squid-cache
diff --git a/‎squid-dev/2026-April.txt‎
Lines changed: 125 additions & 0 deletions b/‎squid-dev/2026-April.txt‎
Lines changed: 125 additions & 0 deletions
diff --git a/‎squid-dev/2026-April/010018.html‎
Lines changed: 4 additions & 3 deletions b/‎squid-dev/2026-April/010018.html‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎squid-dev/2026-April/010020.html‎
Lines changed: 1 addition & 0 deletions b/‎squid-dev/2026-April/010020.html‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎squid-dev/2026-April/010021.html‎
Lines changed: 4 additions & 3 deletions b/‎squid-dev/2026-April/010021.html‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎squid-dev/2026-April/010022.html‎
Lines changed: 175 additions & 0 deletions b/‎squid-dev/2026-April/010022.html‎
Lines changed: 175 additions & 0 deletions
@@ -1496,3 +1496,128 @@ Alex.
 > https://lists.squid-cache.org/listinfo/squid-dev
 
 
+From rousskov at measurement-factory.com  Mon Apr 20 18:59:14 2026
+From: rousskov at measurement-factory.com (Alex Rousskov)
+Date: Mon, 20 Apr 2026 14:59:14 -0400
+Subject: [squid-dev] Issue with acl note (without -m) splitting helper
+ tokens containing commas
+In-Reply-To: <CADJd0Y1M=Z9VY6spPMcR1SoFgrfDKuWdbWM=6=A=CEoS+oi+Og@mail.gmail.com>
+References: <CADJd0Y1M=Z9VY6spPMcR1SoFgrfDKuWdbWM=6=A=CEoS+oi+Og@mail.gmail.com>
+Message-ID: <10e9ebca-6fa4-48a9-9082-1c03eb97a792@measurement-factory.com>
+
+On 2026-04-17 09:08, Andrey K wrote:
+
+> While working with annotations, I?ve noticed an inconsistency in how acl 
+> note (without the -m option) handles tokens received from helpers when 
+> they contain a comma.
+
+I think it is important to note that there are several distinct players 
+here, including:
+
+1. What annotations the helper sends to Squid.
+
+2. How helper response parser converts received helper response into
+    transaction annotations.
+
+3. How the "note" ACL code interprets transaction annotations.
+    These annotations may come from sources other than a helper.
+
+
+> According to the documentation, an ACL like this:
+>  ? ? acl staff note group Staff:accountants,lawyers,security
+> should match a helper response such as:
+>  ? ? group="Staff:accountants,lawyers,security"
+
+The above implies that helper response parser should not split group=X 
+response fields (using comma as a delimiter). Do we document that 
+anywhere? Did our helper response parser ever split such fields in the past?
+
+BTW, 2015 commit 76ee67ac used a very similar example. AFAICT by looking 
+at that code, we did not apply value delimiters by default back then 
+(i.e. when ACL_F_SUBSTRING a.k.a. "-m" flag was not set). The bug was 
+introduced in 2017 commit 4eac3407 that replaced a possibly-nil 
+`flags.delimiters()` with a never-nil `&delimiters.value`.
+
+The following comment suggests that we missed the fact that using the 
+[default-initialized] value "without checking whether the option is 
+enabled()" is a bug -- the corresponding "trick" never fully worked:
+
+```C++
+// TODO: Some callers use .value without checking whether the option is
+// enabled(), accessing the (default-initialized or customized) default
+// value that way. This trick will stop working if we add valued options
+// that can be disabled (e.g., --with-foo=x --without-foo).
+```
+
+
+> However, this is not the case. The helper's response is split into 
+> tokens using a comma as the default delimiter. As a result, only ACLs 
+> like the following will match:
+>  ? ? acl staff note group lawyers
+> 
+> This behavior occurs because in Acl::NoteCheck::matchNotes(), a comma is 
+> passed as the default delimiter to the expandListEntries() function
+
+Agreed.
+
+
+> I would like to propose two changes:
+> 1. Removing the default comma delimiter.
+
+... and check enabled() before using the stored value, fixing the bug 
+introduced in 2017 commit 4eac3407.
+
+
+> I am prepared to submit a simple PR to exclude this comma to fix the 
+> incorrect matching of strings containing commas.
+> However, I realize this might be a breaking change for users who 
+> currently rely on this implicit splitting behavior.
+
+Yes. We should disclose the bug fix in Squid release notes.
+
+We can also add code to warn admins (via a cache.log WARNING message) 
+when a "note" ACL configured without "-m" looks at an annotation value 
+containing a comma, but that requires more work.
+
+
+> 2. Supporting custom delimiters in helper responses.
+> I also propose a PR to support a format where tag values can be passed 
+> as a list with a custom delimiter:
+>  ? ? <key>=<delimiter>"<value1><delimiter><value2>..."
+> For example:
+>  ? ? group=,"group1,group2,group3"
+>  ? ? clt_con_tag=;"tag1;tag2;tag3"
+> In this PR, the helper response would be tokenized based on the 
+> specified custom delimiter, while still supporting delimiter escaping 
+> with a backslash (\).
+
+I do not think this hack will work well as is, without syntax 
+modifications because Squid already uses double quotes specially in this 
+context. Overloading quotation meaning would be confusing/wrong.
+
+Overall, I am not excited about this hack, but let's start with these 
+questions about its scope:
+
+* Can the same effect be achieved today by sending a helper response 
+containing multiple same-name annotations? For example:
+
+     group=group1 group=group2 group=group3
+
+* If the "note" ACL bug is fixed, do we still need to allow helper to 
+use custom value delimiters?
+
+* What would Squid do today if it receives a `group=,"a,b"` annotation 
+from a helper? AFAICT from looking at 
+Helper::Reply::parseResponseKeys(), Squid would silently treat the 
+leading comma delimiter as the first character of the received 
+annotation value and keep double quotes, right?
+
+* Squid does not treat backslashes in annotation values specially today, 
+does it? If present, they become part of the annotation key or value, right?
+
+
+
+HTH,
+
+Alex.
+
@@ -12,7 +12,7 @@
            }
    </style>
    <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
-   <LINK REL="Previous"  HREF="010021.html">
+   <LINK REL="Previous"  HREF="010022.html">
    <LINK REL="Next"  HREF="010020.html">
  </HEAD>
  <BODY BGCOLOR="#ffffff">
@@ -23,7 +23,7 @@ <H1>[squid-dev] NO_SPECIAL_HANDLING define for HTTP methods</H1>
        </A><BR>
     <I>Sun Apr 19 21:35:02 UTC 2026</I>
     <P><UL>
-        <LI>Previous message (by thread): <A HREF="010021.html">[squid-dev] Issue with acl note (without -m) splitting helper tokens containing commas
+        <LI>Previous message (by thread): <A HREF="010022.html">[squid-dev] Issue with acl note (without -m) splitting helper tokens containing commas
 </A></li>
         <LI>Next message (by thread): <A HREF="010020.html">[squid-dev] NO_SPECIAL_HANDLING define for HTTP methods
 </A></li>
@@ -49,11 +49,12 @@ <H1>[squid-dev] NO_SPECIAL_HANDLING define for HTTP methods</H1>
 
