From: hno <> Date: Sat, 3 Apr 2004 22:15:28 +0000 (+0000) Subject: Bug #935: squid_ldap_auth can be confused by the use of reserved characters X-Git-Tag: SQUID_3_0_PRE4~1119 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=307228f182ee6ec50cfcb73c0b66f73e6144a8ca;p=thirdparty%2Fsquid.git Bug #935: squid_ldap_auth can be confused by the use of reserved characters squid_ldap_auth may be confused by the use of reserved characters allowing the login name to be masqueraded in different manners possibly allowing the user to partially bypass certain per-user restrictions or confuse third party accounting packages. Note that the user can not bypass the login procedure as such. All he can do is to make the login name look different than normal. There is still full audit trails on who the user is etc. The patch also adds and documents a -d flag to both squid_ldap_auth and squid_ldap_group to allow for easier tracing of the operation of these programs if results is not what is expected. --- diff --git a/helpers/basic_auth/LDAP/squid_ldap_auth.8 b/helpers/basic_auth/LDAP/squid_ldap_auth.8 index 9e3d87c542..afa493f0b7 100644 --- a/helpers/basic_auth/LDAP/squid_ldap_auth.8 +++ b/helpers/basic_auth/LDAP/squid_ldap_auth.8 @@ -130,6 +130,12 @@ Netscape LDAP API libraries) .BI -t search_timeout Specify time limit on LDAP search operations . +.TP +.BU -d +Debug mode where each step taken will get reported in detail. +Useful for understanding what goes wrong if the results is +not what is expected. +. .SH EXAMPLES For directories using the RFC2307 layout with a single domain, all you need to specify is usually the base DN under where your users diff --git a/helpers/basic_auth/LDAP/squid_ldap_auth.c b/helpers/basic_auth/LDAP/squid_ldap_auth.c index 6a9dec01e8..96e0aa0438 100644 --- a/helpers/basic_auth/LDAP/squid_ldap_auth.c +++ b/helpers/basic_auth/LDAP/squid_ldap_auth.c @@ -30,6 +30,12 @@ * or (at your option) any later version. * * Changes: + * 2004-03-01: Henrik Nordstrom + * - corrected building of search filters to escape + * unsafe input + * - -d option for "debug" like squid_ldap_group + * 2004-01-05: Henrik Nordstrom + * - Corrected TLS mode * 2003-03-01: David J N Begley * - Support for Netscape API method of ldap over SSL * connections @@ -93,6 +99,7 @@ static int sslinit = 0; #endif static int connect_timeout = 0; static int timelimit = LDAP_NO_LIMIT; +static int debug = 0; /* Added for TLS support and version 3 */ static int use_tls = 0; @@ -206,6 +213,7 @@ main(int argc, char **argv) case 'R': case 'z': case 'Z': + case 'd': break; default: if (strlen(argv[1]) > 2) { @@ -331,6 +339,9 @@ main(int argc, char **argv) use_tls = 1; break; #endif + case 'd': + debug++; + break; default: fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown command line option '%c'\n", option); exit(1); @@ -475,6 +486,34 @@ main(int argc, char **argv) return 0; } +static int +ldap_escape_value(char *escaped, int size, const char *src) +{ + int n = 0; + while (size > 4 && *src) { + switch(*src) { + case '*': + case '(': + case ')': + case '\\': + n += 3; + size -= 3; + if (size > 0) { + *escaped++ = '\\'; + snprintf(escaped, 3, "%02x", (unsigned char)*src++); + escaped+=2; + } + break; + default: + *escaped++ = *src++; + n++; + size--; + } + } + *escaped = '\0'; + return n; +} + static int checkLDAP(LDAP * ld, const char *userid, const char *password) { @@ -488,6 +527,7 @@ checkLDAP(LDAP * ld, const char *userid, const char *password) } if (searchfilter) { char filter[256]; + char escaped_login[256]; LDAPMessage *res = NULL; LDAPMessage *entry; char *searchattr[] = @@ -495,6 +535,7 @@ checkLDAP(LDAP * ld, const char *userid, const char *password) char *userdn; int rc; + ldap_escape_value(escaped_login, sizeof(escaped_login), userid); if (binddn) { rc = ldap_simple_bind_s(ld, binddn, bindpasswd); if (rc != LDAP_SUCCESS) { @@ -502,7 +543,9 @@ checkLDAP(LDAP * ld, const char *userid, const char *password) return 1; } } - snprintf(filter, sizeof(filter), searchfilter, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid); + snprintf(filter, sizeof(filter), searchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login); + if (debug) + fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, basedn); rc = ldap_search_s(ld, basedn, searchscope, filter, searchattr, 1, &res); if (rc != LDAP_SUCCESS) { if (noreferrals && rc == LDAP_PARTIAL_RESULTS) { @@ -539,6 +582,8 @@ checkLDAP(LDAP * ld, const char *userid, const char *password) snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn); } + if (debug) + fprintf(stderr, "attempting to bind to user '%s'\n", dn); if (ldap_simple_bind_s(ld, dn, password) != LDAP_SUCCESS) return 1; diff --git a/helpers/external_acl/ldap_group/squid_ldap_group.8 b/helpers/external_acl/ldap_group/squid_ldap_group.8 index b92964f460..ec5063f76a 100644 --- a/helpers/external_acl/ldap_group/squid_ldap_group.8 +++ b/helpers/external_acl/ldap_group/squid_ldap_group.8 @@ -138,6 +138,12 @@ Specify time limit on LDAP search operations .BI -S Strip NT domain name component from user names (/ or \\ separated) . +.TP +.BU -d +Debug mode where each step taken will get reported in detail. +Useful for understanding what goes wrong if the results is +not what is expected. + .SH SQUID CONFIGURATION . This helper is intended to be used as a external_acl_type helper from diff --git a/helpers/external_acl/ldap_group/squid_ldap_group.c b/helpers/external_acl/ldap_group/squid_ldap_group.c index 7b845e3be1..017124d394 100644 --- a/helpers/external_acl/ldap_group/squid_ldap_group.c +++ b/helpers/external_acl/ldap_group/squid_ldap_group.c @@ -226,6 +226,7 @@ main(int argc, char **argv) case 'R': case 'z': case 'Z': + case 'd': case 'g': case 'S': break; @@ -555,7 +556,7 @@ ldap_escape_value(char *escaped, int size, const char *src) size -= 3; if (size > 0) { *escaped++ = '\\'; - snprintf(escaped, 3, "%02x", (int)*src++); + snprintf(escaped, 3, "%02x", (unsigned char)*src++); escaped+=2; } break;