{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":24519987,"defaultBranch":"master","name":"squid","ownerLogin":"squid-cache","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2014-09-27T00:59:40.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/363029?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1726435201.0","currentOid":""},"activityList":{"items":[{"before":"fdc5bf76a3ce83fee72e6b871f0df30504b342df","after":"0bbb86f5fd909148e78eca199e5134581338e58e","ref":"refs/heads/auto","pushedAt":"2024-09-20T22:36:03.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Bug 5428: Warn if pkg-config is not found (#1902)\n\nSquid builds without pkg-config, but results are likely to surprise\nadministrators because many optional features will not be\ndefault-enabled despite properly installed libraries.","shortMessageHtmlLink":"Bug 5428: Warn if pkg-config is not found (#1902)"}},{"before":"84f5cdd658e3e8362ef5a38958ac3a4b3055e763","after":"fdc5bf76a3ce83fee72e6b871f0df30504b342df","ref":"refs/heads/master","pushedAt":"2024-09-20T22:25:17.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Use ERR_ACCESS_DENIED for HTTP 403 (Forbidden) errors (#1899)\n\n... when request authentication fails. Do not use\nERR_CACHE_ACCESS_DENIED for those \"permanent\" errors.\n\nDefault ERR_CACHE_ACCESS_DENIED is meant for cases where the user is\nlikely to eventually gain access (e.g., by supplying credentials). Its\ndefault text says \"not currently allowed... until you have authenticated\nyourself\". 
When the error page was added in 1998 commit cb69b4c7 it was\nonly used for HTTP 407 errors. The same logic was preserved when that\ncode was refactored in 1999 commit 1cfdbcf0, but exceptions started to\ncreep in, perhaps accidentally, since 2011 when HTTP 403 case was added\nin commit 2f1431ea that introduced USE_AUTH macro. 2011 commit 21512911\nadded a similar \"not possible to authenticate\" SslBump case.\n\nOther HTTP 403 (Forbidden) cases already use ERR_ACCESS_DENIED or a\nsimilar \"permanent\" error (e.g., ERR_FORWARDING_DENIED or ERR_TOO_BIG).\n\nIt is still possible to customize the returned error page via deny_info.","shortMessageHtmlLink":"Use ERR_ACCESS_DENIED for HTTP 403 (Forbidden) errors (#1899)"}},{"before":"5b8668e65bbce545434af46cda2ea1c15bf34bc9","after":"fdc5bf76a3ce83fee72e6b871f0df30504b342df","ref":"refs/heads/auto","pushedAt":"2024-09-20T18:47:13.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Use ERR_ACCESS_DENIED for HTTP 403 (Forbidden) errors (#1899)\n\n... when request authentication fails. Do not use\nERR_CACHE_ACCESS_DENIED for those \"permanent\" errors.\n\nDefault ERR_CACHE_ACCESS_DENIED is meant for cases where the user is\nlikely to eventually gain access (e.g., by supplying credentials). Its\ndefault text says \"not currently allowed... until you have authenticated\nyourself\". When the error page was added in 1998 commit cb69b4c7 it was\nonly used for HTTP 407 errors. The same logic was preserved when that\ncode was refactored in 1999 commit 1cfdbcf0, but exceptions started to\ncreep in, perhaps accidentally, since 2011 when HTTP 403 case was added\nin commit 2f1431ea that introduced USE_AUTH macro. 
2011 commit 21512911\nadded a similar \"not possible to authenticate\" SslBump case.\n\nOther HTTP 403 (Forbidden) cases already use ERR_ACCESS_DENIED or a\nsimilar \"permanent\" error (e.g., ERR_FORWARDING_DENIED or ERR_TOO_BIG).\n\nIt is still possible to customize the returned error page via deny_info.","shortMessageHtmlLink":"Use ERR_ACCESS_DENIED for HTTP 403 (Forbidden) errors (#1899)"}},{"before":"84f5cdd658e3e8362ef5a38958ac3a4b3055e763","after":"5b8668e65bbce545434af46cda2ea1c15bf34bc9","ref":"refs/heads/auto","pushedAt":"2024-09-20T09:45:38.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Bug 5428: Warn if pkg-config is not found (#1902)\n\nSquid builds without pkg-config, but results are likely to surprise\nadministrators because many optional features will not be\ndefault-enabled despite properly installed libraries.","shortMessageHtmlLink":"Bug 5428: Warn if pkg-config is not found (#1902)"}},{"before":"908634e8c63a33918d7620c8cb44774748b7ebba","after":"84f5cdd658e3e8362ef5a38958ac3a4b3055e763","ref":"refs/heads/master","pushedAt":"2024-09-20T09:34:54.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Fix ENTRY_ABORTED assertion in sendClientOldEntry() (#1903)\n\n FATAL: assertion failed: client_side_reply.cc:392:\n \"!EBIT_TEST(http->storeEntry()->flags, ENTRY_ABORTED)\"\n\nThe replaced assertion was wrong because a stale entry may be aborted\nwhile we are revalidating it. The exact real-world conditions that\ntriggered this assertion are unknown, but many conditions lead to\naborted entries. 
