squid-cache · rousskov · Oct 25, 2024 · Oct 25, 2024 · Oct 29, 2024 · Oct 29, 2024
diff --git a/doc/Programming-Guide/03_MajorComponents.dox b/doc/Programming-Guide/03_MajorComponents.dox
@@ -329,13 +329,4 @@ TODO: get RFCs linked from ietf
 	we have made almost all of the cachemgr information available
 	via SNMP.
 
-\section URNSupport URN Support
-\par
-	We are experimenting with URN support in Squid version 1.2.
-	Note, we're not talking full-blown generic URN's here. This
-	is primarily targeted toward using URN's as an smart way
-	of handling lists of mirror sites.  For more details, please
-	see (http://squid.nlanr.net/Squid/urn-support.html) URN Support in Squid
-	.
-
  */
diff --git a/doc/debug-sections.txt b/doc/debug-sections.txt
@@ -98,7 +98,6 @@ section 49    SNMP Interface
 section 49    SNMP support
 section 50    Log file handling
 section 51    Filedescriptor Functions
-section 52    URN Parsing
 section 53    AS Number handling
 section 53    Radix Tree data structure implementation
 section 54    Interprocess Communication

diff --git a/doc/release-notes/release-7.sgml.in b/doc/release-notes/release-7.sgml.in
@@ -34,6 +34,7 @@ The Squid-@SQUID_RELEASE@ change history can be <url url="https://github.com/squ
 	<item>Removed purge tool
 	<item>Remove deprecated languages
 	<item>Remove Ident protocol support
+	<item>Remove URN protocol support
 </itemize>
 
 <p>Most user-facing changes are reflected in squid.conf (see further below).
@@ -123,6 +124,14 @@ in the position of what used to be a %ui record field.
 <p>If necessary, an external ACL helper can be written to perform Ident transactions
 and deliver the user identity to Squid through the **user=** annotation.
 
+<sect1>Removed URN protocol support
+
+<p>Squid URN resolution code has been neglected for a very long time and caused
+multiple security vulnerabilities. This feature was rarely used (if at all).
+
+<p>If necessary, a similar feature can be implemented externally, using
+url_rewrite_program helpers or adaptation services.
+
 <sect>Changes to squid.conf since Squid-@SQUID_RELEASE_OLD@
 <p>
 This section gives an account of those changes in three categories:

diff --git a/errors/template.am b/errors/template.am
@@ -48,6 +48,5 @@ ERROR_TEMPLATES = \
 	templates/ERR_TOO_BIG \
 	templates/ERR_UNSUP_HTTPVERSION \
 	templates/ERR_UNSUP_REQ \
-	templates/ERR_URN_RESOLVE \
 	templates/ERR_WRITE_ERROR \
 	templates/ERR_ZERO_SIZE_OBJECT
diff --git a/errors/templates/ERR_URN_RESOLVE b/errors/templates/ERR_URN_RESOLVE
diff --git a/src/FwdState.cc b/src/FwdState.cc
@@ -55,7 +55,6 @@
 #include "ssl/PeekingPeerConnector.h"
 #include "Store.h"
 #include "StoreClient.h"
-#include "urn.h"
 #if USE_OPENSSL
 #include "ssl/cert_validate_message.h"
 #include "ssl/Config.h"
@@ -388,19 +387,8 @@ FwdState::Start(const Comm::ConnectionPointer &clientConn, StoreEntry *entry, Ht
         return;
     }
 
-    switch (request->url.getScheme()) {
-
-    case AnyP::PROTO_URN:
-        urnStart(request, entry, al);
-        return;
-
-    default:
-        FwdState::Pointer fwd = new FwdState(clientConn, entry, request, al);
-        fwd->start(fwd);
-        return;
-    }
-
-    /* NOTREACHED */
+    FwdState::Pointer fwd = new FwdState(clientConn, entry, request, al);
+    fwd->start(fwd);
 }
 
 void
@@ -1272,10 +1260,6 @@ FwdState::dispatch()
                 Ftp::StartGateway(this);
             break;
 
