Hi,
recently I found an error in Arjan de Vet's external authenticator patch. It
allows a user to authenticate with "<username> <password>" instead of a
single-word username. The effect is that squid writes two (space-separated)
words instead of a single one in the log file - a bad thing if you rely on the
number of fields while processing this log file.
I wrote a simple patch that
- makes ncsa_auth accept at most two words
- has squid check the user name against a set of predefined words
-------------- x ---------------------- x ---------------------- x
---------------
diff -rPc squid-1.1.22.patched/src/client_side.c
squid-1.1.22.ready/src/client_side.c
*** squid-1.1.22.patched/src/client_side.c Mon Aug 24 13:47:24 1998
--- squid-1.1.22.ready/src/client_side.c Mon Aug 24 12:59:46 1998
***************
*** 172,184 ****
xstrncpy(sent_user, clear_userandpw, ICP_IDENT_SZ);
xfree(clear_userandpw);
if ((s = strstr(sent_user, ":")) != NULL) {
*s = '\0'; s++;
xstrncpy(icpState->ident.ident, sent_user, ICP_IDENT_SZ);
/* we need this in authenticate.c */
xstrncpy(icpState->ident.passwd, s, ICP_IDENT_SZ);
proxy_auth_hdr = 1;
} else {
/* invalid Basic proxy authorization */
s = mime_get_header(icpState->request_hdr,
"Proxy-authorization:");
debug(33, 0, "clientAccessCheck: invalid proxy authorization
header: %s\n",
--- 172,200 ----
xstrncpy(sent_user, clear_userandpw, ICP_IDENT_SZ);
xfree(clear_userandpw);
if ((s = strstr(sent_user, ":")) != NULL) {
+ /* BEGIN BLOCK: USER NAME PATCH Mon Aug 24 14:59:34 CEST
1998, <jordan@mjh.teddy-net.com> */
+ # define isValidPasswdChar(c) (isalnum (c) || strchr
("-_@./*~", (c)))
+ char *p ;
+ debug(33, 5, "clientAccessCheck: validating alphanum user
name: '%s'\n", sent_user);
+ /* there must be no space character in the user name ! */
+ for (p = sent_user; *p != 0 && p != s && isValidPasswdChar
(*p); p ++)
+ ;
+ if (*p && *p != ':') {
+ s = mime_get_header(icpState->request_hdr,
+ "Proxy-authorization:");
+ debug(33, 0, "clientAccessCheck: proxy auth user name
contains non-alpha: %s\n",
+ sent_user);
+ xstrncpy(icpState->aclChecklist->auth.basic, "-:-",
ICP_IDENT_SZ);
+ } else {
+ /* END BLOCK: USER NAME PATCH Mon Aug 24 14:59:34 CEST 1998,
<jordan@mjh.teddy-net.com> */
*s = '\0'; s++;
xstrncpy(icpState->ident.ident, sent_user, ICP_IDENT_SZ);
/* we need this in authenticate.c */
xstrncpy(icpState->ident.passwd, s, ICP_IDENT_SZ);
proxy_auth_hdr = 1;
+ } /* LINE: USER NAME PATCH Mon Aug 24 14:59:34 CEST 1998,
<jordan@mjh.teddy-net.com> */
} else {
/* invalid Basic proxy authorization */
s = mime_get_header(icpState->request_hdr,
"Proxy-authorization:");
debug(33, 0, "clientAccessCheck: invalid proxy authorization
header: %s\n",
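Review bot: The debug() call in the new rejection branch prints `sent_user` while it still holds the whole decoded `user:password` string — the `*s = '\0'` split only happens in the else branch below — so a rejected user name writes the cleartext password into cache.log at debug level 0. Print only the name portion, e.g. `debug(33, 0, "clientAccessCheck: proxy auth user name contains non-alpha: %.*s\n", (int)(s - sent_user), sent_user);`. The `s = mime_get_header(...)` assignment just above that call appears unused in this branch, since the message prints sent_user rather than s. Separately, `isalnum(*p)` inside isValidPasswdChar receives a plain `char`; where char is signed, a high-bit byte from the header gives the ctype function a negative value, which is undefined behaviour, so write `isalnum((unsigned char)(c))`. The enclosing function clientAccessCheck starts and ends outside the hunk.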
diff -rPc squid-1.1.22.patched/src/ncsa_auth.c
squid-1.1.22.ready/src/ncsa_auth.c
*** squid-1.1.22.patched/src/ncsa_auth.c Mon Aug 24 13:47:24 1998
--- squid-1.1.22.ready/src/ncsa_auth.c Mon Aug 24 11:19:14 1998
***************
*** 82,88 ****
{
char buf[256];
time_t now = 0;
! char *user, *passwd;
hash_link *hashr;
if (argc != 2) {
--- 82,88 ----
{
char buf[256];
time_t now = 0;
! char *user, *passwd, *trash;
hash_link *hashr;
if (argc != 2) {
***************
*** 100,107 ****
}
user = strtok(buf, " ");
passwd = strtok(NULL, " \n");
hashr = hash_lookup(hash, user);
if (hashr &&
strcmp(hashr->item, (char *) crypt(passwd, hashr->item)) == 0) {
printf("OK\n");
} else {
--- 100,109 ----
}
user = strtok(buf, " ");
passwd = strtok(NULL, " \n");
+ trash = strtok(NULL, " \n");
hashr = hash_lookup(hash, user);
if (hashr &&
+ trash == 0 &&
strcmp(hashr->item, (char *) crypt(passwd, hashr->item)) == 0) {
printf("OK\n");
} else {
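Review bot: The new `trash == 0` term rejects a third token, but the condition still reaches `crypt(passwd, hashr->item)` with `passwd == NULL` when the input line holds only a user name, because the second strtok() then returns NULL; add the check next to the new term, i.e. `if (hashr && passwd != NULL && trash == 0 &&`. Whether the read loop above the hunk already filters such lines is not visible here. A short comment on the added strtok line would help the next reader, e.g. `/* a third token means the user name or password carried a space: reject */`, and `trash == NULL` reads more clearly than `trash == 0` for a pointer. The enclosing function begins and ends outside this hunk.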
------------ x ---------------------- x ---------------------- x
---------------
Jordan Hrycaj