------------------------------------------------------------
revno: 13113
revision-id: squid3@treenet.co.nz-20140406043932-8ic7b6cnpe4zk9m1
parent: squid3@treenet.co.nz-20140406043708-kxyf4lhp040gdxv1
author: Christos Tsantilas
committer: Amos Jeffries
branch nick: 3.4
timestamp: Sat 2014-04-05 22:39:32 -0600
message:
  Basic auth cache and SslBump fix

  This patch fixes the following bug:
   1) A user sends a CONNECT request with valid credentials
   2) Squid checks the credentials and adds the user to the user cache
   3) The same user sends a CONNECT request with invalid credentials
   4) Squid overwrites the entry in the user cache and denies the second CONNECT request
   5) The user sends a GET request on the first SSL connection which is established by now
   6) Squid knows that it does not need to check the credentials on the bumped connection but still somehow checks again whether the user is successfully authenticated
   7) Due to the second CONNECT request the user is regarded as not successfully authenticated
   8) Squid denies the GET request of the first SSL connection with 403 ERR_CACHE_ACCESS_DENIED

  On proxies with Basic authentication and SSL bumping, this can be used to prevent a legitimate user from making any HTTPS requests

  This is a Measurement Factory project
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20140406043932-8ic7b6cnpe4zk9m1
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# testament_sha1: 3b1a2d5039c27da2e595295919fcaeac5273c1ed
# timestamp: 2014-04-06 04:42:56 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# base_revision_id: squid3@treenet.co.nz-20140406043708-\
# kxyf4lhp040gdxv1
#
# Begin patch
=== modified file 'src/auth/AclProxyAuth.cc'
--- src/auth/AclProxyAuth.cc 2013-05-26 01:08:42 +0000
+++ src/auth/AclProxyAuth.cc 2014-04-06 04:39:32 +0000
@@ -189,6 +189,8 @@ ACLProxyAuth::matchProxyAuth(ACLChecklist *cl) { ACLFilledChecklist *checklist = Filled(cl); + if (checklist->request->flags.sslBumped) + return 1; // AuthenticateAcl() already handled this bumped request if (!authenticateUserAuthenticated(Filled(checklist)->auth_user_request)) { return 0; }
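Review bot: the new early return `if (checklist->request->flags.sslBumped) return 1;` makes every proxy_auth ACL match any bumped request before the `authenticateUserAuthenticated(...)` check (and whatever user matching follows it in this function) is reached, so an ACL restricted to particular user names would also match a bumped connection whose CONNECT was authenticated as a different user; if that is the intended behaviour for bumped requests, the inline comment and the commit message should state it, otherwise the shortcut should skip only the "is the user still authenticated" check and keep the per-ACL user match. Two smaller points on the same hunk: `checklist->request` is dereferenced without a null check on a path where the pre-existing code only touches `auth_user_request`, so please confirm (or assert) that `request` is always set when `matchProxyAuth()` runs, and the comment refers to `AuthenticateAcl()`, which is not visible in this change, so a one-line note on where the bumped case is actually handled would help the next reader.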