The assertion can be triggered in lab tests using a hit\ntransaction that collapses on a miss transaction that runs into storage\nproblems (e.g., a memory cache that ran out of usable space).\n\nAlso adjusted cacheHit() to avoid similar problems. We have not\nreproduced them, but no code maintains the asserted invariant on the\ncacheHit() path either. Moreover, async-called cacheHit() initiates\nprocessExpired() that leads to problematic sendClientOldEntry() call, so\nseeing an aborted StoreEntry at cacheHit() time is probably a matter of\nsufficient concurrency levels and asynchronous callback delays.","shortMessageHtmlLink":"Fix ENTRY_ABORTED assertion in sendClientOldEntry() (#1903)"}},{"before":"721c1cf49f67ef980fa2e9624420e271b9b0afef","after":"84f5cdd658e3e8362ef5a38958ac3a4b3055e763","ref":"refs/heads/auto","pushedAt":"2024-09-19T22:13:15.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Fix ENTRY_ABORTED assertion in sendClientOldEntry() (#1903)\n\n FATAL: assertion failed: client_side_reply.cc:392:\n \"!EBIT_TEST(http->storeEntry()->flags, ENTRY_ABORTED)\"\n\nThe replaced assertion was wrong because a stale entry may be aborted\nwhile we are revalidating it. The exact real-world conditions that\ntriggered this assertion are unknown, but many conditions lead to\naborted entries. The assertion can be triggered in lab tests using a hit\ntransaction that collapses on a miss transaction that runs into storage\nproblems (e.g., a memory cache that ran out of usable space).\n\nAlso adjusted cacheHit() to avoid similar problems. We have not\nreproduced them, but no code maintains the asserted invariant on the\ncacheHit() path either. 
Moreover, async-called cacheHit() initiates\nprocessExpired() that leads to problematic sendClientOldEntry() call, so\nseeing an aborted StoreEntry at cacheHit() time is probably a matter of\nsufficient concurrency levels and asynchronous callback delays.","shortMessageHtmlLink":"Fix ENTRY_ABORTED assertion in sendClientOldEntry() (#1903)"}},{"before":"77d3895e1de5275d30aec79e7aace7bdbcee546c","after":"721c1cf49f67ef980fa2e9624420e271b9b0afef","ref":"refs/heads/auto","pushedAt":"2024-09-19T21:35:36.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Bug 5428: Warn if pkg-config is not found (#1902)\n\nSquid builds without pkg-config, but results are likely to surprise\nadministrators because many optional features will not be\ndefault-enabled despite properly installed libraries.","shortMessageHtmlLink":"Bug 5428: Warn if pkg-config is not found (#1902)"}},{"before":"cc0b6894286810f9e79ae162e6f34f4ba4ca9535","after":"5d701898c215759ccd95877fb785203417edb1d0","ref":"refs/heads/v6","pushedAt":"2024-09-15T20:54:39.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"kinkie","name":"Francesco Chemolli","path":"/kinkie","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5175948?s=80&v=4"},"commit":{"message":"v6.11","shortMessageHtmlLink":"v6.11"}},{"before":"d9fd4db2579d8cffa89e1ccd823475c11c8dbce6","after":"cc0b6894286810f9e79ae162e6f34f4ba4ca9535","ref":"refs/heads/v6","pushedAt":"2024-09-15T20:52:03.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"kinkie","name":"Francesco Chemolli","path":"/kinkie","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5175948?s=80&v=4"},"commit":{"message":"Prep for v6.11 (#1886)\n\n* Prep for 6.11\r\n\r\n* Update release date","shortMessageHtmlLink":"Prep for v6.11 