-        case AnyP::PROTO_URN:
-            fatal_dump("Should never get here");
-            break;
-
         case AnyP::PROTO_WHOIS:
             whoisStart(this);
             break;

diff --git a/src/HttpRequest.cc b/src/HttpRequest.cc
@@ -812,7 +812,7 @@ HttpRequest::manager(const CbcPointer<ConnStateData> &aMgr, const AccessLogEntry
 char *
 HttpRequest::canonicalCleanUrl() const
 {
-    return urlCanonicalCleanWithoutRequest(effectiveRequestUri(), method, url.getScheme());
+    return urlCanonicalCleanWithoutRequest(effectiveRequestUri(), method);
 }
 
 /// a helper for handling PortCfg cases of FindListeningPortAddress()

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -455,8 +455,6 @@ squid_SOURCES = \
 	tunnel.cc \
 	tunnel.h \
 	typedefs.h \
-	urn.cc \
-	urn.h \
 	wccp.cc \
 	wccp.h \
 	wccp2.cc \
@@ -1944,8 +1942,6 @@ tests_testHttpRange_SOURCES = \
 	tools.h \
 	tests/stub_tunnel.cc \
 	tunnel.h \
-	urn.cc \
-	urn.h \
 	tests/stub_wccp2.cc \
 	wccp2.h \
 	wordlist.cc \
@@ -2331,8 +2327,6 @@ tests_testHttpRequest_SOURCES = \
 	tools.h \
 	tests/stub_tunnel.cc \
 	tunnel.h \
-	urn.cc \
-	urn.h \
 	tests/stub_wccp2.cc \
 	wccp2.h \
 	wordlist.cc \
@@ -2626,8 +2620,6 @@ tests_testCacheManager_SOURCES = \
 	tools.h \
 	tests/stub_tunnel.cc \
 	tunnel.h \
-	urn.cc \
-	urn.h \
 	tests/stub_wccp2.cc \
 	wccp2.h \
 	wordlist.cc \

diff --git a/src/adaptation/ecap/Host.cc b/src/adaptation/ecap/Host.cc
@@ -56,7 +56,6 @@ Adaptation::Ecap::Host::Host()
     libecap::protocolHttps.assignHostId(AnyP::PROTO_HTTPS);
     libecap::protocolFtp.assignHostId(AnyP::PROTO_FTP);
     libecap::protocolWais.assignHostId(AnyP::PROTO_WAIS);
-    libecap::protocolUrn.assignHostId(AnyP::PROTO_URN);
     libecap::protocolWhois.assignHostId(AnyP::PROTO_WHOIS);
     protocolIcp.assignHostId(AnyP::PROTO_ICP);
 #if USE_HTCP

diff --git a/src/adaptation/ecap/MessageRep.cc b/src/adaptation/ecap/MessageRep.cc
@@ -149,8 +149,6 @@ Adaptation::Ecap::FirstLineRep::protocol() const
         return libecap::protocolWais;
     case AnyP::PROTO_WHOIS:
         return libecap::protocolWhois;
-    case AnyP::PROTO_URN:
-        return libecap::protocolUrn;
     case AnyP::PROTO_ICP:
         return protocolIcp;
 #if USE_HTCP

diff --git a/src/anyp/ProtocolType.h b/src/anyp/ProtocolType.h
@@ -32,7 +32,6 @@ typedef enum {
 #if USE_HTCP
     PROTO_HTCP,
 #endif
-    PROTO_URN,
     PROTO_WHOIS,
     PROTO_ICY,
     PROTO_TLS,

diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
@@ -325,11 +325,6 @@ AnyP::Uri::parse(const HttpRequestMethod& method, const SBuf &rawUrl)
             if (scheme == AnyP::PROTO_NONE)
                 return false; // invalid scheme
 
-            if (scheme == AnyP::PROTO_URN) {
-                parseUrn(tok); // throws on any error
-                return true;
-            }
-
             // URLs then have "//"
             static const SBuf doubleSlash("//");
             if (!tok.skip(doubleSlash))
@@ -531,48 +526,6 @@ AnyP::Uri::parse(const HttpRequestMethod& method, const SBuf &rawUrl)
     }
 }
 
