[packages/squid.git] / squid-2.5.STABLE7-ldap_spaces.patch

Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.c
diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.14 squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.15
*** squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.14	Tue Aug 10 03:39:29 2004
--- squid/helpers/basic_auth/LDAP/squid_ldap_auth.c	Sun Jan 16 21:24:14 2005
***************
*** 30,35 ****
--- 30,39 ----
   * or (at your option) any later version.
   *
   * Changes:
+  * 2005-01-07: Henrik Nordstrom <hno@squid-cache.org>
+  *             - Added some sanity checks on login names to avoid
+  *             users bypassing equality checks by exploring the
+  *             overly helpful match capabilities of LDAP
   * 2004-07-17: Henrik Nordstrom <hno@squid-cache.org>
   *             - Corrected non-persistent mode to only issue one
   *             ldap_bind per connection.
***************
*** 83,88 ****
--- 87,93 ----
  #include <stdlib.h>
  #include <lber.h>
  #include <ldap.h>
+ #include <ctype.h>
  
  #include "util.h"
  
***************
*** 261,266 ****
--- 266,297 ----
      return ld;
  }
  
+ /* Make a sanity check on the username to reject oddly typed names */
+ static int
+ validUsername(const char *user)
+ {
+     const unsigned char *p = user;
+ 
+     /* Leading whitespace? */
+     if (isspace(p[0]))
+ 	return 0;
+     while(p[0] && p[1]) {
+ 	if (isspace(p[0])) {
+ 	    /* More than one consequitive space? */
+ 	    if (isspace(p[1]))
+ 		return 0;
+ 	    /* or odd space type character used? */
+ 	    if (p[0] != ' ')
+ 		return 0;
+ 	}
+ 	p++;
+     }
+     /* Trailing whitespace? */
+     if (isspace(p[0]))
+ 	return 0;
+     return 1;
+ }
+ 
  int
  main(int argc, char **argv)
  {
***************
*** 481,486 ****
--- 512,521 ----
  	}
  	rfc1738_unescape(user);
  	rfc1738_unescape(passwd);
+ 	if (!validUsername(user)) {
+ 	    printf("ERR\n");
+ 	    continue;
+ 	}
  	tryagain = (ld != NULL);
        recover:
  	if (ld == NULL && persistent)
Commit	Line	Data
657376c6	1	Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.c
	2	diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.14 squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.15
	3	*** squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.14 Tue Aug 10 03:39:29 2004
	4	--- squid/helpers/basic_auth/LDAP/squid_ldap_auth.c Sun Jan 16 21:24:14 2005
	5	***************
	6	* 30,35 **
	7	--- 30,39 ----
	8	* or (at your option) any later version.
	9	*
	10	* Changes:
	11	+ * 2005-01-07: Henrik Nordstrom <hno@squid-cache.org>
	12	+ * - Added some sanity checks on login names to avoid
	13	+ * users bypassing equality checks by exploring the
	14	+ * overly helpful match capabilities of LDAP
	15	* 2004-07-17: Henrik Nordstrom <hno@squid-cache.org>
	16	* - Corrected non-persistent mode to only issue one
	17	* ldap_bind per connection.
	18	***************
	19	* 83,88 **
	20	--- 87,93 ----
	21	#include <stdlib.h>
	22	#include <lber.h>
	23	#include <ldap.h>
	24	+ #include <ctype.h>
	25
	26	#include "util.h"
	27
	28	***************
	29	* 261,266 **
	30	--- 266,297 ----
	31	return ld;
	32	}
	33
	34	+ /* Make a sanity check on the username to reject oddly typed names */
	35	+ static int
	36	+ validUsername(const char *user)
	37	+ {
	38	+ const unsigned char *p = user;
	39	+
	40	+ /* Leading whitespace? */
	41	+ if (isspace(p[0]))
	42	+ return 0;
	43	+ while(p[0] && p[1]) {
	44	+ if (isspace(p[0])) {
	45	+ /* More than one consequitive space? */
	46	+ if (isspace(p[1]))
	47	+ return 0;
	48	+ /* or odd space type character used? */
	49	+ if (p[0] != ' ')
	50	+ return 0;
	51	+ }
	52	+ p++;
	53	+ }
	54	+ /* Trailing whitespace? */
	55	+ if (isspace(p[0]))
	56	+ return 0;
	57	+ return 1;
	58	+ }
	59	+
	60	int
	61	main(int argc, char **argv)
	62	{
	63	***************
	64	* 481,486 **
65	--- 512,521 ----
66	}
67	rfc1738_unescape(user);
68	rfc1738_unescape(passwd);
69	+ if (!validUsername(user)) {
70	+ printf("ERR\n");
71	+ continue;
72	+ }
73	tryagain = (ld != NULL);
74	recover:
75	if (ld == NULL && persistent)