
Bug 5154: Reject IPv6 address when IPv6 is disabled

Open FireBurn opened this issue 11 months ago • 20 comments

Address.cc:663 getAddrInfo() assertion failed: false

Commit fd9c47d added Ip::Address::fromHost(). That method relies on the old lookupHostIP() method for the final parsing steps. Unfortunately, lookupHostIP() could successfully return an IPv6 address despite disabled IPv6 support. Injecting an IPv6 address into IPv6-disabled Squid leads to an Ip::Address::getAddrInfo() assertion if Squid tries to open the connection to the corresponding destination.

This Ip::Address::lookupHostIP() adjustment eliminated that particular IPv6 injection path but broke two unit tests because those tests incorrectly expected Ip::Address and HttpRequest::FromUrl() APIs to successfully import IPv6 addresses even when IPv6 support was disabled.

While fixing those unit tests, we discovered that they never tested Squid with IPv6 support enabled! That bug was fixed by adding missing Ip::ProbeTransport() calls to those tests.

With these changes, Squid starts rejecting more non-CONNECT URLs containing IPv6 and IPv6-like addresses, including these two cases:

  • all bracketed addresses when IPv6 support is disabled;
  • bracket-less addresses with two colons that are not IPv6 addresses.

More rejections are expected in the foreseeable future as we tighten received request target validation.

Co-authored-by: Jeffrey Kintscher [email protected]

FireBurn, Jul 13 '23 16:07
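
The two rejection cases listed in the description above, sketched as an added C++ example; this is not Squid's code and does not come from the PR authors. `classifyHost()`, `HostVerdict` and the `ipv6Enabled` flag are hypothetical names, and the treatment of valid bracket-less literals is an assumption.

```cpp
// Added illustration, not Squid source. classifyHost() and HostVerdict are
// hypothetical names; ipv6Enabled stands in for a transport probe result.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <algorithm>
#include <cstdio>
#include <initializer_list>
#include <string>

enum class HostVerdict { Ipv6Ok, RejectIpv6Disabled, RejectNotIpv6, NotIpv6Like };

static bool isIpv6Literal(const std::string &s)
{
    in6_addr a6;
    return inet_pton(AF_INET6, s.c_str(), &a6) == 1;
}

// Classify a URL host (port already removed) at parse time, so an unusable
// IPv6 address is refused here instead of reaching connection setup.
HostVerdict classifyHost(const std::string &host, bool ipv6Enabled)
{
    if (!host.empty() && host.front() == '[') {
        // Case 1 in the list above: any bracketed host without IPv6 support.
        if (!ipv6Enabled)
            return HostVerdict::RejectIpv6Disabled;
        if (host.back() != ']' || !isIpv6Literal(host.substr(1, host.size() - 2)))
            return HostVerdict::RejectNotIpv6;
        return HostVerdict::Ipv6Ok;
    }
    // Case 2: bracket-less and IPv6-like. Assumption: "two colons" is read
    // as two or more, and a valid bracket-less literal is treated as IPv6.
    if (std::count(host.begin(), host.end(), ':') >= 2) {
        if (!isIpv6Literal(host))
            return HostVerdict::RejectNotIpv6;
        return ipv6Enabled ? HostVerdict::Ipv6Ok : HostVerdict::RejectIpv6Disabled;
    }
    return HostVerdict::NotIpv6Like; // hostname or IPv4: handled elsewhere
}

int main()
{
    // Constructed sample hosts.
    const char *samples[] = {"[::1]", "2001:db8::1", "a:b:c", "example.com"};
    for (const char *h : samples)
        for (bool v6 : {false, true})
            std::printf("%-12s ipv6=%d -> %d\n", h, v6, static_cast<int>(classifyHost(h, v6)));
    return 0;
}
```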