On 14/09/2012 10:16 a.m., Alex Rousskov wrote:
> Hello,
>
> As you know, most old squid.conf options cannot handle spaces in
> parameter values as they do not support quoted strings or other ways of
> escaping the space separator. A few new options support quoted strings,
> but many old ones do not. This is not going to be pretty because there
> is no backward compatible way to introduce quoted strings (or
> equivalent) that would work for every option. This email focuses on ACLs.
>
> A good specific example is user_cert and ca_cert ACLs that are supposed
> to match on various certificate attributes. In many, if not most, cases,
> attributes like Organization Name and Common Name contain spaces. For
> example:
>
> O: Google Inc
> O: Thawte Consulting (Pty) Ltd.
> CN: Thawte SGC CA
>
> All of the above cannot be matched using user_cert and ca_cert ACLs.
>
> I see a few reasonable ways to address this (see below for a list). They
> all revolve around introducing support for "quoted strings" in ACL
> values[1]. For loading files, they could all use file:"/path/name.ext"
> syntax.
>
> Each approach differs in how it addresses backward compatibility:
>
>
> 0) Screw backward compatibility and just start interpreting "quoted
> strings" in ACL values as such. We can minimize breakage by detecting
> unusual patterns such as quotes"in"the"middle and
> "/quotes/without/any/spaces", treating them as the old parser would
> (with a warning). We can also refuse to honor more than one value per
> ACL when a value is quoted. Very few old configurations will be broken
> by this, but I bet there will be some!
>
> # this will work OK
> acl badOne1 user_cert CN "Bad Guy"
>
> # this will also work as before, with a warning
> acl badOnes user_cert CN "/var/share/bad.guys"
>
> # this will be silently broken
> acl badOnes user_cert CN "/var/share/my bad guys list"
>
> # new file loading syntax required here:
> acl badOnes user_cert CN file:"/var/share/my bad guys list"

I vote for this, with a few more changes that will reduce the breakages.
IMO, the above final line should be invalid. "" should delimit one item,
be that a value with spaces or a whole file: URI with spaces. ie:

  acl badOnes user_cert CN "file:/var/share/my bad guys list"

This can be done in stages to remove problems.

0a) add file: schema support and upgrade-warn on all "" entries. (3.3?)
    stat() on the quoted entry can be used to verify it is a file and
    assume a value if not. Don't bother with pattern checks we won't get
    those reliable enough. stat() can do it.

0b) drop default assumption that "" is a file entirely (3.x?)

Amos
Received on Fri Sep 14 2012 - 11:41:15 MDT
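
The staged handling proposed in the reply above (0a: honor "file:..." and fall back to stat() for other quoted entries; 0b: drop the fallback), sketched as an added example that is not Squid source and not code from either poster. The names AclToken and classify are hypothetical, and skipping the upgrade warning for entries that already use file: is an assumption.

```cpp
// Added illustration; not Squid source. All names here are hypothetical.
#include <sys/stat.h>
#include <cstdio>
#include <string>

enum class Kind { Value, File };

struct AclToken {
    Kind kind;
    std::string text;  // literal value, or path of the file to load values from
    bool upgradeWarn;  // true when the entry relies on pre-change quoting rules
};

// True only for an existing regular file (directories and sockets do not count).
static bool isRegularFile(const std::string &path) {
    struct stat sb;
    return stat(path.c_str(), &sb) == 0 && S_ISREG(sb.st_mode);
}

// Interpret one already-tokenized ACL parameter.
// legacyFileFallback = true models stage 0a, false models stage 0b.
AclToken classify(const std::string &tok, bool legacyFileFallback) {
    const bool quoted = tok.size() >= 2 && tok.front() == '"' && tok.back() == '"';
    if (!quoted)
        return {Kind::Value, tok, false};
    const std::string inner = tok.substr(1, tok.size() - 2);
    static const std::string scheme = "file:";
    if (inner.compare(0, scheme.size(), scheme) == 0)  // explicit: never stat()
        return {Kind::File, inner.substr(scheme.size()), false};
    if (legacyFileFallback && isRegularFile(inner))    // old-style quoted file
        return {Kind::File, inner, true};
    // Quoted literal; during stage 0a it still gets the upgrade warning.
    return {Kind::Value, inner, legacyFileFallback};
}

int main() {
    // Constructed sample tokens.
    const char *samples[] = {"\"Bad Guy\"", "\"file:/var/share/my bad guys list\"",
                             "\"/nonexistent/bad.guys\""};
    for (const char *s : samples) {
        const AclToken t = classify(s, true);
        std::printf("%-40s -> %s '%s'%s\n", s, t.kind == Kind::File ? "file" : "value",
                    t.text.c_str(), t.upgradeWarn ? " (upgrade warning)" : "");
    }
    return 0;
}
```

With the stage 0a fallback, a quoted list file that is missing at parse time becomes a literal value instead of an error, so the upgrade warning is the only sign that the ACL no longer loads its list.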