 
 
+
 <!--endarticle-->
     <HR>
     <P><UL>
         <!--threads-->
-	<LI>Previous message (by thread): <A HREF="010021.html">[squid-dev] Issue with acl note (without -m) splitting helper tokens containing commas
+	<LI>Previous message (by thread): <A HREF="010022.html">[squid-dev] Issue with acl note (without -m) splitting helper tokens containing commas
 </A></li>
 	<LI>Next message (by thread): <A HREF="010020.html">[squid-dev] NO_SPECIAL_HANDLING define for HTTP methods
 </A></li>
 
@@ -54,6 +54,7 @@ <H1>[squid-dev] NO_SPECIAL_HANDLING define for HTTP methods</H1>
 </PRE>
 
 
+
 <!--endarticle-->
     <HR>
     <P><UL>
 
@@ -13,7 +13,7 @@
    </style>
    <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
    <LINK REL="Previous"  HREF="010019.html">
-   <LINK REL="Next"  HREF="010018.html">
+   <LINK REL="Next"  HREF="010022.html">
  </HEAD>
  <BODY BGCOLOR="#ffffff">
    <H1>[squid-dev] Issue with acl note (without -m) splitting helper tokens containing commas</H1>
@@ -25,7 +25,7 @@ <H1>[squid-dev] Issue with acl note (without -m) splitting helper tokens contain
     <P><UL>
         <LI>Previous message (by thread): <A HREF="010019.html">[squid-dev] Issue with acl note (without -m) splitting helper tokens containing commas
 </A></li>
-        <LI>Next message (by thread): <A HREF="010018.html">[squid-dev] NO_SPECIAL_HANDLING define for HTTP methods
+        <LI>Next message (by thread): <A HREF="010022.html">[squid-dev] Issue with acl note (without -m) splitting helper tokens containing commas
 </A></li>
          <LI> <B>Messages sorted by:</B> 
               <a href="date.html#10021">[ date ]</a>
@@ -140,13 +140,14 @@ <H1>[squid-dev] Issue with acl note (without -m) splitting helper tokens contain
 </I>
 </PRE>
 
