<!DOCTYPE html>
<html data-lt-installed="true">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body style="padding-bottom: 1px;">
<p>This is the patch file, tested successfully on squid 6.x and 7.x</p>
<p>--- src/acl/UserData.h.orig 2026-03-06 16:23:44.415748741
+0000<br>
+++ src/acl/UserData.h 2026-03-06 16:23:44.431748826 +0000<br>
@@ -34,11 +34,15 @@<br>
/* ACLData API */<br>
const Acl::Options &lineOptions() override;<br>
<br>
- typedef std::set<SBuf,bool(*)(const SBuf&, const
SBuf&)> UserDataNames_t;<br>
- UserDataNames_t userDataNames;<br>
+ typedef std::set<SBuf, bool(*)(const SBuf&, const
SBuf&)> UserDataNames_t;<br>
+<br>
+ /// names added while -i (case-insensitive) was off<br>
+ UserDataNames_t caseSensitiveNames;<br>
+<br>
+ /// names added while -i (case-insensitive) was on; stored
lowercased<br>
+ UserDataNames_t caseInsensitiveNames;<br>
<br>
struct {<br>
- bool case_insensitive;<br>
bool required;<br>
} flags;<br>
<br>
--- src/acl/UserData.cc.orig 2026-03-06 16:23:44.435748847
+0000<br>
+++ src/acl/UserData.cc 2026-03-06 16:23:44.459748972 +0000<br>
@@ -23,7 +23,7 @@<br>
bool<br>
ACLUserData::match(char const *user)<br>
{<br>
- debugs(28, 7, "user is " << user << ",
case_insensitive is " << flags.case_insensitive);<br>
+ debugs(28, 7, "user is " << user);<br>
<br>
if (user == nullptr || strcmp(user, "-") == 0)<br>
return 0;<br>
@@ -33,9 +33,26 @@<br>
return 1;<br>
}<br>
<br>
- bool result = (userDataNames.find(SBuf(user)) !=
userDataNames.end());<br>
- debugs(28, 7, "returning " << result);<br>
- return result;<br>
+ const SBuf userKey(user);<br>
+<br>
+ // check case-sensitive set first (exact match)<br>
+ if (caseSensitiveNames.find(userKey) !=
caseSensitiveNames.end()) {<br>
+ debugs(28, 7, "returning 1 (case-sensitive match)");<br>
+ return 1;<br>
+ }<br>
+<br>
+ // check case-insensitive set (lowercased lookup)<br>
+ if (!caseInsensitiveNames.empty()) {<br>
+ SBuf lowerUser(userKey);<br>
+ lowerUser.toLower();<br>
+ if (caseInsensitiveNames.find(lowerUser) !=
caseInsensitiveNames.end()) {<br>
+ debugs(28, 7, "returning 1 (case-insensitive
match)");<br>
+ return 1;<br>
+ }<br>
+ }<br>
+<br>
+ debugs(28, 7, "returning 0");<br>
+ return 0;<br>
}<br>
<br>
SBufList<br>
@@ -48,14 +65,18 @@<br>
return sl;<br>
}<br>
<br>
- if (flags.case_insensitive)<br>
- sl.push_back(SBuf("-i"));<br>
+ // dump case-sensitive names first (no flag needed)<br>
+ sl.insert(sl.end(), caseSensitiveNames.begin(),
caseSensitiveNames.end());<br>
<br>
- sl.insert(sl.end(), userDataNames.begin(),
userDataNames.end());<br>
+ // dump case-insensitive names with -i prefix<br>
+ if (!caseInsensitiveNames.empty()) {<br>
+ sl.push_back(SBuf("-i"));<br>
+ sl.insert(sl.end(), caseInsensitiveNames.begin(),
caseInsensitiveNames.end());<br>
+ }<br>
<br>
- debugs(28,5, "ACLUserData dump output: " <<<br>
- JoinContainerToSBuf(userDataNames.begin(),
userDataNames.end(),<br>
- SBuf(" ")));<br>
+ debugs(28, 5, "ACLUserData dump output: " <<<br>
+ caseSensitiveNames.size() << " case-sensitive, "
<<<br>
+ caseInsensitiveNames.size() << "
case-insensitive users");<br>
return sl;<br>
}<br>
<br>
@@ -72,9 +93,9 @@<br>