(#1886)"}},{"before":"99deeb416b058a0918b43be86efc610cab10f9d8","after":"77d3895e1de5275d30aec79e7aace7bdbcee546c","ref":"refs/heads/auto","pushedAt":"2024-09-15T14:40:44.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Prep for v6.11 (#1886)","shortMessageHtmlLink":"Prep for v6.11 (#1886)"}},{"before":"908634e8c63a33918d7620c8cb44774748b7ebba","after":"99deeb416b058a0918b43be86efc610cab10f9d8","ref":"refs/heads/auto","pushedAt":"2024-09-11T01:30:18.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Prep for v6.11 (#1886)","shortMessageHtmlLink":"Prep for v6.11 (#1886)"}},{"before":"5f31e83aa7d399045171dafd10f6934cd1eb5d5c","after":"908634e8c63a33918d7620c8cb44774748b7ebba","ref":"refs/heads/master","pushedAt":"2024-09-11T01:26:25.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Bug 5293: Security::CreateClientSession uses wrong TLS options (#1895)\n\nWhen establishing a TLS connection to an origin server _through_ a\ncache_peer, Security::CreateClientSession() used cache_peer's\nSecurity::PeerOptions instead of global ProxyOutgoingConfig (i.e.\ntls_outgoing_options). 
Used cache_peer's PeerOptions are unrelated to\nthe (tunneled) TLS connection in question (and are currently empty\nbecause Squid does not support TLS inside TLS -- the cache_peer accepts\nplain HTTP connections).\n\nThis TLS context:options mismatch exists in both OpenSSL and GnuTLS\nbuilds, but it currently does not affect OpenSSL builds where\nCreateSession() gets TLS options from its Security::Context parameter\nrather than its (unused) Security::PeerOptions parameter.\n\nThe mismatch exists on both PeekingPeerConnector/SslBump and\nBlindPeerConnector code paths.\n\nThis minimal change pairs TLS context with its TLS options. Long-term,\nthe added FuturePeerContext shim (that stores references to independent\ncontext and options objects) should be replaced with a PeerContext class\nthat encapsulates those two objects. We may also be able to avoid\nre-computing GnuTLS context from options and to simplify code by\npreventing PeerConnector construction in Squid builds that do not\nsupport TLS. 
That refactoring should be done separately because it\ntriggers many changes unrelated to Bug 5293.\n\nAlso removed updateSessionOptions() from\nPeekingPeerConnector::initialize() because Security::CreateSession(),\ncalled by our parent initialize() method, already sets session options.\nIt is easier to remove that call/code than keep it up to date.\nSecurity::BlindPeerConnector does not updateSessionOptions().","shortMessageHtmlLink":"Bug 5293: Security::CreateClientSession uses wrong TLS options (#1895)"}},{"before":"c42a36d3b8d5dc60a732093aa40f8e08558d113e","after":"908634e8c63a33918d7620c8cb44774748b7ebba","ref":"refs/heads/auto","pushedAt":"2024-09-10T20:30:58.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Bug 5293: Security::CreateClientSession uses wrong TLS options (#1895)\n\nWhen establishing a TLS connection to an origin server _through_ a\ncache_peer, Security::CreateClientSession() used cache_peer's\nSecurity::PeerOptions instead of global ProxyOutgoingConfig (i.e.\ntls_outgoing_options). Used cache_peer's PeerOptions are unrelated to\nthe (tunneled) TLS connection in question (and are currently empty\nbecause Squid does not support TLS inside TLS -- the cache_peer accepts\nplain HTTP connections).\n\nThis TLS context:options mismatch exists in both OpenSSL and GnuTLS\nbuilds, but it currently does not affect OpenSSL builds where\nCreateSession() gets TLS options from its Security::Context parameter\nrather than its (unused) Security::PeerOptions parameter.\n\nThe mismatch exists on both PeekingPeerConnector/SslBump and\nBlindPeerConnector code paths.\n\nThis minimal change pairs TLS context with its TLS options. 