+
 <!--endarticle-->
     <HR>
     <P><UL>
         <!--threads-->
 	<LI>Previous message (by thread): <A HREF="010019.html">[squid-dev] Issue with acl note (without -m) splitting helper tokens containing commas
 </A></li>
-	<LI>Next message (by thread): <A HREF="010018.html">[squid-dev] NO_SPECIAL_HANDLING define for HTTP methods
+	<LI>Next message (by thread): <A HREF="010022.html">[squid-dev] Issue with acl note (without -m) splitting helper tokens containing commas
 </A></li>
          <LI> <B>Messages sorted by:</B> 
               <a href="date.html#10021">[ date ]</a>
 
@@ -0,0 +1,175 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML>
+ <HEAD>
+   <TITLE> [squid-dev] Issue with acl note (without -m) splitting helper tokens containing commas
+   </TITLE>
+   <LINK REL="Index" HREF="index.html" >
+   <LINK REL="made" HREF="mailto:squid-dev%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-dev%5D%20Issue%20with%20acl%20note%20%28without%20-m%29%20splitting%20helper%0A%20tokens%20containing%20commas&In-Reply-To=%3C10e9ebca-6fa4-48a9-9082-1c03eb97a792%40measurement-factory.com%3E">
+   <META NAME="robots" CONTENT="index,nofollow">
+   <style type="text/css">
+       pre {
+           white-space: pre-wrap;       /* css-2.1, curent FF, Opera, Safari */
+           }
+   </style>
+   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+   <LINK REL="Previous"  HREF="010021.html">
+   <LINK REL="Next"  HREF="010018.html">
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+   <H1>[squid-dev] Issue with acl note (without -m) splitting helper tokens containing commas</H1>
+    <B>Alex Rousskov</B> 
+    <A HREF="mailto:squid-dev%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-dev%5D%20Issue%20with%20acl%20note%20%28without%20-m%29%20splitting%20helper%0A%20tokens%20containing%20commas&In-Reply-To=%3C10e9ebca-6fa4-48a9-9082-1c03eb97a792%40measurement-factory.com%3E"
+       TITLE="[squid-dev] Issue with acl note (without -m) splitting helper tokens containing commas">rousskov at measurement-factory.com
+       </A><BR>
+    <I>Mon Apr 20 18:59:14 UTC 2026</I>
+    <P><UL>
+        <LI>Previous message (by thread): <A HREF="010021.html">[squid-dev] Issue with acl note (without -m) splitting helper tokens containing commas
+</A></li>
+        <LI>Next message (by thread): <A HREF="010018.html">[squid-dev] NO_SPECIAL_HANDLING define for HTTP methods
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#10022">[ date ]</a>
+              <a href="thread.html#10022">[ thread ]</a>
+              <a href="subject.html#10022">[ subject ]</a>
+              <a href="author.html#10022">[ author ]</a>
+         </LI>
+       </UL>
+    <HR>  
+<!--beginarticle-->
+<PRE>On 2026-04-17 09:08, Andrey K wrote:
+
+&gt;<i> While working with annotations, I&#8217;ve noticed an inconsistency in how acl 
+</I>&gt;<i> note (without the -m option) handles tokens received from helpers when 
+</I>&gt;<i> they contain a comma.
+</I>
+I think it is important to note that there are several distinct players 
+here, including:
+
+1. What annotations the helper sends to Squid.
+
+2. How helper response parser converts received helper response into
+    transaction annotations.
+
+3. How the &quot;note&quot; ACL code interprets transaction annotations.
+    These annotations may come from sources other than a helper.
+
+
+&gt;<i> According to the documentation, an ACL like this:
+</I>&gt;<i>  &#160; &#160; acl staff note group Staff:accountants,lawyers,security
+</I>&gt;<i> should match a helper response such as:
+</I>&gt;<i>  &#160; &#160; group=&quot;Staff:accountants,lawyers,security&quot;
+</I>
+The above implies that helper response parser should not split group=X 
+response fields (using comma as a delimiter). Do we document that 
+anywhere? Did our helper response parser ever split such fields in the past?
+
+BTW, 2015 commit 76ee67ac used a very similar example. AFAICT by looking 
+at that code, we did not apply value delimiters by default back then 
+(i.e. when ACL_F_SUBSTRING a.k.a. &quot;-m&quot; flag was not set). The bug was 
+introduced in 2017 commit 4eac3407 that replaced a possibly-nil 
+`flags.delimiters()` with a never-nil `&amp;delimiters.value`.
+
+The following comment suggests that we missed the fact that using the 