-/**
- * Governed by RFC 8141 section 2:
- *
- *  assigned-name = "urn" ":" NID ":" NSS
- *  NID           = (alphanum) 0*30(ldh) (alphanum)
- *  ldh           = alphanum / "-"
- *  NSS           = pchar *(pchar / "/")
- *
- * RFC 3986 Appendix D.2 defines (as deprecated):
- *
- *   alphanum     = ALPHA / DIGIT
- *
- * Notice that NID is exactly 2-32 characters in length.
- */
-void
-AnyP::Uri::parseUrn(Parser::Tokenizer &tok)
-{
-    static const auto nidChars = CharacterSet("NID","-") + CharacterSet::ALPHA + CharacterSet::DIGIT;
-    static const auto alphanum = (CharacterSet::ALPHA + CharacterSet::DIGIT).rename("alphanum");
-    SBuf nid;
-    if (!tok.prefix(nid, nidChars, 32))
-        throw TextException("NID not found", Here());
-
-    if (!tok.skip(':'))
-        throw TextException("NID too long or missing ':' delimiter", Here());
-
-    if (nid.length() < 2)
-        throw TextException("NID too short", Here());
-
-    if (!alphanum[*nid.begin()])
-        throw TextException("NID prefix is not alphanumeric", Here());
-
-    if (!alphanum[*nid.rbegin()])
-        throw TextException("NID suffix is not alphanumeric", Here());
-
-    setScheme(AnyP::PROTO_URN, nullptr);
-    host(nid.c_str());
-    // TODO validate path characters
-    path(tok.remaining());
-    debugs(23, 3, "Split URI into proto=urn, nid=" << nid << ", " << Raw("path",path().rawContent(),path().length()));
-}
-
 /// Extracts and returns a (suspected but only partially validated) uri-host
 /// IPv6address, IPv4address, or reg-name component. This function uses (and
 /// quotes) RFC 3986, Section 3.2.2 syntax rules.
@@ -695,23 +648,18 @@ AnyP::Uri::absolute() const
 
         absolute_.append(getScheme().image());
         absolute_.append(":",1);
-        if (getScheme() != AnyP::PROTO_URN) {
-            absolute_.append("//", 2);
-            const bool allowUserInfo = getScheme() == AnyP::PROTO_FTP ||
-                                       getScheme() == AnyP::PROTO_UNKNOWN;
-
-            if (allowUserInfo && !userInfo().isEmpty()) {
-                static const CharacterSet uiChars = CharacterSet(UserInfoChars())
-                                                    .remove('%')
-                                                    .rename("userinfo-reserved");
-                absolute_.append(Encode(userInfo(), uiChars));
-                absolute_.append("@", 1);
-            }
-            absolute_.append(authority());
-        } else {
-            absolute_.append(host());
-            absolute_.append(":", 1);
+        absolute_.append("//", 2);
+        const bool allowUserInfo = getScheme() == AnyP::PROTO_FTP ||
+                                   getScheme() == AnyP::PROTO_UNKNOWN;
+
+        if (allowUserInfo && !userInfo().isEmpty()) {
+            static const CharacterSet uiChars = CharacterSet(UserInfoChars())
+                                                .remove('%')
+                                                .rename("userinfo-reserved");
+            absolute_.append(Encode(userInfo(), uiChars));
+            absolute_.append("@", 1);
         }
+        absolute_.append(authority());
         absolute_.append(path()); // TODO: Encode each URI subcomponent in path_ as needed.
     }
 
@@ -723,15 +671,15 @@ AnyP::Uri::absolute() const
  *        and never copy the query-string part in the first place
  */
 char *
-urlCanonicalCleanWithoutRequest(const SBuf &url, const HttpRequestMethod &method, const AnyP::UriScheme &scheme)
+urlCanonicalCleanWithoutRequest(const SBuf &url, const HttpRequestMethod &method)
 {
     LOCAL_ARRAY(char, buf, MAX_URL);
 
     snprintf(buf, sizeof(buf), SQUIDSBUFPH, SQUIDSBUFPRINT(url));
     buf[sizeof(buf)-1] = '\0';
 
