Bug #431: case insensitive authentication

Most authentication backends are case insensitive on the user name, and
so should Squid. (with option for case sensitive operation)

Patch ported to Squid-3 by Guido

diff --git a/src/auth/basic/auth_basic.cc b/src/auth/basic/auth_basic.cc
index 4dcbbda676cdf47c28597a6db203b065c0a023f2..db032ff4a3177a7b809dd42bc421be270d0ab64f 100644 (file)
--- a/src/auth/basic/auth_basic.cc
+++ b/src/auth/basic/auth_basic.cc
@@ -1,5 +1,5 @@
 /*
- * $Id: auth_basic.cc,v 1.31 2004/08/30 05:12:32 robertc Exp $
+ * $Id: auth_basic.cc,v 1.32 2004/09/26 21:35:42 hno Exp $
  *
  * DEBUG: section 29    Authenticator
  * AUTHOR: Duane Wessels
@@ -300,6 +300,7 @@ AuthBasicConfig::dump(StoreEntry * entry, const char *name, AuthConfig * scheme)
     storeAppendPrintf(entry, "%s basic children %d\n", name, authenticateChildren);
     storeAppendPrintf(entry, "%s basic concurrency %d\n", name, authenticateConcurrency);
     storeAppendPrintf(entry, "%s basic credentialsttl %d seconds\n", name, (int) credentialsTTL);
+    storeAppendPrintf(entry, "%s basic casesensitive %s\n", name, casesensitive ? "on" : "off");
 
 }
 
@@ -328,6 +329,8 @@ AuthBasicConfig::parse(AuthConfig * scheme, int n_configured, char *param_str)
         parse_eol(&basicAuthRealm);
     } else if (strcasecmp(param_str, "credentialsttl") == 0) {
         parse_time_t(&credentialsTTL);
+    } else if (strcasecmp(param_str, "casesensitive") == 0) {
+        parse_onoff(&casesensitive);
     } else {
         debug(28, 0) ("unrecognised basic auth scheme parameter '%s'\n", param_str);
     }
@@ -403,6 +406,9 @@ BasicUser::extractUsername()
 
     if ((cleartext = strchr(username(), ':')) != NULL)
         *(cleartext)++ = '\0';
+
+    if (!basicConfig.casesensitive)
+        Tolower((char *)username());
 }
 
 void

diff --git a/src/auth/basic/auth_basic.h b/src/auth/basic/auth_basic.h
index b1438188244859f8569b87431f2aacd5f938064c..f5736869c61cda1284af1d55846fcae884e8ed8a 100644 (file)
--- a/src/auth/basic/auth_basic.h
+++ b/src/auth/basic/auth_basic.h
@@ -130,6 +130,7 @@ public:
     char *basicAuthRealm;
     wordlist *authenticate;
     time_t credentialsTTL;
+    int casesensitive;
 };
 
 #endif

diff --git a/src/cf.data.pre b/src/cf.data.pre
index e9f0cb03b9569f5b0ab821f5ef812bf552be411a..3ff6dc186c4453be513dfd682459392a431bcd7e 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1,6 +1,6 @@
 
 #
-# $Id: cf.data.pre,v 1.355 2004/09/25 15:46:44 hno Exp $
+# $Id: cf.data.pre,v 1.356 2004/09/26 21:35:41 hno Exp $
 #
 #
 # SQUID Web Proxy Cache          http://www.squid-cache.org/
@@ -1746,6 +1746,13 @@ DOC_START
        you will be vulnerable to replay attacks unless you also
        use the max_user_ip ACL in an http_access rule.
 
+    "casesensitive" on|off
+    Specifies if usernames are case sensitive. Most user databases are
+    case insensitive allowing the same username to be spelled using both
+    lower and upper case letters, but some are case sensitive. This
+    makes a big difference for user_max_ip ACL processing and similar.
+    auth_param basic casesensitive off
+
        === Parameters for the digest scheme follow ===
 
        "program" cmdline