+[default-initialized] value &quot;without checking whether the option is 
+enabled()&quot; is a bug -- the corresponding &quot;trick&quot; never fully worked:
+
+```C++
+// TODO: Some callers use .value without checking whether the option is
+// enabled(), accessing the (default-initialized or customized) default
+// value that way. This trick will stop working if we add valued options
+// that can be disabled (e.g., --with-foo=x --without-foo).
+```
+
+
+&gt;<i> However, this is not the case. The helper's response is split into 
+</I>&gt;<i> tokens using a comma as the default delimiter. As a result, only ACLs 
+</I>&gt;<i> like the following will match:
+</I>&gt;<i>  &#160; &#160; acl staff note group lawyers
+</I>&gt;<i> 
+</I>&gt;<i> This behavior occurs because in Acl::NoteCheck::matchNotes(), a comma is 
+</I>&gt;<i> passed as the default delimiter to the expandListEntries() function
+</I>
+Agreed.
+
+
+&gt;<i> I would like to propose two changes:
+</I>&gt;<i> 1. Removing the default comma delimiter.
+</I>
+... and check enabled() before using the stored value, fixing the bug 
+introduced in 2017 commit 4eac3407.
+
+
+&gt;<i> I am prepared to submit a simple PR to exclude this comma to fix the 
+</I>&gt;<i> incorrect matching of strings containing commas.
+</I>&gt;<i> However, I realize this might be a breaking change for users who 
+</I>&gt;<i> currently rely on this implicit splitting behavior.
+</I>
+Yes. We should disclose the bug fix in Squid release notes.
+
+We can also add code to warn admins (via a cache.log WARNING message) 
+when a &quot;note&quot; ACL configured without &quot;-m&quot; looks at an annotation value 
+containing a comma, but that requires more work.
+
+
+&gt;<i> 2. Supporting custom delimiters in helper responses.
+</I>&gt;<i> I also propose a PR to support a format where tag values can be passed 
+</I>&gt;<i> as a list with a custom delimiter:
+</I>&gt;<i>  &#160; &#160; &lt;key&gt;=&lt;delimiter&gt;&quot;&lt;value1&gt;&lt;delimiter&gt;&lt;value2&gt;...&quot;
+</I>&gt;<i> For example:
+</I>&gt;<i>  &#160; &#160; group=,&quot;group1,group2,group3&quot;
+</I>&gt;<i>  &#160; &#160; clt_con_tag=;&quot;tag1;tag2;tag3&quot;
+</I>&gt;<i> In this PR, the helper response would be tokenized based on the 
+</I>&gt;<i> specified custom delimiter, while still supporting delimiter escaping 
+</I>&gt;<i> with a backslash (\).
+</I>
+I do not think this hack will work well as is, without syntax 
+modifications because Squid already uses double quotes specially in this 
+context. Overloading quotation meaning would be confusing/wrong.
+
+Overall, I am not excited about this hack, but let's start with these 
+questions about its scope:
+
+* Can the same effect be achieved today by sending a helper response 
+containing multiple same-name annotations? For example:
+
+     group=group1 group=group2 group=group3
+
+* If the &quot;note&quot; ACL bug is fixed, do we still need to allow helper to 
+use custom value delimiters?
+
+* What would Squid do today if it receives a `group=,&quot;a,b&quot;` annotation 
+from a helper? AFAICT from looking at 
+Helper::Reply::parseResponseKeys(), Squid would silently treat the 
+leading comma delimiter as the first character of the received 
+annotation value and keep double quotes, right?
+
+* Squid does not treat backslashes in annotation values specially today, 
+does it? If present, they become part of the annotation key or value, right?
+
+
+
+HTH,
+
+Alex.
+</PRE>
+
+<!--endarticle-->
+    <HR>
+    <P><UL>
+        <!--threads-->
+	<LI>Previous message (by thread): <A HREF="010021.html">[squid-dev] Issue with acl note (without -m) splitting helper tokens containing commas
+</A></li>
+	<LI>Next message (by thread): <A HREF="010018.html">[squid-dev] NO_SPECIAL_HANDLING define for HTTP methods
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#10022">[ date ]</a>
+              <a href="thread.html#10022">[ thread ]</a>
+              <a href="subject.html#10022">[ subject ]</a>
+              <a href="author.html#10022">[ author ]</a>
+         </LI>
+       </UL>
+
+<hr>
+<a href="https://lists.squid-cache.org/listinfo/squid-dev">More information about the squid-dev
+mailing list</a><br>
+</body></html>
-Original file line number
+Diff line change
 </PRE>
++
 <!--endarticle-->
     <HR>
     <P><UL>