Long-term,\nthe added FuturePeerContext shim (that stores references to independent\ncontext and options objects) should be replaced with a PeerContext class\nthat encapsulates those two objects. We may also be able to avoid\nre-computing GnuTLS context from options and to simplify code by\npreventing PeerConnector construction in Squid builds that do not\nsupport TLS. That refactoring should be done separately because it\ntriggers many changes unrelated to Bug 5293.\n\nAlso removed updateSessionOptions() from\nPeekingPeerConnector::initialize() because Security::CreateSession(),\ncalled by our parent initialize() method, already sets session options.\nIt is easier to remove that call/code than keep it up to date.\nSecurity::BlindPeerConnector does not updateSessionOptions().","shortMessageHtmlLink":"Bug 5293: Security::CreateClientSession uses wrong TLS options (#1895)"}},{"before":"5f31e83aa7d399045171dafd10f6934cd1eb5d5c","after":"c42a36d3b8d5dc60a732093aa40f8e08558d113e","ref":"refs/heads/auto","pushedAt":"2024-09-10T01:32:46.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Prep for v6.11 (#1886)","shortMessageHtmlLink":"Prep for v6.11 (#1886)"}},{"before":"5370d36199e577b6aa424658260aab08e32d9015","after":"5f31e83aa7d399045171dafd10f6934cd1eb5d5c","ref":"refs/heads/master","pushedAt":"2024-09-10T01:27:44.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Limit Server::inBuf growth (#1898)\n\nAfter a ReadNow() call, the buffer length must not exceed accumulation\nlimits (e.g., client_request_buffer_max_size). 
SBuf::reserve() alone\ncannot reliably enforce those limits because it does not decrease SBuf\nspace; various SBuf manipulations may lead to excessive SBuf space. When\nfilled by ReadNow(), that space exceeds the limit.\n\nThis change uses documented CommIoCbParams::size trick to limit how much\nComm::ReadNow() may read, obeying SQUID_TCP_SO_RCVBUF (server-to-Squid)\nand client_request_buffer_max_size (client-to-Squid) accumulation limit.","shortMessageHtmlLink":"Limit Server::inBuf growth (#1898)"}},{"before":"2d6f19fa44d1e4896ed43efd8d797704f1d6526f","after":"5f31e83aa7d399045171dafd10f6934cd1eb5d5c","ref":"refs/heads/auto","pushedAt":"2024-09-09T20:27:23.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Limit Server::inBuf growth (#1898)\n\nAfter a ReadNow() call, the buffer length must not exceed accumulation\nlimits (e.g., client_request_buffer_max_size). SBuf::reserve() alone\ncannot reliably enforce those limits because it does not decrease SBuf\nspace; various SBuf manipulations may lead to excessive SBuf space. 
When\nfilled by ReadNow(), that space exceeds the limit.\n\nThis change uses documented CommIoCbParams::size trick to limit how much\nComm::ReadNow() may read, obeying SQUID_TCP_SO_RCVBUF (server-to-Squid)\nand client_request_buffer_max_size (client-to-Squid) accumulation limit.","shortMessageHtmlLink":"Limit Server::inBuf growth (#1898)"}},{"before":"5370d36199e577b6aa424658260aab08e32d9015","after":"2d6f19fa44d1e4896ed43efd8d797704f1d6526f","ref":"refs/heads/auto","pushedAt":"2024-09-09T16:41:26.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Prep for v6.11 (#1886)","shortMessageHtmlLink":"Prep for v6.11 (#1886)"}},{"before":"4d6dd3ddba5e850a42c86d8233735165a371c31c","after":"5370d36199e577b6aa424658260aab08e32d9015","ref":"refs/heads/master","pushedAt":"2024-09-09T16:35:19.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Bug 5417: An empty annotation value does not match (#1896)\n\nHelpers may return annotations with empty values:\n\n OK team_=\"\"\n\nA note ACL may be configured to match an annotation with an empty value:\n\n configuration_includes_quoted_values on\n acl emptyTeam note team_ \"\"\n\nHowever, that emptyTeam ACL did not match the above helper annotation:\n\n* AppendTokens() split an empty annotation value into an empty vector\n instead of a vector with a single empty entry. That \"never match an\n empty value received from the helper\" bug was probably introduced in\n 2017 commit 75d47340 when it replaced an \"always try to match an empty\n value, even when it was not received from the helper\" bug in\n ACLNoteStrategy::matchNotes().\n\n* ACLStringData::match(SBuf v) never matched an empty value v. 
