From patchwork Sun May 19 01:14:00 2019
X-Patchwork-Id: 2255
From: Peter Müller
To: Stefan Schantl
Cc: "IPFire: Development-List"
Subject: Question regarding upstream proxy validation in ids-functions.pl
Organization: IPFire.org
Message-ID: <7433eaad-7c6d-dfd2-84c8-2409d71b4b3b@ipfire.org>
Date: Sat, 18 May 2019 15:14:00 +0000

Hello Stefan,

while upgrading to Core Update 131, I stumbled across the "downloadruleset()" function in ids-functions.pl. It seems to contain a validation for read proxy information which is faulty and will not return any information.

By removing the validation as shown in the diff below, the CGI works correctly behind an upstream proxy:

Since I guess the validation was intentional, could you please explain to me what it was supposed to do? I am not sure if I got the regex right...

Either way, the CGI is currently not working behind an upstream proxy. To be honest, I accidentally have not tested this (firewall talked directly to the internet :-/ ), sorry.

Thanks, and best regards,
Peter Müller

Acked-by: Stefan Schantl

diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index deb287bb7..5530da11e 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
@@ -174,28 +174,18 @@ sub downloadruleset { # Check if an upstream proxy is configured. if ($proxysettings{'UPSTREAM_PROXY'}) { - my ($peer, $peerport) = (/^(?:[a-zA-Z ]+\:\/\/)?(?:[A-Za-z0-9\_\.\-]*?(?:\:[A-Za-z0-9\_\.\-]*?)?\@)?([a-zA-Z0-9\.\_\-]*?)(?:\:([0-9]{1,5}))?(?:\/.*?)?$/); my $proxy_url; - # Check if we got a peer. - if ($peer) { - $proxy_url = "http://"; + $proxy_url = "http://"; - # Check if the proxy requires authentication. - if (($proxysettings{'UPSTREAM_USER'}) && ($proxysettings{'UPSTREAM_PASSWORD'})) { - $proxy_url .= "$proxysettings{'UPSTREAM_USER'}\:$proxysettings{'UPSTREAM_PASSWORD'}\@"; - } - - # Add proxy server address and port. - $proxy_url .= "$peer\:$peerport"; - } else { - # Log error message and break. - &_log_to_syslog("Could not proper configure the proxy server access."); - - # Return "1" - false. - return 1; + # Check if the proxy requires authentication. + if (($proxysettings{'UPSTREAM_USER'}) && ($proxysettings{'UPSTREAM_PASSWORD'})) { + $proxy_url .= "$proxysettings{'UPSTREAM_USER'}\:$proxysettings{'UPSTREAM_PASSWORD'}\@"; } + # Add proxy server address and port. + $proxy_url .= $proxysettings{'UPSTREAM_PROXY'}; + # Setup proxy settings. $downloader->proxy(['http', 'https'], $proxy_url); }
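
Review bot: The added line $proxy_url .= $proxysettings{'UPSTREAM_PROXY'}; appends the configured value with no check at all, so a setting that already carries a scheme, userinfo or a path produces a malformed URL (for example one starting with http://http://), and the _log_to_syslog / return 1 error path is gone, so a bad setting is no longer reported. The removed match has no =~ binding, which means it ran against $_ rather than against $proxysettings{'UPSTREAM_PROXY'}; that would leave $peer empty on every call and explains the failure behind a proxy. I would suggest binding the regex to the setting and keeping the error branch instead of dropping the validation, with a fallback for an absent port since $peerport is optional in the pattern. Separately, UPSTREAM_USER and UPSTREAM_PASSWORD are interpolated into the URL without percent-encoding, so a ':', '@' or '/' in either one breaks the authority part of $proxy_url.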