> It's not currently possible to block such requests in Squid because
> the funny characters are a part of the "login" component of the
> URL.  Squid doesn't have any ACLs that use or care about the login
> data.  It should be pretty easy to come up with a patch that does.

The attached patch adds a new ACL type: urllogin

With it you could write some rules to deny any HTTP request that contains
any login credentials:

     acl UrlHasLogin urllogin .
     http_access deny UrlHasLogin

or you can deny a request where the login data contains
a non-alphanumeric character:

     acl SketchyLogin urllogin [^a-zA-Z0-9]
     http_access deny SketchyLogin

Duane W.
Index: src/acl.c
===================================================================
RCS file: /server/cvs-server/squid/squid/src/acl.c,v
retrieving revision 1.270.2.18
diff -u -3 -p -r1.270.2.18 acl.c
--- src/acl.c   29 Nov 2003 08:59:23 -0000      1.270.2.18
+++ src/acl.c   18 Dec 2003 21:54:43 -0000
@@ -178,6 +178,8 @@ aclStrToType(const char *s)
        return ACL_MAX_USER_IP;
     if (!strcmp(s, "external"))
        return ACL_EXTERNAL;
+    if (!strcmp(s, "urllogin"))
+       return ACL_URLLOGIN;
     return ACL_NONE;
 }
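Review bot: The new "urllogin" ACL type is accepted by the parser here but nothing in the patch documents it for administrators, so the only description of its semantics is the cover e-mail. The configuration reference that enumerates ACL types should gain an entry alongside the other regex ACLs, along the lines of `acl aclname urllogin [-i] regexp` with a sentence stating that the regexp is applied to the login (user:password) component of the request URL after percent-decoding, so readers know the same `-i` handling as the other regex ACLs applies. The same name mapping is repeated in the aclTypeToStr hunk below and needs no separate note.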
 
@@ -252,6 +254,8 @@ aclTypeToStr(squid_acl type)
        return "max_user_ip";
     if (type == ACL_EXTERNAL)
        return "external";
+    if (type == ACL_URLLOGIN)
+       return "urllogin";
     return "ERROR";
 }
 
@@ -737,6 +741,7 @@ aclParseAclLine(acl ** head)
        aclParseTimeSpec(&A->data);
        break;
     case ACL_URL_REGEX:
+    case ACL_URLLOGIN:
     case ACL_URLPATH_REGEX:
     case ACL_BROWSER:
     case ACL_REFERER_REGEX:
@@ -1464,6 +1469,7 @@ aclMatchAcl(acl * ae, aclCheck_t * check
     case ACL_URLPATH_REGEX:
     case ACL_URL_PORT:
     case ACL_URL_REGEX:
+    case ACL_URLLOGIN:
        /* These ACL types require checklist->request */
        if (NULL == r) {
            debug(28, 1) ("WARNING: '%s' ACL is used but there is no"
@@ -1567,6 +1573,12 @@ aclMatchAcl(acl * ae, aclCheck_t * check
        k = aclMatchRegex(ae->data, esc_buf);
        safe_free(esc_buf);
        return k;
+    case ACL_URLLOGIN:
+       esc_buf = xstrdup(r->login);
+       rfc1738_unescape(esc_buf);
+       k = aclMatchRegex(ae->data, esc_buf);
+       safe_free(esc_buf);
+       return k;
        /* NOTREACHED */
     case ACL_MAXCONN:
        k = clientdbEstablished(checklist->src_addr, 0);
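Review bot: The regex in the new ACL_URLLOGIN case is run only against the percent-decoded copy of r->login, which weakens exactly the check the cover e-mail advertises: `urllogin [^a-zA-Z0-9]` sees `%41` as `A` and does not fire, and because rfc1738_unescape writes decoded bytes in place, a `%00` in the login becomes a NUL that ends esc_buf early, so anything after it is never examined. This mirrors the existing ACL_URL_REGEX case immediately above, so it is consistent with the file, but the login component is where such encodings are most likely to turn up, so it is worth matching the raw login before the decoded one (or at least documenting that the match is on the decoded form). If r->login can be NULL rather than an embedded array on this branch, xstrdup would also need a guard; I cannot confirm its declaration from the hunk. The enclosing aclMatchAcl switch starts and ends outside this hunk.
```c
    case ACL_URLLOGIN:
       /* match the raw login first so percent-encoded sequences stay visible */
       k = aclMatchRegex(ae->data, r->login);
       if (k)
           return k;
       esc_buf = xstrdup(r->login);
       rfc1738_unescape(esc_buf);
       k = aclMatchRegex(ae->data, esc_buf);
       safe_free(esc_buf);
       return k;
       /* … unchanged: NOTREACHED comment, ACL_MAXCONN case … */
```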
@@ -2114,6 +2126,7 @@ aclDestroyAcls(acl ** head)
 #endif
        case ACL_PROXY_AUTH_REGEX:
        case ACL_URL_REGEX:
+       case ACL_URLLOGIN:
        case ACL_URLPATH_REGEX:
        case ACL_BROWSER:
        case ACL_REFERER_REGEX:
@@ -2529,6 +2542,7 @@ aclDumpGeneric(const acl * a)
        return aclDumpTimeSpecList(a->data);
     case ACL_PROXY_AUTH_REGEX:
     case ACL_URL_REGEX:
+    case ACL_URLLOGIN:
     case ACL_URLPATH_REGEX:
     case ACL_BROWSER:
     case ACL_REFERER_REGEX:
Index: src/enums.h
===================================================================
RCS file: /server/cvs-server/squid/squid/src/enums.h,v
retrieving revision 1.203.2.8
diff -u -3 -p -r1.203.2.8 enums.h
--- src/enums.h 21 Jan 2003 00:06:39 -0000      1.203.2.8
+++ src/enums.h 18 Dec 2003 21:51:57 -0000
@@ -136,6 +136,7 @@ typedef enum {
     ACL_REP_MIME_TYPE,
     ACL_MAX_USER_IP,
     ACL_EXTERNAL,
+    ACL_URLLOGIN,
     ACL_ENUM_MAX
 } squid_acl;
 