That bug\n was probably introduced in 2015 commit 76ee67ac that mistook a nil\n c-string pointer for an empty c-string.","shortMessageHtmlLink":"Bug 5417: An empty annotation value does not match (#1896)"}},{"before":"434c3b7401668ffb41bf0031461d9f73fbc4283b","after":"5370d36199e577b6aa424658260aab08e32d9015","ref":"refs/heads/auto","pushedAt":"2024-09-09T12:52:24.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Bug 5417: An empty annotation value does not match (#1896)\n\nHelpers may return annotations with empty values:\n\n OK team_=\"\"\n\nA note ACL may be configured to match an annotation with an empty value:\n\n configuration_includes_quoted_values on\n acl emptyTeam note team_ \"\"\n\nHowever, that emptyTeam ACL did not match the above helper annotation:\n\n* AppendTokens() split an empty annotation value into an empty vector\n instead of a vector with a single empty entry. That \"never match an\n empty value received from the helper\" bug was probably introduced in\n 2017 commit 75d47340 when it replaced an \"always try to match an empty\n value, even when it was not received from the helper\" bug in\n ACLNoteStrategy::matchNotes().\n\n* ACLStringData::match(SBuf v) never matched an empty value v. 
That bug\n was probably introduced in 2015 commit 76ee67ac that mistook a nil\n c-string pointer for an empty c-string.","shortMessageHtmlLink":"Bug 5417: An empty annotation value does not match (#1896)"}},{"before":"4d6dd3ddba5e850a42c86d8233735165a371c31c","after":"434c3b7401668ffb41bf0031461d9f73fbc4283b","ref":"refs/heads/auto","pushedAt":"2024-09-05T17:46:05.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Prep for v6.11 (#1886)","shortMessageHtmlLink":"Prep for v6.11 (#1886)"}},{"before":"ed8b040461bc6916d2acc96c2e6dd86c89de0110","after":"4d6dd3ddba5e850a42c86d8233735165a371c31c","ref":"refs/heads/master","pushedAt":"2024-09-05T17:41:17.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Bug 5405: Large uploads fill request buffer and die (#1887)\n\n maybeMakeSpaceAvailable: request buffer full\n ReadNow: ... size 0, retval 0, errno 0\n terminateAll: 1/1 after ERR_CLIENT_GONE/WITH_CLIENT\n %Ss=TCP_MISS_ABORTED\n\nThis bug is triggered by a combination of the following two conditions:\n\n* HTTP client upload fills Squid request buffer faster than it is\n drained by an origin server, cache_peer, or REQMOD service. The buffer\n accumulates 576 KB (default 512 KB client_request_buffer_max_size + 64\n KB internal \"pipe\" buffer).\n\n* The affected server or service consumes a few bytes after the critical\n accumulation is reached. In other words, the bug cannot be triggered\n if nothing is consumed after the first condition above is met.\n\nComm::ReadNow() must not be called with a full buffer: Related\nFD_READ_METHOD() code cannot distinguish \"received EOF\" from \"had no\nbuffer space\" outcomes. 
Server::readSomeData() tried to prevent such\ncalls, but the corresponding check had two problems:\n\n* The check had an unsigned integer underflow bug[^1] that made it\n ineffective when inBuf length exceeded Config.maxRequestBufferSize.\n That length could exceed the limit due to reconfiguration and when\n inBuf space size first grew outside of maybeMakeSpaceAvailable()\n protections (e.g., during an inBuf.c_str() call) and then got filled\n with newly read data. That growth started happening after 2020 commit\n 1dfbca06 optimized SBuf::cow() to merge leading and trailing space.\n Prior to that commit, Bug 5405 could probably only affect Squid\n reconfigurations that lower client_request_buffer_max_size.\n\n* The check was separated from the ReadNow() call it was meant to\n protect. While ConnStateData was waiting for the socket to become\n ready for reading, various asynchronous events could alter inBuf or\n Config.maxRequestBufferSize.\n\nThis change fixes both problems.\n\nThis change also fixes Squid Bug 5214.\n\n[^1]: That underflow bug was probably introduced in 2015 commit 4d1376d7\nwhile trying to emulate the original \"do not read less than two bytes\"\nConnStateData::In::maybeMakeSpaceAvailable() condition. That condition\nitself looks like a leftover from manual zero-terminated input buffer\ndays that ended with 2014 commit e7287625. It is now removed.","shortMessageHtmlLink":"Bug 5405: Large uploads fill request buffer and die (#1887)"}},{"before":"02f8272c14352fe8f6c0a8ec38ef1a18c20b0db3","after":"4d6dd3ddba5e850a42c86d8233735165a371c31c","ref":"refs/heads/auto","pushedAt":"2024-09-05T14:12:21.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Bug 5405: Large uploads fill request buffer and die (#1887)\n\n maybeMakeSpaceAvailable: request buffer full\n ReadNow: ... 
