On Fri, 7 Jan 2005 [EMAIL PROTECTED] wrote:

> I am using squid_ldap_auth as shipped with squid 2.5stable5
> and also squid_ldap_group but that's off topic.

Hmm.. What LDAP server are you using, with what user filter to squid_ldap_auth?


Also try with a more current version. There were significant changes in related areas for the 2.5.STABLE6 release (bug #935). This doesn't explicitly deal with space characters, however.

A quick test with LDAP search tools reveals this is a bit problematic, as the LDAP server ignores the number of spaces in logins. Please try the attached patch.

Regards
Henrik
Index: helpers/basic_auth/LDAP/squid_ldap_auth.c
===================================================================
RCS file: /server/cvs-server/squid/squid/helpers/basic_auth/LDAP/squid_ldap_auth.c,v
retrieving revision 1.21.2.14
diff -u -p -r1.21.2.14 squid_ldap_auth.c
--- helpers/basic_auth/LDAP/squid_ldap_auth.c   10 Aug 2004 09:39:29 -0000      1.21.2.14
+++ helpers/basic_auth/LDAP/squid_ldap_auth.c   7 Jan 2005 20:18:40 -0000
@@ -30,6 +30,10 @@
  * or (at your option) any later version.
  *
  * Changes:
+ * 2005-01-07: Henrik Nordstrom <[EMAIL PROTECTED]>
+ *             - Added some sanity checks on login names to avoid
+ *             users bypassing equality checks by exploring the
+ *             overly helpful match capabilities of LDAP
  * 2004-07-17: Henrik Nordstrom <[EMAIL PROTECTED]>
  *             - Corrected non-persistent mode to only issue one
  *             ldap_bind per connection.
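Review bot: the changelog names the symptom but not the mechanism. One more line saying that the string matching rules the LDAP server applies to the login attribute ignore leading and trailing spaces and treat a run of internal spaces as one would tell the next reader why leading, trailing and doubled spaces are exactly the cases the new check refuses, and why an exact comparison on squid's side (ACLs keyed on the login name) cannot be trusted once the helper has answered OK for a differently spaced spelling. Also, `exploring` in `bypassing equality checks by exploring the overly helpful match capabilities` looks like a typo for `exploiting`.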
@@ -83,6 +87,7 @@
 #include <stdlib.h>
 #include <lber.h>
 #include <ldap.h>
+#include <ctype.h>
 
 #include "util.h"
 
@@ -261,6 +266,32 @@ open_ldap_connection(const char *ldapSer
     return ld;
 }
 
+/* Make a sanity check on the username to reject oddly typed names */
+static int
+validUsername(const char *user)
+{
+    const unsigned char *p = user;
+
+    /* Leading whitespace? */
+    if (isspace(p[0]))
+       return 0;
+    while(p[0] && p[1]) {
+       if (isspace(p[0])) {
+           /* More than one consequitive space? */
+           if (isspace(p[1]))
+               return 0;
+           /* or odd space type character used? */
+           if (p[0] != ' ')
+               return 0;
+       }
+       p++;
+    }
+    /* Trailing whitespace? */
+    if (isspace(p[0]))
+       return 0;
+    return 1;
+}
+
 int
 main(int argc, char **argv)
 {
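Review bot: `const unsigned char *p = user;` assigns a `const char *` to a `const unsigned char *` without a cast, which gcc reports as an incompatible pointer type; write `const unsigned char *p = (const unsigned char *) user;` (the conversion itself is the right thing, since handing a negative plain `char` to `isspace()` is undefined). The comment `More than one consequitive space?` should read `consecutive`. An empty string also passes the check: with `p[0] == 0` the loop is skipped and `isspace(0)` is false, so if an empty login can reach this point it would be worth adding `if (!*user) return 0;` at the top instead of leaving that to the LDAP filter. Otherwise the three cases (leading, trailing, and doubled or non-space-type whitespace) cover what the changelog describes.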
@@ -481,6 +512,10 @@ main(int argc, char **argv)
        }
        rfc1738_unescape(user);
        rfc1738_unescape(passwd);
+       if (!validUsername(user)) {
+           printf("ERR\n");
+           continue;
+       }
        tryagain = (ld != NULL);
       recover:
        if (ld == NULL && persistent)
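Review bot: the check is in the right place, after `rfc1738_unescape(user)`, so a login sent as `john%20%20smith` is judged on its decoded form, and it sits before `recover:` so a rejected name never costs a bind. One suggestion: the bare `ERR` is indistinguishable in the helper's output from a failed bind, which will puzzle an admin debugging a login that works everywhere else; a short message on stderr when a name is refused for its spacing would make the new rejection visible.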

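As an added example, not part of Henrik's patch or of squid itself: the C below models the problem the thread describes and what the patch changes. The "directory" is a constructed in-memory table, ldap_normalize() is a simplified stand-in for how an LDAP server's space-insensitive matching rule sees a login (only the space handling discussed above is modelled; case folding is left out), and validUsername() is the patch's check reproduced with the explicit pointer cast. helper_after() and acl_matches() are hypothetical names for the helper's verdict with the patch applied and for squid's exact-string comparison on the login name.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed directory entries, for this example only. */
struct entry { const char *uid; const char *password; };
static const struct entry directory[] = {
    { "john smith", "s3cret"  },
    { "henrik",     "hunter2" },
};

/* Model of a space-insensitive LDAP comparison (assumption: ASCII input):
 * leading and trailing whitespace is ignored, any internal run of
 * whitespace counts as a single space. Writes into out, returns out. */
static char *
ldap_normalize(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    int pending_space = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (isspace(c)) {
            if (n > 0)
                pending_space = 1;  /* leading run dropped, internal deferred */
            continue;
        }
        if (pending_space && n + 1 < outlen)
            out[n++] = ' ';
        pending_space = 0;
        if (n + 1 < outlen)
            out[n++] = (char)c;
    }
    out[n] = '\0';                  /* a trailing run is never emitted */
    return out;
}

/* Simulated simple bind: find the entry by normalised uid, check password. */
static int
ldap_bind_ok(const char *user, const char *passwd)
{
    char a[128], b[128];
    size_t i;
    ldap_normalize(user, a, sizeof a);
    for (i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (strcmp(ldap_normalize(directory[i].uid, b, sizeof b), a) == 0)
            return strcmp(directory[i].password, passwd) == 0;
    return 0;
}

/* The sanity check from the patch, with the explicit cast. */
static int
validUsername(const char *user)
{
    const unsigned char *p = (const unsigned char *)user;

    if (isspace(p[0]))              /* leading whitespace */
        return 0;
    while (p[0] && p[1]) {
        if (isspace(p[0])) {
            if (isspace(p[1]))      /* two consecutive spaces */
                return 0;
            if (p[0] != ' ')        /* tab, CR, LF ... */
                return 0;
        }
        p++;
    }
    if (isspace(p[0]))              /* trailing whitespace */
        return 0;
    return 1;
}

/* Squid side: an ACL on the login name compares the string exactly. */
static int
acl_matches(const char *acl_user, const char *login)
{
    return strcmp(acl_user, login) == 0;
}

/* Helper verdict with the patch: oddly spaced names are refused first.
 * Without the patch the verdict is simply ldap_bind_ok(). */
static int
helper_after(const char *user, const char *passwd)
{
    return validUsername(user) && ldap_bind_ok(user, passwd);
}

int
main(void)
{
    const char *logins[] = { "john smith", "john  smith", " john smith", "john\tsmith" };
    size_t i;
    for (i = 0; i < sizeof logins / sizeof logins[0]; i++)
        printf("[%s] bind=%d patched=%d acl(\"john smith\")=%d\n", logins[i],
               ldap_bind_ok(logins[i], "s3cret"), helper_after(logins[i], "s3cret"),
               acl_matches("john smith", logins[i]));
    return 0;
}
```

The three oddly spaced spellings bind successfully in the model yet fail an exact ACL match on "john smith", which is the gap the patch closes by refusing them before the directory is consulted.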