Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.c
diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.14 squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.15
*** squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.14 Tue Aug 10 03:39:29 2004
--- squid/helpers/basic_auth/LDAP/squid_ldap_auth.c Sun Jan 16 21:24:14 2005
***************
*** 30,35 ****
--- 30,39 ----
* or (at your option) any later version.
*
* Changes:
+ * 2005-01-07: Henrik Nordstrom
+ * - Added some sanity checks on login names to avoid
+ * users bypassing equality checks by exploring the
+ * overly helpful match capabilities of LDAP
* 2004-07-17: Henrik Nordstrom
* - Corrected non-persistent mode to only issue one
* ldap_bind per connection.
***************
*** 83,88 ****
--- 87,93 ----
#include
#include
#include
+ #include
#include "util.h"
***************
*** 261,266 ****
--- 266,297 ----
return ld;
}
+ /* Make a sanity check on the username to reject oddly typed names */
+ static int
+ validUsername(const char *user)
+ {
+ const unsigned char *p = user;
+
+ /* Leading whitespace? */
+ if (isspace(p[0]))
+ return 0;
+ while(p[0] && p[1]) {
+ if (isspace(p[0])) {
+ /* More than one consequitive space? */
+ if (isspace(p[1]))
+ return 0;
+ /* or odd space type character used? */
+ if (p[0] != ' ')
+ return 0;
+ }
+ p++;
+ }
+ /* Trailing whitespace? */
+ if (isspace(p[0]))
+ return 0;
+ return 1;
+ }
+
int
main(int argc, char **argv)
{
***************
*** 481,486 ****
--- 512,521 ----
}
rfc1738_unescape(user);
rfc1738_unescape(passwd);
+ if (!validUsername(user)) {
+ printf("ERR\n");
+ continue;
+ }
tryagain = (ld != NULL);
recover:
if (ld == NULL && persistent)
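Review bot: `const unsigned char *p = user;` in validUsername converts a `const char *` to `const unsigned char *` without a cast, which is an incompatible-pointer-type constraint violation that compilers warn on and strict builds reject; the unsigned view is the right one for feeding `isspace()`, so make it explicit: `const unsigned char *p = (const unsigned char *) user;`. The function also returns 1 for an empty string (`p[0] == '\0'` skips every check), so unless the caller rejects empty names before this point an `if (!p[0]) return 0;` guard at the top would make the "sanity check" self-contained. Note that `isspace()` is locale-dependent, so the set of characters this rejects varies with the process locale; a comment saying so above the function would save the next reader a surprise, and the comment typo "consequitive" should read "consecutive". The check only covers whitespace, so if the LDAP search filter is assembled from `user` elsewhere in this file, confirm that filter metacharacters are escaped there rather than relying on this function.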
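Review bot: The new `if (!validUsername(user))` branch answers `ERR` silently, so an operator cannot tell a rejected malformed login apart from a wrong password when diagnosing authentication failures. If the helper has a debugging or stderr reporting facility used by its other error paths, emitting a one-line message there before the `continue;` (e.g. `/* rejected: malformed username */`) would make the new rejection observable without changing the protocol reply. The check is correctly placed after `rfc1738_unescape(user)`, so the decoded name is what is validated. The enclosing request loop in main() starts and ends outside the hunk.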