size 0, retval 0, errno 0\n terminateAll: 1/1 after ERR_CLIENT_GONE/WITH_CLIENT\n %Ss=TCP_MISS_ABORTED\n\nThis bug is triggered by a combination of the following two conditions:\n\n* HTTP client upload fills Squid request buffer faster than it is\n drained by an origin server, cache_peer, or REQMOD service. The buffer\n accumulates 576 KB (default 512 KB client_request_buffer_max_size + 64\n KB internal \"pipe\" buffer).\n\n* The affected server or service consumes a few bytes after the critical\n accumulation is reached. In other words, the bug cannot be triggered\n if nothing is consumed after the first condition above is met.\n\nComm::ReadNow() must not be called with a full buffer: Related\nFD_READ_METHOD() code cannot distinguish \"received EOF\" from \"had no\nbuffer space\" outcomes. Server::readSomeData() tried to prevent such\ncalls, but the corresponding check had two problems:\n\n* The check had an unsigned integer underflow bug[^1] that made it\n ineffective when inBuf length exceeded Config.maxRequestBufferSize.\n That length could exceed the limit due to reconfiguration and when\n inBuf space size first grew outside of maybeMakeSpaceAvailable()\n protections (e.g., during an inBuf.c_str() call) and then got filled\n with newly read data. That growth started happening after 2020 commit\n 1dfbca06 optimized SBuf::cow() to merge leading and trailing space.\n Prior to that commit, Bug 5405 could probably only affect Squid\n reconfigurations that lower client_request_buffer_max_size.\n\n* The check was separated from the ReadNow() call it was meant to\n protect. 
While ConnStateData was waiting for the socket to become\n ready for reading, various asynchronous events could alter inBuf or\n Config.maxRequestBufferSize.\n\nThis change fixes both problems.\n\nThis change also fixes Squid Bug 5214.\n\n[^1]: That underflow bug was probably introduced in 2015 commit 4d1376d7\nwhile trying to emulate the original \"do not read less than two bytes\"\nConnStateData::In::maybeMakeSpaceAvailable() condition. That condition\nitself looks like a leftover from manual zero-terminated input buffer\ndays that ended with 2014 commit e7287625. It is now removed.","shortMessageHtmlLink":"Bug 5405: Large uploads fill request buffer and die (#1887)"}},{"before":"ed8b040461bc6916d2acc96c2e6dd86c89de0110","after":"02f8272c14352fe8f6c0a8ec38ef1a18c20b0db3","ref":"refs/heads/auto","pushedAt":"2024-09-01T00:39:30.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Prep for v6.11 (#1886)","shortMessageHtmlLink":"Prep for v6.11 (#1886)"}},{"before":"060e9c03d1434e266c85101a677f6e49ba910b32","after":"ed8b040461bc6916d2acc96c2e6dd86c89de0110","ref":"refs/heads/master","pushedAt":"2024-09-01T00:35:50.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Reject config with unknown directives before committing to it (#1897)\n\nIdeally, we want to reject configurations with unknown directives before\napplying any configuration changes that correspond to known directives,\nbut current apply-as-you-parse architecture makes that impractical.\nPending smooth reconfiguration refactoring will make that possible, but\nwe can make a step towards that ideal future now.\n\nRejecting bad configurations before calling 
configDoConfigure() reduces\nthe set of configuration errors that Squid can detect in one execution\n(because configDoConfigure() error-checking code is not reached), but\nthat small reduction is a lesser evil compared to running\nconfigDoConfigure() with a clearly broken config, especially when we are\ngoing to kill Squid anyway. While many legacy parse_foo() functions do\napply significant changes before configDoConfigure(), we cannot easily\nprevent that (for now). We can easily prevent configDoConfigure().","shortMessageHtmlLink":"Reject config with unknown directives before committing to it (#1897)"}},{"before":"f4f3e708b9da9ccc30d50325ae16ef78f1d28e26","after":"ed8b040461bc6916d2acc96c2e6dd86c89de0110","ref":"refs/heads/auto","pushedAt":"2024-08-31T20:07:10.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Reject config with unknown directives before committing to it (#1897)\n\nIdeally, we want to reject configurations with unknown directives before\napplying any configuration changes that correspond to known directives,\nbut current apply-as-you-parse architecture makes that impractical.\nPending smooth reconfiguration refactoring will make that possible, but\nwe can make a step towards that ideal future now.\n\nRejecting bad configurations before calling configDoConfigure() reduces\nthe set of configuration errors that Squid can detect in one execution\n(because configDoConfigure() error-checking code is not reached), but\nthat small reduction is a lesser evil compared to running\nconfigDoConfigure() with a clearly broken config, especially when we are\ngoing to kill Squid anyway. While many legacy parse_foo() functions do\napply significant changes before configDoConfigure(), we cannot easily\nprevent that (for now). 