}<br>
<br>
ACLUserData::ACLUserData() :<br>
- userDataNames(CaseSensitiveSBufCompare)<br>
+ caseSensitiveNames(CaseSensitiveSBufCompare),<br>
+ caseInsensitiveNames(CaseInsensitveSBufCompare)<br>
{<br>
- flags.case_insensitive = false;<br>
flags.required = false;<br>
}<br>
<br>
@@ -91,63 +112,61 @@<br>
ACLUserData::parse()<br>
{<br>
debugs(28, 2, "parsing user list");<br>
- flags.case_insensitive = bool(CaseInsensitive_);<br>
+<br>
+ bool caseInsensitive = bool(CaseInsensitive_);<br>
<br>
char *t = nullptr;<br>
- if ((t = ConfigParser::strtokFile())) {<br>
+ while ((t = ConfigParser::strtokFile())) {<br>
SBuf s(t);<br>
- debugs(28, 5, "first token is " << s);<br>
-<br>
- if (s.cmp("-i",2) == 0) {<br>
- debugs(28, 5, "Going case-insensitive");<br>
- flags.case_insensitive = true;<br>
- // due to how the std::set API work, if we want to
change<br>
- // the comparison function we have to create a new
std::set<br>
- UserDataNames_t newUdn(CaseInsensitveSBufCompare);<br>
- newUdn.insert(userDataNames.begin(),
userDataNames.end());<br>
- swap(userDataNames,newUdn);<br>
- } else if (s.cmp("REQUIRED") == 0) {<br>
- debugs(28, 5, "REQUIRED-type enabled");<br>
- flags.required = true;<br>
- } else {<br>
- if (flags.case_insensitive)<br>
- s.toLower();<br>
+ debugs(28, 6, "Got token: " << s);<br>
<br>
- debugs(28, 6, "Adding user " << s);<br>
- userDataNames.insert(s);<br>
+ if (s.cmp("-i", 2) == 0) {<br>
+ debugs(28, DBG_IMPORTANT, "WARNING: ACL uses '-i' as
a token in the user list; " <<<br>
+ "use 'acl ... proxy_auth -i ...' line option
instead");<br>
+ continue;<br>
}<br>
- }<br>
-<br>
- debugs(28, 3, "Case-insensitive-switch is " <<
flags.case_insensitive);<br>
- /* we might inherit from a previous declaration */<br>
<br>
- debugs(28, 4, "parsing following tokens");<br>
+ if (s.cmp("+i", 2) == 0) {<br>
+ debugs(28, DBG_IMPORTANT, "WARNING: ACL uses '+i' as
a token in the user list; " <<<br>
+ "use 'acl ... proxy_auth +i ...' line option
instead");<br>
+ continue;<br>
+ }<br>
<br>
- while ((t = ConfigParser::strtokFile())) {<br>
- SBuf s(t);<br>
- debugs(28, 6, "Got token: " << s);<br>
+ if (s.cmp("REQUIRED") == 0) {<br>
+ debugs(28, 5, "REQUIRED-type enabled");<br>
+ flags.required = true;<br>
+ continue;<br>
+ }<br>
<br>
- if (flags.case_insensitive)<br>
+ if (caseInsensitive) {<br>
s.toLower();<br>
-<br>
- debugs(28, 6, "Adding user " << s);<br>
- userDataNames.insert(s);<br>
+ debugs(28, 6, "Adding user (case-insensitive) "
<< s);<br>
+ caseInsensitiveNames.insert(s);<br>
+ } else {<br>
+ debugs(28, 6, "Adding user (case-sensitive) "
<< s);<br>
+ caseSensitiveNames.insert(s);<br>
+ }<br>
}<br>
<br>
- if (flags.required && !userDataNames.empty()) {<br>
+ if (flags.required && (!caseSensitiveNames.empty() ||
!caseInsensitiveNames.empty())) {<br>
debugs(28, DBG_PARSE_NOTE(1), "WARNING: detected attempt
to add usernames to an acl of type REQUIRED");<br>
- userDataNames.clear();<br>
+ caseSensitiveNames.clear();<br>
+ caseInsensitiveNames.clear();<br>
}<br>
<br>
- debugs(28,4, "ACL contains " << userDataNames.size()
<< " users");<br>
+ debugs(28, 4, "ACL contains " <<
