Hello Andrew,
What external authentication helper are you using? LDAP, SAMBA, or ... ???
The helper program needs to be upgraded to effectively respond with "ERR" to these types of requests.
Tim
-----------------------------------------------------------
Timothy E. Neto
Computer Systems Engineer
Komatsu Canada Limited       Ph#:    905-625-6292 x265
1725B Sismet Road            Fax:    905-625-6348
Mississauga, Canada          E-Mail: [EMAIL PROTECTED]
L4W 1P9
-----------------------------------------------------------
[EMAIL PROTECTED] wrote:
Hi,
Putting a whitespace prefix or suffix in the username at authentication time causes:
- ACLs based on username to be circumvented
- access.log analysis to be fooled.
This is because a "%20" is put in place of the whitespace: %20username or username%20
Is there a rule or option to reject all usernames containing a whitespace? Or should I put a special ACL to deny access to those users who put a whitespace by mistake? The best would be that Squid asks for a username/passwd until it is valid (good pair && no whitespace) so that the end-user doesn't get confused. I.e.: "my password is accepted, but I get a Forbidden Access page"
(I couldn't find anything in the archives or FAQ, maybe I didn't use the correct keywords? - %20, username, whitespace, space, or blank)
Thanks for your help,
Andrew.
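
An added example, not part of the original thread or of Squid's own code: a basic-auth helper wrapper that answers "ERR" whenever the decoded username contains whitespace, before any backend is consulted. It assumes Squid's non-concurrent basic helper protocol (one URL-escaped "username password" line per request, one "OK" or "ERR" line per reply); `sample_backend` and `SAMPLE_USERS` are hypothetical stand-ins for the real LDAP or SMB check.

```python
#!/usr/bin/env python3
"""Squid basic-auth helper wrapper: answer ERR for usernames containing whitespace."""
import sys
from urllib.parse import unquote

# Constructed sample credentials standing in for the real backend (LDAP, SMB, ...).
SAMPLE_USERS = {"andrew": "s3cret"}


def sample_backend(username, password):
    """Hypothetical verifier; replace with a call into the real directory."""
    return SAMPLE_USERS.get(username) == password


def has_whitespace(username):
    """True if the decoded username is empty or contains any whitespace character."""
    return username == "" or any(ch.isspace() for ch in username)


def check_line(line, backend=sample_backend):
    """Return 'OK' or 'ERR' for one 'username password' request line from Squid."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2:
        return "ERR"
    # Squid URL-escapes both fields, so a space typed by the user arrives as %20.
    username, password = unquote(parts[0]), unquote(parts[1])
    if has_whitespace(username):
        # Reject before the backend sees it, even if the backend would trim and accept.
        return "ERR"
    return "OK" if backend(username, password) else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()  # Squid waits for one reply per request line


if __name__ == "__main__":
    main()
```

Because the helper answers "ERR", the browser prompts again for credentials, so "username%20" never reaches the username ACLs or access.log as an authenticated name.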