We can easily prevent configDoConfigure().","shortMessageHtmlLink":"Reject config with unknown directives before committing to it (#1897)"}},{"before":"060e9c03d1434e266c85101a677f6e49ba910b32","after":"f4f3e708b9da9ccc30d50325ae16ef78f1d28e26","ref":"refs/heads/auto","pushedAt":"2024-08-27T22:20:00.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Prep for v6.11 (#1886)","shortMessageHtmlLink":"Prep for v6.11 (#1886)"}},{"before":"54388f5c79430ec2cc9d9df20b115326a06d8a65","after":"060e9c03d1434e266c85101a677f6e49ba910b32","ref":"refs/heads/master","pushedAt":"2024-08-25T04:56:38.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Use git to extract default build-info (when enabled) (#1892)\n\nHave configure option --enable-build-info[=yes]\nrefer to git instead of bazaar to extract\ninformation about what is being built to include\nin the output of `squid -v`","shortMessageHtmlLink":"Use git to extract default build-info (when enabled) (#1892)"}},{"before":"54388f5c79430ec2cc9d9df20b115326a06d8a65","after":"060e9c03d1434e266c85101a677f6e49ba910b32","ref":"refs/heads/auto","pushedAt":"2024-08-25T00:28:21.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Use git to extract default build-info (when enabled) (#1892)\n\nHave configure option --enable-build-info[=yes]\nrefer to git instead of bazaar to extract\ninformation about what is being built to include\nin the output of `squid -v`","shortMessageHtmlLink":"Use git to extract default build-info (when enabled) 
(#1892)"}},{"before":"64b62887c86c8609b478faf2b11d5e0da35b3e95","after":"54388f5c79430ec2cc9d9df20b115326a06d8a65","ref":"refs/heads/master","pushedAt":"2024-08-24T23:30:19.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Maintenance: Clarify unusual IP:Intercept::LookupNat() API (#1894)","shortMessageHtmlLink":"Maintenance: Clarify unusual IP:Intercept::LookupNat() API (#1894)"}},{"before":"c4e6ac97f895d8fb2aba9764efefc5ba186874c3","after":"54388f5c79430ec2cc9d9df20b115326a06d8a65","ref":"refs/heads/auto","pushedAt":"2024-08-24T16:33:08.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"squid-anubis","name":"Squid Anubis","path":"/squid-anubis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35778098?s=80&v=4"},"commit":{"message":"Maintenance: Clarify unusual IP:Intercept::LookupNat() API (#1894)","shortMessageHtmlLink":"Maintenance: Clarify unusual IP:Intercept::LookupNat() API (#1894)"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"Y3Vyc29yOnYyOpK7MjAyNC0wOS0yMFQyMjozNjowMy4wMDAwMDBazwAAAAS8at8I","startCursor":"Y3Vyc29yOnYyOpK7MjAyNC0wOS0yMFQyMjozNjowMy4wMDAwMDBazwAAAAS8at8I","endCursor":"Y3Vyc29yOnYyOpK7MjAyNC0wOC0yNFQxNjozMzowOC4wMDAwMDBazwAAAASjIaj2"}},"title":"Activity · squid-cache/squid"}