squid-2365

Version:

2.6.STABLE23

Bug link:

http://bugs.squid-cache.org/show_bug.cgi?id=2365

Symptom (Failure):
When cachemgr.cgi is used to show the configuration, the “<” character from the config file is not quoted. It is printed as-is in the HTML, so the browser treats it as an HTML tag.

How it is diagnosed:

We reproduced the failure.

1. Set up the squid cachemgr as described in:

http://wiki.squid-cache.org/SquidFaq/CacheManager

This requires an Apache httpd server running on the same machine, so set one up as well.

2. A password also needs to be set for config.

3. Then put cachemgr.cgi into Apache’s cgi-bin folder, and access:

http://url-of-httpd:port/Squid/cgi-bin/cachemgr.cgi

Root Cause:

Some lines in the configuration file contain “<”, which should be quoted when displayed in HTML.

The line that caused trouble:

logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt

--- tools/cachemgr.c        25 Jun 2007 12:25:42 -0000        1.6

+++ tools/cachemgr.c        24 Jun 2008 22:23:34 -0000

@@ -363,7 +363,7 @@ error_html(const char *msg)

    printf("<HTML><HEAD><TITLE>Cache Manager Error</TITLE>\n");

    printf("<STYLE type=\"text/css\"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}--></STYLE></HEAD>\n");

    printf("<BODY><H1>Cache Manager Error</H1>\n");

-   printf("<P>\n%s</P>\n", msg);

+   printf("<P>\n%s</P>\n", html_quote(msg));

    print_trailer();

}
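
Review bot: In `error_html`, `msg` is now escaped unconditionally at `printf("<P>\n%s</P>\n", html_quote(msg));`, so a caller that passes markup on purpose, or text that is already escaped, will render literal tags or double-escaped entities. Please check the callers of `error_html` and add a comment above the function stating that `msg` is plain text. It is also worth confirming that `html_quote` tolerates a NULL `msg`, since its result goes straight into `%s`.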

@@ -459,7 +459,7 @@ munge_other_line(const char *buf, cachem

    if (!strchr(buf, '\t') || *buf == '\t') {

        /* nope, just text */

        snprintf(html, sizeof(html), "%s%s",

-        table_line_num ? "</table>\n<pre>" : "", buf);

+        table_line_num ? "</table>\n<pre>" : "", html_quote(buf));

        table_line_num = 0;

        return html;

    }
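
Review bot: The escaped text is longer than `buf` (each `<` expands to an entity), yet the `snprintf(html, sizeof(html), "%s%s", ...)` call in the plain-text branch of `munge_other_line` still ignores its return value, so a long line can now be cut off at `sizeof(html)`, possibly in the middle of an entity. Suggest comparing the return value against `sizeof(html)` and handling truncation explicitly.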

@@ -487,7 +487,7 @@ munge_other_line(const char *buf, cachem

        l += snprintf(html + l, sizeof(html) - l, "<%s colspan=\"%d\" align=\"%s\">%s</%s>",

            ttag, column_span,

            is_header ? "center" : is_number(cell) ? "right" : "left",

-            cell, ttag);

+            html_quote(cell), ttag);

    }

    xfree(buf_copy);

    /* record ends */
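
Review bot: `l += snprintf(html + l, sizeof(html) - l, ...)` adds the length that would have been written, not the length that fit, and `html_quote(cell)` makes each cell longer, so `l` can pass `sizeof(html)` more easily than before. If this statement runs more than once per line, the next call then gets a wrapped `sizeof(html) - l` and a pointer past the buffer. Suggest checking `l < sizeof(html)` before each call and stopping once the buffer is full.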

Is there any log message?

No.

Can developers or Errlog anticipate the error?

No. It is simply a wrong computation, and the result is not used in any condition.