Skip to content

Commit

Permalink
Use ERR_ACCESS_DENIED for HTTP 403 (Forbidden) errors (squid-cache#1899)
Browse files Browse the repository at this point in the history
... when request authentication fails. Do not use
ERR_CACHE_ACCESS_DENIED for those "permanent" errors.

Default ERR_CACHE_ACCESS_DENIED is meant for cases where the user is
likely to eventually gain access (e.g., by supplying credentials). Its
default text says "not currently allowed... until you have authenticated
yourself". When the error page was added in 1998 commit cb69b4c it was
only used for HTTP 407 errors. The same logic was preserved when that
code was refactored in 1999 commit 1cfdbcf, but exceptions started to
creep in, perhaps accidentally, since 2011 when HTTP 403 case was added
in commit 2f1431e that introduced USE_AUTH macro. 2011 commit 2151291
added a similar "not possible to authenticate" SslBump case.

Other HTTP 403 (Forbidden) cases already use ERR_ACCESS_DENIED or a
similar "permanent" error (e.g., ERR_FORWARDING_DENIED or ERR_TOO_BIG).

It is still possible to customize the returned error page via deny_info.
  • Loading branch information
rousskov authored and squid-anubis committed Sep 20, 2024
1 parent 84f5cdd commit fdc5bf7
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/client_side_request.cc
Original file line number Diff line number Diff line change
Expand Up @@ -758,7 +758,7 @@ ClientRequestContext::clientAccessCheckDone(const Acl::Answer &answer)
status = Http::scForbidden;
#endif
if (page_id == ERR_NONE)
page_id = ERR_CACHE_ACCESS_DENIED;
page_id = (status == Http::scForbidden) ? ERR_ACCESS_DENIED : ERR_CACHE_ACCESS_DENIED;
} else {
status = Http::scForbidden;

Expand Down

0 comments on commit fdc5bf7

Please sign in to comment.