Bug #935: squid_ldap_auth can be confused by the use of reserved characters

squid_ldap_auth may be confused by the use of reserved characters allowing
the login name to be masqueraded in different manners possibly allowing the
user to partially bypass certain per-user restrictions or confuse third
party accounting packages.

Note that the user can not bypass the login procedure as such. All he can
do is to make the login name look different than normal. There is still
full audit trails on who the user is etc.

The patch also adds and documents a -d flag to both squid_ldap_auth and
squid_ldap_group to allow for easier tracing of the operation of these
programs if results is not what is expected.

diff --git a/helpers/basic_auth/LDAP/squid_ldap_auth.8 b/helpers/basic_auth/LDAP/squid_ldap_auth.8
index 9e3d87c542470f0308b37e43c68015f7659aa401..afa493f0b782cc06a92943daf4d065acc83caa80 100644 (file)
--- a/helpers/basic_auth/LDAP/squid_ldap_auth.8
+++ b/helpers/basic_auth/LDAP/squid_ldap_auth.8
@@ -130,6 +130,12 @@ Netscape LDAP API libraries)
 .BI -t search_timeout
 Specify time limit on LDAP search operations
 .
+.TP
+.BU -d
+Debug mode where each step taken will get reported in detail.
+Useful for understanding what goes wrong if the results is
+not what is expected.
+.
 .SH EXAMPLES
 For directories using the RFC2307 layout with a single domain, all
 you need to specify is usually the base DN under where your users

diff --git a/helpers/basic_auth/LDAP/squid_ldap_auth.c b/helpers/basic_auth/LDAP/squid_ldap_auth.c
index 6a9dec01e88ff84aa1b98c07ad58fc9b09580c2f..96e0aa043883f5d8da4c1a92ae3a0bfcb72b2fb1 100644 (file)
--- a/helpers/basic_auth/LDAP/squid_ldap_auth.c
+++ b/helpers/basic_auth/LDAP/squid_ldap_auth.c
@@ -30,6 +30,12 @@
  * or (at your option) any later version.
  *
  * Changes:
+ * 2004-03-01: Henrik Nordstrom <hno@squid-cache.org>
+ *            - corrected building of search filters to escape
+ *              unsafe input
+ *            - -d option for "debug" like squid_ldap_group
+ * 2004-01-05: Henrik Nordstrom <hno@squid-cache.org>
+ *            - Corrected TLS mode
  * 2003-03-01: David J N Begley
  *            - Support for Netscape API method of ldap over SSL
  *              connections
@@ -93,6 +99,7 @@ static int sslinit = 0;
 #endif
 static int connect_timeout = 0;
 static int timelimit = LDAP_NO_LIMIT;
+static int debug = 0;
 
 /* Added for TLS support and version 3 */
 static int use_tls = 0;
@@ -206,6 +213,7 @@ main(int argc, char **argv)
        case 'R':
        case 'z':
        case 'Z':
+       case 'd':
            break;
        default:
            if (strlen(argv[1]) > 2) {
@@ -331,6 +339,9 @@ main(int argc, char **argv)
            use_tls = 1;
            break;
 #endif
+       case 'd':
+           debug++;
+           break;
        default:
            fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown command line option '%c'\n", option);
            exit(1);
@@ -475,6 +486,34 @@ main(int argc, char **argv)
     return 0;
 }
 
+static int
+ldap_escape_value(char *escaped, int size, const char *src)
+{
+    int n = 0;
+    while (size > 4 && *src) {
+       switch(*src) {
+       case '*':
+       case '(':
+       case ')':
+       case '\\':
+           n += 3;
+           size -= 3;
+           if (size > 0) {
+               *escaped++ = '\\';
+               snprintf(escaped, 3, "%02x", (unsigned char)*src++);
+               escaped+=2;
+           }
+           break;
+       default:
+           *escaped++ = *src++;
+           n++;
+           size--;
+       }
+    }
+    *escaped = '\0';
+    return n;
+}
+
 static int
 checkLDAP(LDAP * ld, const char *userid, const char *password)
 {
@@ -488,6 +527,7 @@ checkLDAP(LDAP * ld, const char *userid, const char *password)
     }
     if (searchfilter) {
        char filter[256];
+       char escaped_login[256];
        LDAPMessage *res = NULL;
        LDAPMessage *entry;
        char *searchattr[] =
@@ -495,6 +535,7 @@ checkLDAP(LDAP * ld, const char *userid, const char *password)
        char *userdn;
        int rc;
 
+       ldap_escape_value(escaped_login, sizeof(escaped_login), userid);
        if (binddn) {
            rc = ldap_simple_bind_s(ld, binddn, bindpasswd);
            if (rc != LDAP_SUCCESS) {
@@ -502,7 +543,9 @@ checkLDAP(LDAP * ld, const char *userid, const char *password)
                return 1;
            }
        }
-       snprintf(filter, sizeof(filter), searchfilter, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid);
+       snprintf(filter, sizeof(filter), searchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login);
+       if (debug)
+           fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, basedn);
        rc = ldap_search_s(ld, basedn, searchscope, filter, searchattr, 1, &res);
        if (rc != LDAP_SUCCESS) {
            if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
@@ -539,6 +582,8 @@ checkLDAP(LDAP * ld, const char *userid, const char *password)
        snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn);
     }
 
+    if (debug)
+       fprintf(stderr, "attempting to bind to user '%s'\n", dn);
     if (ldap_simple_bind_s(ld, dn, password) != LDAP_SUCCESS)
        return 1;
 

diff --git a/helpers/external_acl/ldap_group/squid_ldap_group.8 b/helpers/external_acl/ldap_group/squid_ldap_group.8
index b92964f460b57bfd7561881f9a2377ff909590bd..ec5063f76a5a2d41699d5a5ef7d93b93df6342f0 100644 (file)
--- a/helpers/external_acl/ldap_group/squid_ldap_group.8
+++ b/helpers/external_acl/ldap_group/squid_ldap_group.8
@@ -138,6 +138,12 @@ Specify time limit on LDAP search operations
 .BI -S
 Strip NT domain name component from user names (/ or \\ separated)
 .
+.TP
+.BU -d
+Debug mode where each step taken will get reported in detail.
+Useful for understanding what goes wrong if the results is
+not what is expected.
+
 .SH SQUID CONFIGURATION
 .
 This helper is intended to be used as a external_acl_type helper from

diff --git a/helpers/external_acl/ldap_group/squid_ldap_group.c b/helpers/external_acl/ldap_group/squid_ldap_group.c
index 7b845e3be164d4ef66b692dbe6090ec10afbb53b..017124d394a0eb70924dc13959c62ed1d0a8de74 100644 (file)
--- a/helpers/external_acl/ldap_group/squid_ldap_group.c
+++ b/helpers/external_acl/ldap_group/squid_ldap_group.c
@@ -226,6 +226,7 @@ main(int argc, char **argv)
        case 'R':
        case 'z':
        case 'Z':
+       case 'd':
        case 'g':
        case 'S':
            break;
@@ -555,7 +556,7 @@ ldap_escape_value(char *escaped, int size, const char *src)
            size -= 3;
            if (size > 0) {
                *escaped++ = '\\';
-               snprintf(escaped, 3, "%02x", (int)*src++);
+               snprintf(escaped, 3, "%02x", (unsigned char)*src++);
                escaped+=2;
            }
            break;