27.10.2017 20:55, Alex Rousskov пишет: > On 10/27/2017 08:32 AM, Amos Jeffries wrote: >> On 28/10/17 02:59, Yuri wrote: >>> the regular expression is simply silently ignored and it is extremely >>> difficult to detect. >> That sounds like a library problem. If Squid receives a regex error code >> from the library when compiling any regex from your squid.conf it logs >> the relevant error to cache.log. > When a regular expression is using extended features, the basic regular > expression compiler often (or even always?!) does not fail because it > views the extended features as ordinary plain characters. Thus, Squid > cannot tell that something went wrong. > > I cannot give a Squid-based example quickly, but here is a related > illustration using grep (which is not exactly the same as what happens > inside Squid, but I suspect it is similar enough for the illustration > purposes in this context): > >> $ echo "foobar" | grep --basic-regexp 'foo|bar' >> $ echo "foobar" | grep --extended-regexp 'foo|bar' >> foobar > As you can see, the basic compiler is silent about the "|" character > that it does not support. Here is a similar example where a malformed > extended regular expression is silently accepted by the basic compiler: > > >> $ echo "foobar" | grep --basic-regexp 'foo(bar' >> $ echo "foobar" | grep --extended-regexp 'foo(bar' >> grep: Unmatched ( or \( > > In theory, Squid itself could detect special characters unsupported by > the current regex library but doing so correctly without breaking many > existing working configurations may be impossible. On the other hand, > this validation could become an optional feature that admins can control. > > The best strategy for a Squid admin working with complex regex ACLs may > be to add external test cases that validate ACL matching expectations, > but doing so requires significant amount of work and discipline. That's what I'm talking about. Just when it comes to hundreds and thousands of regular expressions - this approach seems not too acceptable. Therefore, I would like to see that the grammars used are clearly documented. Squid with a simple configuration check often does not show anything (if there are no obvious errors - i.e. incomplete regex or similar) and, in a productive configuration, it is extremely difficult to detect a non-working access control list parts. The websites are also thousands. Therefore, I would like either a clear documentation or some tool for checking whether the regular expression is correct from the point of view of the current library used by Squid or not. The existing opportunities seem completely unsatisfactory. > > Alex. > _______________________________________________ > squid-users mailing list > squid-users@xxxxxxxxxxxxxxxxxxxxx > http://lists.squid-cache.org/listinfo/squid-users -- ************************** * C++: Bug to the future * **************************
Attachment:
0x3E3743A7.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users