-    // URN, CONNECT method, and non-stripped URIs can go straight out
-    if (Config.onoff.strip_query_terms && !(method == Http::METHOD_CONNECT || scheme == AnyP::PROTO_URN)) {
+    // CONNECT method and non-stripped URIs can go straight out
+    if (Config.onoff.strip_query_terms && method != Http::METHOD_CONNECT) {
         // strip anything AFTER a question-mark
         // leaving the '?' in place
         if (auto t = strchr(buf, '?')) {
@@ -814,10 +762,6 @@ urlIsRelative(const char *url)
 void
 AnyP::Uri::addRelativePath(const char *relUrl)
 {
-    // URN cannot be merged
-    if (getScheme() == AnyP::PROTO_URN)
-        return;
-
     // TODO: Handle . and .. segment normalization
 
     const auto lastSlashPos = path_.rfind('/');
@@ -962,7 +906,6 @@ urlCheckRequest(const HttpRequest * r)
     /* does method match the protocol? */
     switch (r->url.getScheme()) {
 
-    case AnyP::PROTO_URN:
     case AnyP::PROTO_HTTP:
         return true;
 

diff --git a/src/anyp/Uri.h b/src/anyp/Uri.h
@@ -23,7 +23,6 @@ namespace AnyP
 
 /**
  * Represents a Uniform Resource Identifier.
- * Can store both URL or URN representations.
  *
  * Governed by RFC 3986
  */
@@ -138,8 +137,6 @@ class Uri
     SBuf &absolute() const;
 
 private:
-    void parseUrn(Parser::Tokenizer&);
-
     SBuf parseHost(Parser::Tokenizer &) const;
     int parsePort(Parser::Tokenizer &) const;
 
@@ -192,9 +189,7 @@ operator <<(std::ostream &os, const Uri &url)
         os << url.getScheme().image();
     os << ":";
 
-    // no authority section on URN
-    if (url.getScheme() != PROTO_URN)
-        os << "//" << url.authority();
+    os << "//" << url.authority();
 
     // path is what it is - including absent
     os << url.path();
@@ -211,7 +206,7 @@ void urlInitialize(void);
 /// call HttpRequest::canonicalCleanUrl() instead if you have HttpRequest
 /// \returns a pointer to a local static buffer containing request URI
 /// that honors strip_query_terms and %-encodes unsafe URI characters
-char *urlCanonicalCleanWithoutRequest(const SBuf &url, const HttpRequestMethod &, const AnyP::UriScheme &);
+char *urlCanonicalCleanWithoutRequest(const SBuf &url, const HttpRequestMethod &);
 const char *urlCanonicalFakeHttps(const HttpRequest * request);
 bool urlIsRelative(const char *);
 char *urlRInternal(const char *host, unsigned short port, const char *dir, const char *name);

diff --git a/src/anyp/UriScheme.h b/src/anyp/UriScheme.h
@@ -25,7 +25,7 @@ using KnownPort = uint16_t;
 /// validated/supported port number (if any)
 using Port = std::optional<KnownPort>;
 
-/** This class represents a URI Scheme such as http:// https://, wais://, urn: etc.
+/** This class represents a URI Scheme such as http:// https://, wais:// etc.
  * It does not represent the PROTOCOL that such schemes refer to.
  */
 class UriScheme

diff --git a/src/cf.data.pre b/src/cf.data.pre
@@ -1261,7 +1261,7 @@ ENDIF
 	  # destination TCP port (or port range) of the request [fast]
 	  #
 	  # Port 0 matches requests that have no explicit and no default destination
-	  # ports (e.g., HTTP requests with URN targets)
+	  # ports (e.g., HTTP requests with ICY, ICP, and HTCP targets).
 
 	acl aclname localport 3128 ...	      # TCP port the client connected to [fast]
 	                                      # NP: for interception mode this is usually '80'