> It's not currently possible to block such requests in Squid because
> the funny characters are a part of the "login" component of the
> URL. Squid doesn't have any ACLs that use or care about the login
> data. It should be pretty easy to come up with a patch that does.
The attached patch adds a new ACL type: urllogin
With it you could write some rules to deny any HTTP request that contains
any login credentials:
acl UrlHasLogin urllogin .
http_access deny UrlHasLogin
or you can deny a request where the login data contains
a non-alphanumeric character:
acl SketchyLogin urllogin [^a-zA-Z0-9]
http_access deny SketchyLogin
Duane W.
Index: src/acl.c
===================================================================
RCS file: /server/cvs-server/squid/squid/src/acl.c,v
retrieving revision 1.270.2.18
diff -u -3 -p -r1.270.2.18 acl.c
--- src/acl.c 29 Nov 2003 08:59:23 -0000 1.270.2.18
+++ src/acl.c 18 Dec 2003 21:54:43 -0000
@@ -178,6 +178,8 @@ aclStrToType(const char *s)
return ACL_MAX_USER_IP;
if (!strcmp(s, "external"))
return ACL_EXTERNAL;
+ if (!strcmp(s, "urllogin"))
+ return ACL_URLLOGIN;
return ACL_NONE;
}
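Review bot: The new `urllogin` keyword accepted in aclStrToType is not documented anywhere in this patch, and unlike `url_regex` or `urlpath_regex` its name does not say that the argument is a regular expression. The acl section of the configuration reference should get an entry stating that the value is a regex list matched against the login part of the request URL after URL-unescaping. A one-line comment above the new test would also help, for example `/* regex match on the login (userinfo) part of the request URL */`.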
@@ -252,6 +254,8 @@ aclTypeToStr(squid_acl type)
return "max_user_ip";
if (type == ACL_EXTERNAL)
return "external";
+ if (type == ACL_URLLOGIN)
+ return "urllogin";
return "ERROR";
}
@@ -737,6 +741,7 @@ aclParseAclLine(acl ** head)
aclParseTimeSpec(&A->data);
break;
case ACL_URL_REGEX:
+ case ACL_URLLOGIN:
case ACL_URLPATH_REGEX:
case ACL_BROWSER:
case ACL_REFERER_REGEX:
@@ -1464,6 +1469,7 @@ aclMatchAcl(acl * ae, aclCheck_t * check
case ACL_URLPATH_REGEX:
case ACL_URL_PORT:
case ACL_URL_REGEX:
+ case ACL_URLLOGIN:
/* These ACL types require checklist->request */
if (NULL == r) {
debug(28, 1) ("WARNING: '%s' ACL is used but there is no"
@@ -1567,6 +1573,12 @@ aclMatchAcl(acl * ae, aclCheck_t * check
k = aclMatchRegex(ae->data, esc_buf);
safe_free(esc_buf);
return k;
+ case ACL_URLLOGIN:
+ esc_buf = xstrdup(r->login);
+ rfc1738_unescape(esc_buf);
+ k = aclMatchRegex(ae->data, esc_buf);
+ safe_free(esc_buf);
+ return k;
/* NOTREACHED */
case ACL_MAXCONN:
k = clientdbEstablished(checklist->src_addr, 0);
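Review bot: In the new `ACL_URLLOGIN` case the regex only sees the login up to the first NUL byte left by `rfc1738_unescape(esc_buf)`. The helper's body is not visible here, so this needs confirming, but if it decodes `%00` to a literal NUL, every character after it goes untested and a rule such as `urllogin [^a-zA-Z0-9]` could pass a login it was meant to deny. Testing the still-encoded string first, `if (aclMatchRegex(ae->data, r->login)) return 1;`, before the unescaped copy would close that gap, since the `%` of any escape then counts as a match for that rule. The case also repeats the unescape/match/free sequence of the branch just above, and the `/* NOTREACHED */` comment now trails the new case instead. aclMatchAcl starts and ends outside the hunk.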
@@ -2114,6 +2126,7 @@ aclDestroyAcls(acl ** head)
#endif
case ACL_PROXY_AUTH_REGEX:
case ACL_URL_REGEX:
+ case ACL_URLLOGIN:
case ACL_URLPATH_REGEX:
case ACL_BROWSER:
case ACL_REFERER_REGEX:
@@ -2529,6 +2542,7 @@ aclDumpGeneric(const acl * a)
return aclDumpTimeSpecList(a->data);
case ACL_PROXY_AUTH_REGEX:
case ACL_URL_REGEX:
+ case ACL_URLLOGIN:
case ACL_URLPATH_REGEX:
case ACL_BROWSER:
case ACL_REFERER_REGEX:
Index: src/enums.h
===================================================================
RCS file: /server/cvs-server/squid/squid/src/enums.h,v
retrieving revision 1.203.2.8
diff -u -3 -p -r1.203.2.8 enums.h
--- src/enums.h 21 Jan 2003 00:06:39 -0000 1.203.2.8
+++ src/enums.h 18 Dec 2003 21:51:57 -0000
@@ -136,6 +136,7 @@ typedef enum {
ACL_REP_MIME_TYPE,
ACL_MAX_USER_IP,
ACL_EXTERNAL,
+ ACL_URLLOGIN,
ACL_ENUM_MAX
} squid_acl;