caseSensitiveNames.size() <<<br>
+ " case-sensitive and " <<
caseInsensitiveNames.size() <<<br>
+ " case-insensitive users");<br>
}<br>
<br>
bool<br>
ACLUserData::empty() const<br>
{<br>
- debugs(28,6,"required: " << flags.required << ",
number of users: " << userDataNames.size());<br>
+ debugs(28, 6, "required: " << flags.required <<<br>
+ ", case-sensitive users: " <<
caseSensitiveNames.size() <<<br>
+ ", case-insensitive users: " <<
caseInsensitiveNames.size());<br>
if (flags.required)<br>
return false;<br>
- return userDataNames.empty();<br>
+ return caseSensitiveNames.empty() &&
caseInsensitiveNames.empty();<br>
}<br>
<br>
</p>
<div class="moz-cite-prefix">On 2026-03-06 6:43 p.m., Alex Rousskov
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:c03f82ae-d41f-43e7-be0d-2a2143eb9367@measurement-factory.com">On
2026-03-06 12:32, Andre Bolinhas wrote:
<br>
<br>
<blockquote type="cite">I can't create the pull request, returns
the message "Pull request creation failed. Validation failed:
must be a collaborator"
<br>
</blockquote>
<br>
Googling suggests that you might be trying to modify the official
git repository directly. Instead, fork the official git
repository, make your changes in your forked repository, and then
submit a pull request to merge your changes into the official
repository. This process is typical for open source projects.
<br>
<br>
The following wiki page has related git hints:
<br>
<a class="moz-txt-link-freetext" href="https://wiki.squid-cache.org/DeveloperResources/GitHints">https://wiki.squid-cache.org/DeveloperResources/GitHints</a>
<br>
<br>
HTH,
<br>
<br>
Alex.
<br>
<br>
<br>
<blockquote type="cite">On 2026-03-05 2:40 p.m., Alex Rousskov
wrote:
<br>
<blockquote type="cite">On 2026-03-04 17:44, Andre Bolinhas
wrote:
<br>
<br>
<blockquote type="cite">The |proxy_auth -i| ACL
(case-insensitive user matching) is broken in Squid 6.x.
<br>
</blockquote>
<br>
Yes, there are several bugs/problems there. See a long comment
above Acl::Option class declaration for how things are
supposed to work.
<br>
<br>
If you can volunteer to work on a fix, please post a pull
request as discussed at
<a class="moz-txt-link-freetext" href="https://wiki.squid-cache.org/MergeProcedure#pull-request">https://wiki.squid-cache.org/MergeProcedure#pull-request</a>
<br>
<br>
In that pull request, instead of Option A and Option B, please
do this:
<br>
<br>
1. Split ACLUserData::userDataNames into two sets:
caseSensitiveNames and caseInsensitiveNames. Add tokens to the
right set, depending on the current CaseInsensitive_ value.
Search/print both sets as needed. Remove
flags.case_insensitive.
<br>
<br>
2. Ignore any '-i' and '+i' tokens in ACLUserData::parse(),
with a level-1 warning, instead of adding them to a set as if
they were user names.
<br>
<br>
3. Check other ACLs that use lineOptions() for similar bugs.
<br>
<br>
<br>
Thank you,
<br>
<br>
Alex.
<br>
P.S. I am sorry that our Bugzilla is still down, preventing
you from using it to report this bug. We can continue to
discuss this on GitHub.
<br>
<br>
</blockquote>
</blockquote>
<br>
</blockquote>
</body>
<lt-container></lt-container>
</html>