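--- a/squid/helpers/basic_auth/LDAP/squid_ldap_auth.c
+++ b/squid/helpers/basic_auth/LDAP/squid_ldap_auth.c
@@ -30,6 +30,10 @@
 * or (at your option) any later version.
 *
 * Changes:
+* 2005-01-07: Henrik Nordstrom <hno@squid-cache.org>
+* - Added some sanity checks on login names to avoid
+* users bypassing equality checks by exploring the
+* overly helpful match capabilities of LDAP
 * 2004-07-17: Henrik Nordstrom <hno@squid-cache.org>
 * - Corrected non-persistent mode to only issue one
 * ldap_bind per connection.
@@ -83,6 +87,7 @@
 #include <stdlib.h>
 #include <lber.h>
 #include <ldap.h>
+#include <ctype.h>
 
 #include "util.h"
 
@@ -261,6 +266,32 @@
 return ld;
 }
 
+/* Make a sanity check on the username to reject oddly typed names */
+static int
+validUsername(const char *user)
+{
+const unsigned char *p = user;
+
+/* Leading whitespace? */
+if (isspace(p[0]))
+return 0;
+while(p[0] && p[1]) {
+if (isspace(p[0])) {
+/* More than one consequitive space? */
+if (isspace(p[1]))
+return 0;
+/* or odd space type character used? */
+if (p[0] != ' ')
+return 0;
+}
+p++;
+}
+/* Trailing whitespace? */
+if (isspace(p[0]))
+return 0;
+return 1;
+}
+
 int
 main(int argc, char **argv)
 {
@@ -481,6 +512,10 @@
 }
 rfc1738_unescape(user);
 rfc1738_unescape(passwd);
+if (!validUsername(user)) {
+printf("ERR\n");
+continue;
+}
 tryagain = (ld != NULL);
 recover:
 if (ld == NULL && persistent)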
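Review bot: validUsername() only rejects what isspace() reports for single bytes in the current locale, so any other equivalence the directory applies when matching (case folding, or space characters encoded as multi-byte UTF-8) presumably still yields a login name that differs from the stored one. The function comment should state that scope, e.g. `/* Rejects leading, trailing, repeated and non-' ' whitespace only; case and non-ASCII spacing are not normalised here */`, so that ACLs comparing the login name exactly are not assumed to be fully covered. In the same function `const unsigned char *p = user;` converts from `const char *` without a cast and draws a pointer-signedness diagnostic; `const unsigned char *p = (const unsigned char *) user;` keeps the unsigned values isspace() needs. At the call site the rejection prints only `ERR`, so a short diagnostic on stderr naming the reason would let operators notice these attempts. The loop in main() that contains the new check starts and ends outside the hunk.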