From 7a06ffb854281a08dae8dc2c13669a3a43da1065 Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Wed, 13 Oct 2021 17:22:17 +0200 Subject: [PATCH] BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags When the sample validity flags are computed to check if a sample is used in a valid scope, the flags depending on the proxy capabilities must be cumulated. Historically, for a sample on the request, only the frontend capability was used to set the sample validity flags while for a sample on the response only the backend was used. But it is a problem for listen or defaults proxies. For those proxies, all frontend and backend samples should be valid. However, at many place, only frontend ones are possible. For instance, it is impossible to set the backend name (be_name) into a variable from a listen proxy. This bug exists on all stable versions. Thus this patch should probably be backported. But with some caution because the code has probably changed serveral times. Note that nobody has ever noticed this issue. So the need to backport this patch must be evaluated for each branch. --- src/cfgparse-listen.c | 57 ++++++++++++++++++++++++++++--------------- src/cfgparse.c | 11 ++++++--- src/http_act.c | 52 +++++++++++++++++++++++++++++---------- src/http_htx.c | 12 +++++---- src/http_rules.c | 10 +++++--- src/vars.c | 22 +++++++++++++---- 6 files changed, 114 insertions(+), 50 deletions(-) diff --git a/src/cfgparse-listen.c b/src/cfgparse-listen.c index 9dbf7ed980..5deec5e6bd 100644 --- a/src/cfgparse-listen.c +++ b/src/cfgparse-listen.c @@ -1275,6 +1275,7 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) } else if (strcmp(args[0], "http-request") == 0) { /* request access control: allow/deny/auth */ struct act_rule *rule; + int where = 0; if ((curproxy->cap & PR_CAP_DEF) && strlen(curproxy->id) == 0) { ha_alert("parsing [%s:%d] : '%s' not allowed in anonymous 'defaults' section.\n", file, linenum, args[0]); 
@@ -1298,14 +1299,18 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) } err_code |= warnif_misplaced_http_req(curproxy, file, linenum, args[0]); - err_code |= warnif_cond_conflicts(rule->cond, - (curproxy->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_BE_HRQ_HDR, - file, linenum); + + if (curproxy->cap & PR_CAP_FE) + where |= SMP_VAL_FE_HRQ_HDR; + if (curproxy->cap & PR_CAP_BE) + where |= SMP_VAL_BE_HRQ_HDR; + err_code |= warnif_cond_conflicts(rule->cond, where, file, linenum); LIST_APPEND(&curproxy->http_req_rules, &rule->list); } else if (strcmp(args[0], "http-response") == 0) { /* response access control */ struct act_rule *rule; + int where = 0; if ((curproxy->cap & PR_CAP_DEF) && strlen(curproxy->id) == 0) { ha_alert("parsing [%s:%d] : '%s' not allowed in anonymous 'defaults' section.\n", file, linenum, args[0]); @@ -1328,15 +1333,17 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) goto out; } - err_code |= warnif_cond_conflicts(rule->cond, - (curproxy->cap & PR_CAP_BE) ? SMP_VAL_BE_HRS_HDR : SMP_VAL_FE_HRS_HDR, - file, linenum); + if (curproxy->cap & PR_CAP_FE) + where |= SMP_VAL_FE_HRS_HDR; + if (curproxy->cap & PR_CAP_BE) + where |= SMP_VAL_BE_HRS_HDR; + err_code |= warnif_cond_conflicts(rule->cond, where, file, linenum); LIST_APPEND(&curproxy->http_res_rules, &rule->list); } else if (strcmp(args[0], "http-after-response") == 0) { struct act_rule *rule; - + int where = 0; if ((curproxy->cap & PR_CAP_DEF) && strlen(curproxy->id) == 0) { ha_alert("parsing [%s:%d] : '%s' not allowed in anonymous 'defaults' section.\n", file, linenum, args[0]); err_code |= ERR_ALERT | ERR_FATAL; 
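Review bot: `where` is now the union of the frontend and backend request scopes, so on a proxy carrying both capability bits `warnif_cond_conflicts()` stays silent for any fetch that is valid on either side. That is the intent for `listen`, but the preceding hunk shows this branch rejects only anonymous `defaults` sections, so named ones reach this code too. If a rule parsed there can later run in a frontend-only or backend-only proxy, the scope checked here no longer matches the scope it is evaluated in; this is inferred from the context lines rather than visible in them, and worth confirming. At minimum I would record the assumption above the new lines, e.g. `/* union of FE and BE scopes: checked against this section's capabilities, not those of a proxy that inherits the rule */`. The same applies to the `http-response` and `http-after-response` hunks of this file (the `redirect` and `stats` branches refuse `defaults` outright); `cfg_parse_listen()` starts and ends outside the hunk.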
@@ -1358,9 +1365,11 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) goto out; } - err_code |= warnif_cond_conflicts(rule->cond, - (curproxy->cap & PR_CAP_BE) ? SMP_VAL_BE_HRS_HDR : SMP_VAL_FE_HRS_HDR, - file, linenum); + if (curproxy->cap & PR_CAP_FE) + where |= SMP_VAL_FE_HRS_HDR; + if (curproxy->cap & PR_CAP_BE) + where |= SMP_VAL_BE_HRS_HDR; + err_code |= warnif_cond_conflicts(rule->cond, where, file, linenum); LIST_APPEND(&curproxy->http_after_res_rules, &rule->list); } @@ -1392,6 +1401,7 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) } else if (strcmp(args[0], "redirect") == 0) { struct redirect_rule *rule; + int where = 0; if (curproxy->cap & PR_CAP_DEF) { ha_alert("parsing [%s:%d] : '%s' not allowed in 'defaults' section.\n", file, linenum, args[0]); @@ -1408,9 +1418,12 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) LIST_APPEND(&curproxy->redirect_rules, &rule->list); err_code |= warnif_misplaced_redirect(curproxy, file, linenum, args[0]); - err_code |= warnif_cond_conflicts(rule->cond, - (curproxy->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_BE_HRQ_HDR, - file, linenum); + + if (curproxy->cap & PR_CAP_FE) + where |= SMP_VAL_FE_HRQ_HDR; + if (curproxy->cap & PR_CAP_BE) + where |= SMP_VAL_BE_HRQ_HDR; + err_code |= warnif_cond_conflicts(rule->cond, where, file, linenum); } else if (strcmp(args[0], "use_backend") == 0) { struct switching_rule *rule; @@ -1751,6 +1764,7 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) goto stats_error_parsing; } else if (strcmp(args[1], "admin") == 0) { struct stats_admin_rule *rule; + int where = 0; if (curproxy->cap & PR_CAP_DEF) { ha_alert("parsing [%s:%d]: '%s %s' not allowed in 'defaults' section.\n", file, linenum, args[0], args[1]); 
@@ -1774,9 +1788,11 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) goto out; } - err_code |= warnif_cond_conflicts(cond, - (curproxy->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_BE_HRQ_HDR, - file, linenum); + if (curproxy->cap & PR_CAP_FE) + where |= SMP_VAL_FE_HRQ_HDR; + if (curproxy->cap & PR_CAP_BE) + where |= SMP_VAL_BE_HRQ_HDR; + err_code |= warnif_cond_conflicts(cond, where, file, linenum); rule = calloc(1, sizeof(*rule)); if (!rule) { @@ -1827,6 +1843,7 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) goto alloc_error; } else if (strcmp(args[1], "http-request") == 0) { /* request access control: allow/deny/auth */ struct act_rule *rule; + int where = 0; if (curproxy->cap & PR_CAP_DEF) { ha_alert("parsing [%s:%d]: '%s' not allowed in 'defaults' section.\n", file, linenum, args[0]); @@ -1851,9 +1868,11 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) goto out; } - err_code |= warnif_cond_conflicts(rule->cond, - (curproxy->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_BE_HRQ_HDR, - file, linenum); + if (curproxy->cap & PR_CAP_FE) + where |= SMP_VAL_FE_HRQ_HDR; + if (curproxy->cap & PR_CAP_BE) + where |= SMP_VAL_BE_HRQ_HDR; + err_code |= warnif_cond_conflicts(rule->cond, where, file, linenum); LIST_APPEND(&curproxy->uri_auth->http_req_rules, &rule->list); } else if (strcmp(args[1], "auth") == 0) { diff --git a/src/cfgparse.c b/src/cfgparse.c index 00faeac830..f013928f61 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c 
@@ -3201,15 +3201,18 @@ int check_config_validity() } if (curproxy->conf.uniqueid_format_string) { + int where = 0; + curproxy->conf.args.ctx = ARGC_UIF; curproxy->conf.args.file = curproxy->conf.uif_file; curproxy->conf.args.line = curproxy->conf.uif_line; err = NULL; + if (curproxy->cap & PR_CAP_FE) + where |= SMP_VAL_FE_HRQ_HDR; + if (curproxy->cap & PR_CAP_BE) + where |= SMP_VAL_BE_HRQ_HDR; if (!parse_logformat_string(curproxy->conf.uniqueid_format_string, curproxy, &curproxy->format_unique_id, - LOG_OPT_HTTP|LOG_OPT_MERGE_SPACES, - (curproxy->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR - : SMP_VAL_BE_HRQ_HDR, - &err)) { + LOG_OPT_HTTP|LOG_OPT_MERGE_SPACES, where, &err)) { ha_alert("Parsing [%s:%d]: failed to parse unique-id : %s.\n", curproxy->conf.uif_file, curproxy->conf.uif_line, err); free(err); diff --git a/src/http_act.c b/src/http_act.c index 1e2bbdb5ff..10cf243acb 100644 --- a/src/http_act.c +++ b/src/http_act.c @@ -154,6 +154,7 @@ static enum act_parse_ret parse_set_req_line(const char **args, int *orig_arg, s struct act_rule *rule, char **err) { int cur_arg = *orig_arg; + int cap = 0; switch (args[0][4]) { case 'm' : @@ -186,8 +187,11 @@ static enum act_parse_ret parse_set_req_line(const char **args, int *orig_arg, s LIST_INIT(&rule->arg.http.fmt); px->conf.args.ctx = ARGC_HRQ; - if (!parse_logformat_string(args[cur_arg], px, &rule->arg.http.fmt, LOG_OPT_HTTP, - (px->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_BE_HRQ_HDR, err)) { + if (px->cap & PR_CAP_FE) + cap |= SMP_VAL_FE_HRQ_HDR; + if (px->cap & PR_CAP_BE) + cap |= SMP_VAL_BE_HRQ_HDR; + if (!parse_logformat_string(args[cur_arg], px, &rule->arg.http.fmt, LOG_OPT_HTTP, cap, err)) { return ACT_RET_PRS_ERR; } @@ -588,6 +592,7 @@ static enum act_parse_ret parse_replace_uri(const char **args, int *orig_arg, st struct act_rule *rule, char **err) { int cur_arg = *orig_arg; + int cap = 0; char *error = NULL; switch (args[0][8]) { 
@@ -622,8 +627,11 @@ static enum act_parse_ret parse_replace_uri(const char **args, int *orig_arg, st LIST_INIT(&rule->arg.http.fmt); px->conf.args.ctx = ARGC_HRQ; - if (!parse_logformat_string(args[cur_arg + 1], px, &rule->arg.http.fmt, LOG_OPT_HTTP, - (px->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_BE_HRQ_HDR, err)) { + if (px->cap & PR_CAP_FE) + cap |= SMP_VAL_FE_HRQ_HDR; + if (px->cap & PR_CAP_BE) + cap |= SMP_VAL_BE_HRQ_HDR; + if (!parse_logformat_string(args[cur_arg + 1], px, &rule->arg.http.fmt, LOG_OPT_HTTP, cap, err)) { regex_free(rule->arg.http.re); return ACT_RET_PRS_ERR; } @@ -1478,7 +1486,7 @@ static enum act_return http_action_set_header(struct act_rule *rule, struct prox static enum act_parse_ret parse_http_set_header(const char **args, int *orig_arg, struct proxy *px, struct act_rule *rule, char **err) { - int cap, cur_arg; + int cap = 0, cur_arg; if (args[*orig_arg-1][0] == 'e') { rule->action = ACT_CUSTOM; @@ -1506,11 +1514,17 @@ static enum act_parse_ret parse_http_set_header(const char **args, int *orig_arg if (rule->from == ACT_F_HTTP_REQ) { px->conf.args.ctx = ARGC_HRQ; - cap = (px->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_BE_HRQ_HDR; + if (px->cap & PR_CAP_FE) + cap |= SMP_VAL_FE_HRQ_HDR; + if (px->cap & PR_CAP_BE) + cap |= SMP_VAL_BE_HRQ_HDR; } else{ px->conf.args.ctx = ARGC_HRS; - cap = (px->cap & PR_CAP_BE) ? SMP_VAL_BE_HRS_HDR : SMP_VAL_FE_HRS_HDR; + if (px->cap & PR_CAP_FE) + cap |= SMP_VAL_FE_HRS_HDR; + if (px->cap & PR_CAP_BE) + cap |= SMP_VAL_BE_HRS_HDR; } cur_arg++; @@ -1588,7 +1602,7 @@ static enum act_return http_action_replace_header(struct act_rule *rule, struct static enum act_parse_ret parse_http_replace_header(const char **args, int *orig_arg, struct proxy *px, struct act_rule *rule, char **err) { - int cap, cur_arg; + int cap = 0, cur_arg; if (args[*orig_arg-1][8] == 'h') rule->action = 0; // replace-header 
@@ -1615,11 +1629,17 @@ static enum act_parse_ret parse_http_replace_header(const char **args, int *orig if (rule->from == ACT_F_HTTP_REQ) { px->conf.args.ctx = ARGC_HRQ; - cap = (px->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_BE_HRQ_HDR; + if (px->cap & PR_CAP_FE) + cap |= SMP_VAL_FE_HRQ_HDR; + if (px->cap & PR_CAP_BE) + cap |= SMP_VAL_BE_HRQ_HDR; } else{ px->conf.args.ctx = ARGC_HRS; - cap = (px->cap & PR_CAP_BE) ? SMP_VAL_BE_HRS_HDR : SMP_VAL_FE_HRS_HDR; + if (px->cap & PR_CAP_FE) + cap |= SMP_VAL_FE_HRS_HDR; + if (px->cap & PR_CAP_BE) + cap |= SMP_VAL_BE_HRS_HDR; } cur_arg++; @@ -1900,7 +1920,7 @@ static void release_http_map(struct act_rule *rule) static enum act_parse_ret parse_http_set_map(const char **args, int *orig_arg, struct proxy *px, struct act_rule *rule, char **err) { - int cap, cur_arg; + int cap = 0, cur_arg; if (args[*orig_arg-1][0] == 'a') // add-acl rule->action = 0; @@ -1937,11 +1957,17 @@ static enum act_parse_ret parse_http_set_map(const char **args, int *orig_arg, s if (rule->from == ACT_F_HTTP_REQ) { px->conf.args.ctx = ARGC_HRQ; - cap = (px->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_BE_HRQ_HDR; + if (px->cap & PR_CAP_FE) + cap |= SMP_VAL_FE_HRQ_HDR; + if (px->cap & PR_CAP_BE) + cap |= SMP_VAL_BE_HRQ_HDR; } else{ px->conf.args.ctx = ARGC_HRS; - cap = (px->cap & PR_CAP_BE) ? SMP_VAL_BE_HRS_HDR : SMP_VAL_FE_HRS_HDR; + if (px->cap & PR_CAP_FE) + cap |= SMP_VAL_FE_HRS_HDR; + if (px->cap & PR_CAP_BE) + cap |= SMP_VAL_BE_HRS_HDR; } /* key pattern */ diff --git a/src/http_htx.c b/src/http_htx.c index bbbac4a90d..484b424862 100644 --- a/src/http_htx.c +++ b/src/http_htx.c @@ -1392,7 +1392,7 @@ struct http_reply *http_parse_http_reply(const char **args, int *orig_arg, struc struct stat stat; const char *act_arg = NULL; char *obj = NULL; - int cur_arg, cap, objlen = 0, fd = -1; + int cur_arg, cap = 0, objlen = 0, fd = -1; reply = calloc(1, sizeof(*reply)); 
@@ -1406,10 +1406,12 @@ struct http_reply *http_parse_http_reply(const char **args, int *orig_arg, struc if (px->conf.args.ctx == ARGC_HERR) cap = (SMP_VAL_REQUEST | SMP_VAL_RESPONSE); - else - cap = ((px->conf.args.ctx == ARGC_HRQ) - ? ((px->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_BE_HRQ_HDR) - : ((px->cap & PR_CAP_BE) ? SMP_VAL_BE_HRS_HDR : SMP_VAL_FE_HRS_HDR)); + else { + if (px->cap & PR_CAP_FE) + cap |= ((px->conf.args.ctx == ARGC_HRQ) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_FE_HRS_HDR); + if (px->cap & PR_CAP_BE) + cap |= ((px->conf.args.ctx == ARGC_HRQ) ? SMP_VAL_BE_HRS_HDR : SMP_VAL_BE_HRS_HDR); + } cur_arg = *orig_arg; while (*args[cur_arg]) { diff --git a/src/http_rules.c b/src/http_rules.c index bcff27bde3..0d6e165912 100644 --- a/src/http_rules.c +++ b/src/http_rules.c @@ -423,17 +423,19 @@ struct redirect_rule *http_parse_redirect_rule(const char *file, int linenum, st } else { /* log-format based redirect rule */ + int cap = 0; /* Parse destination. Note that in the REDIRECT_TYPE_PREFIX case, * if prefix == "/", we don't want to add anything, otherwise it * makes it hard for the user to configure a self-redirection. */ curproxy->conf.args.ctx = ARGC_RDR; + if (curproxy->cap & PR_CAP_FE) + cap |= (dir ? SMP_VAL_FE_HRS_HDR : SMP_VAL_FE_HRQ_HDR); + if (curproxy->cap & PR_CAP_BE) + cap |= (dir ? SMP_VAL_BE_HRS_HDR : SMP_VAL_BE_HRQ_HDR); if (!(type == REDIRECT_TYPE_PREFIX && destination[0] == '/' && destination[1] == '\0')) { - if (!parse_logformat_string(destination, curproxy, &rule->rdr_fmt, LOG_OPT_HTTP, - dir ? (curproxy->cap & PR_CAP_FE) ? SMP_VAL_FE_HRS_HDR : SMP_VAL_BE_HRS_HDR - : (curproxy->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_BE_HRQ_HDR, - errmsg)) { + if (!parse_logformat_string(destination, curproxy, &rule->rdr_fmt, LOG_OPT_HTTP, cap, errmsg)) { return NULL; } free(curproxy->conf.lfs_file); diff --git a/src/vars.c b/src/vars.c index 03b4bc7b65..999b05c85f 100644 --- a/src/vars.c +++ b/src/vars.c 
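Review bot: In the `PR_CAP_BE` branch both arms of the conditional are `SMP_VAL_BE_HRS_HDR`, so for a request-time reply (`ARGC_HRQ`) on a backend-capable proxy the mask receives the backend response scope instead of the backend request scope. `cap` is presumably handed to the sample validity check further down in `http_parse_http_reply()`, outside the hunk; if so, a response-only fetch would be accepted in a request-time reply on such a proxy, and on a backend-only proxy request fetches would be checked against the wrong scope. The line should mirror the `PR_CAP_FE` one: `cap |= ((px->conf.args.ctx == ARGC_HRQ) ? SMP_VAL_BE_HRQ_HDR : SMP_VAL_BE_HRS_HDR);`. The FE/BE accumulation is open-coded at every call site in this patch, which is how a slip like this gets in; a small helper taking the proxy and the two scope values would leave a single place to get right.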
@@ -777,7 +777,7 @@ static enum act_parse_ret parse_store(const char **args, int *arg, struct proxy const char *var_name = args[*arg-1]; int var_len; const char *kw_name; - int flags, set_var = 0; /* 0=unset-var, 1=set-var, 2=set-var-fmt */ + int flags = 0, set_var = 0; /* 0=unset-var, 1=set-var, 2=set-var-fmt */ struct sample empty_smp = { }; if (strncmp(var_name, "set-var-fmt", 11) == 0) { @@ -832,19 +832,31 @@ static enum act_parse_ret parse_store(const char **args, int *arg, struct proxy px->conf.args.ctx = ARGC_TSE; break; case ACT_F_TCP_REQ_CNT: - flags = (px->cap & PR_CAP_FE) ? SMP_VAL_FE_REQ_CNT : SMP_VAL_BE_REQ_CNT; + if (px->cap & PR_CAP_FE) + flags |= SMP_VAL_FE_REQ_CNT; + if (px->cap & PR_CAP_BE) + flags |= SMP_VAL_BE_REQ_CNT; px->conf.args.ctx = ARGC_TRQ; break; case ACT_F_TCP_RES_CNT: - flags = (px->cap & PR_CAP_FE) ? SMP_VAL_FE_RES_CNT : SMP_VAL_BE_RES_CNT; + if (px->cap & PR_CAP_FE) + flags |= SMP_VAL_FE_RES_CNT; + if (px->cap & PR_CAP_BE) + flags |= SMP_VAL_BE_RES_CNT; px->conf.args.ctx = ARGC_TRS; break; case ACT_F_HTTP_REQ: - flags = (px->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_BE_HRQ_HDR; + if (px->cap & PR_CAP_FE) + flags |= SMP_VAL_FE_HRQ_HDR; + if (px->cap & PR_CAP_BE) + flags |= SMP_VAL_BE_HRQ_HDR; px->conf.args.ctx = ARGC_HRQ; break; case ACT_F_HTTP_RES: - flags = (px->cap & PR_CAP_BE) ? SMP_VAL_BE_HRS_HDR : SMP_VAL_FE_HRS_HDR; + if (px->cap & PR_CAP_FE) + flags |= SMP_VAL_FE_HRS_HDR; + if (px->cap & PR_CAP_BE) + flags |= SMP_VAL_BE_HRS_HDR; px->conf.args.ctx = ARGC_HRS; break; case ACT_F_TCP_CHK: