidEncoding, AnyP::Uri::DecodeOrDupe(invalidEncoding)); }; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/time/rfc1123.cc new/squid-7.6/src/time/rfc1123.cc --- old/squid-7.4/src/time/rfc1123.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/time/rfc1123.cc 2026-05-31 17:50:29.000000000 +0200 
@@ -179,7 +179,7 @@ t = mktime(tm); if (t != -1) { time_t dst = 0; -#if !(defined(_TIMEZONE) || defined(_timezone) || _SQUID_AIX_ || _SQUID_WINDOWS_ || _SQUID_SGI_) +#if !(defined(_TIMEZONE) || defined(_timezone) || _SQUID_AIX_ || _SQUID_WINDOWS_) extern long timezone; #endif /* diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/src/tools.cc new/squid-7.6/src/tools.cc --- old/squid-7.4/src/tools.cc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/src/tools.cc 2026-05-31 17:50:29.000000000 +0200 @@ -252,10 +252,7 @@ rusage_maxrss(struct rusage *r) { -#if _SQUID_SGI_ && _ABIAPI - return r->ru_pad[0]; -#elif _SQUID_SGI_|| _SQUID_OSF_ || _SQUID_AIX_ || defined(BSD4_4) - +#if _SQUID_OSF_ || _SQUID_AIX_ || defined(BSD4_4) return r->ru_maxrss; #elif defined(HAVE_GETPAGESIZE) && HAVE_GETPAGESIZE != 0 @@ -273,12 +270,7 @@ rusage_pagefaults(struct rusage *r) { -#if _SQUID_SGI_ && _ABIAPI - return r->ru_pad[5]; -#else - return r->ru_majflt; -#endif } /// Make the process traceable if possible. Call setTraceability() instead! diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/tools/helper-mux/helper-mux.8 new/squid-7.6/tools/helper-mux/helper-mux.8 --- old/squid-7.4/tools/helper-mux/helper-mux.8 2026-01-20 22:48:39.000000000 +0100 +++ new/squid-7.6/tools/helper-mux/helper-mux.8 2026-06-08 10:46:52.000000000 +0200 
@@ -55,7 +55,7 @@ .\" ======================================================================== .\" .IX Title "HELPER-MUX 8" -.TH HELPER-MUX 8 2026-01-20 "perl v5.38.2" "User Contributed Perl Documentation" +.TH HELPER-MUX 8 2026-06-08 "perl v5.38.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/squid-7.4/tools/sysvinit/squid.rc new/squid-7.6/tools/sysvinit/squid.rc --- old/squid-7.4/tools/sysvinit/squid.rc 2026-01-20 22:44:51.000000000 +0100 +++ new/squid-7.6/tools/sysvinit/squid.rc 2026-05-31 17:50:29.000000000 +0200 @@ -18,18 +18,8 @@ config() { - # SGI IRIX 6.2 - if [ -f /sbin/chkconfig ] - then if /sbin/chkconfig squid - then if [ -f /var/config/squid.options ] - then . /var/config/squid.options - fi - SQUID=1 - else SQUID=0 - fi - # Digital UNIX - elif [ -f /usr/sbin/rcmgr ] + if [ -f /usr/sbin/rcmgr ] then SQUID=`/usr/sbin/rcmgr get SQUID 0` SQUID_OPTIONS=`/usr/sbin/rcmgr get SQUID_OPTIONS "-s"` SQUID_RESPAWN=`/usr/sbin/rcmgr get SQUID_RESPAWN 1` ++++++ squid-7.4.tar.xz.asc -> squid-7.6.tar.xz.asc ++++++ --- /work/SRC/openSUSE:Factory/squid/squid-7.4.tar.xz.asc 2026-03-06 18:16:32.667051462 +0100 +++ /work/SRC/openSUSE:Factory/.squid.new.1956/squid-7.6.tar.xz.asc 2026-06-19 17:22:59.369405377 +0200 
@@ -1,18 +1,17 @@ -File : squid-7.4.tar.xz -Date : Tue, 20 Jan 2026 21:45:55 +0000 -Size : 2441824 -MD5 : 6744b320a37ff162861b2cc0c04f4528 -SHA1 : 0594cf35b85bd2b830c5bc6bb1b5352e60525703 -SHA256 : e31976edd755c295bd5842a349c9c7dad16a683d066337cc09033c1302b4fed4 +File : squid-7.6.tar.xz +Date : Mon, 08 Jun 2026 08:33:32 +0000 +Size : 2436896 +MD5 : 5923f155668e83a20f696c90a0efdd66 +SHA1 : abf10758e1676c24d720f14cd11dd1c8b0502988 +SHA256 : 852178fdc37c5b0786a934fc990c7d2fffc82acf19b2284be209b96431d25992 Key : 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865 <[email protected]> -Fingerprint: 29B4 B1F7 CE03 D1B1 DED2 2F30 28F8 5029 FEF6 E865 -sub cv25519 2021-05-15 [E] +Fingerprint: Keyring : http://www.squid-cache.org/pgp.asc Keyserver: keyserver.ubuntu.com -----BEGIN PGP SIGNATURE----- -iHUEABYKAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCaW/4TwAKCRAo+FAp/vbo -ZexsAQDX7iY7sOuslBuqIPQwkFvGssqKOx8ZqVSkQBmj/f/srAEAwJi3W62+HGSC -T+QcND/nbDZ6eofX/1lKSe5luBeE1AA= -=Jdg5 +iHUEABYKAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCaiaCGgAKCRAo+FAp/vbo +ZcSuAP9NubH6WBPiSAN6aVMY/b6+c9oTG/hqXm2ouoq9r92YTgEAggDii9Zti6Du +6aQ5mWmr1EfAXTMbWLfEvyKEVpb7yAo= +=Gu/S -----END PGP SIGNATURE-----
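Review bot: In the `@@ -110,8 +110,9 @@` hunk that fills `replyBuffer`, the new `Assure(replySize <= size_t(reply.other().contentSize()))` casts before it compares, so if `contentSize()` returns a signed type, a negative value would convert to a very large `size_t` and the check would pass without bounding anything. Consider asserting that the size is non-negative first, or comparing in the signed domain. The hunk also does not show where `replySize` is bounded before `replySize + 1` is passed to `init()`, or why it may now be smaller than `contentSize()`; a one-line comment on both would make the new `append(..., replySize)` easier to audit.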
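Review bot: In src/tests/stub_fd.cc, `int fdUsageHigh() STUB` uses plain `STUB` although it returns `int`, while the other non-void stubs in this hunk (`default_read_method`, `default_write_method`, `fdNFree`) use `STUB_RETVAL(...)`; switch it to `STUB_RETVAL(0)` so the stub has a defined return value. The copied `fdTypeStr[]` table relies on an "XXX: global. keep in sync with fd.cc" comment; a compile-time check on the array length, or a shared definition, would catch drift that the comment alone cannot.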
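Review bot: In the src/tests/stub_icp.cc hunk `@@ -29,11 +30,11 @@`, `icpHandleIcpV3(int, Ip::Address &, char *, int)` keeps its non-const parameters while `icpGetRequest` and `icpDenyAccess` move to `const Ip::Address &` and `const char *`. Please confirm this matches the current declaration in ICP.h; if the handler only reads the address and buffer, const-qualifying it in the same change would keep the API consistent. The `icpAccessAllowed` stub is dropped here as well, so check that no remaining test links against it.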
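Review bot: In the src/tests/testURL.cc hunk `@@ -122,10 +125,11 @@`, the new `AnyP::Uri::DecodeOrDupe(invalidEncoding)` assertion covers only the bare escape sequence, while the comment above it and the four `Decode()` assertions exercise prefix, suffix and embedded positions. Add `DecodeOrDupe` assertions for the `ToSBuf("word", invalidEncoding, "word")` style inputs too, and a `DecodeOrDupe` check on valid input in the `basicTestCases` loop, so both the fallback and the success path of the new function are tested.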
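Review bot: In the tools/sysvinit/squid.rc hunk, the removed branch was selected by `[ -f /sbin/chkconfig ]`, which is a file test rather than an OS test, so any host that has that file previously took this path (including sourcing `/var/config/squid.options`) and now falls through to the `rcmgr` test and whatever follows it. The remainder of the `if` chain is not visible in this hunk; please confirm the fall-through still sets `SQUID` to a sensible default, and note the behaviour change in the changelog entry.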
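Review bot: In the squid-7.6.tar.xz.asc hunk, the `Fingerprint:` field is now empty and the subkey line is removed, leaving the unchanged `Key :` line as the only key identifier in the file. These header lines sit outside the `-----BEGIN PGP SIGNATURE-----` armor, so the build should treat them as informational and verify the tarball signature against the packaged keyring, checking that the signing key matches the full ID on the `Key :` line. MD5 and SHA1 are still listed next to SHA256; if any digest from this file is compared, use only the SHA256.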
