From: hno <> Date: Mon, 12 Aug 2002 07:11:47 +0000 (+0000) Subject: Bugzilla #81: basic scheme authentication helpers dont' allow the space character... X-Git-Tag: SQUID_3_0_PRE1~849 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9bbd16554739b675c0a0caae65289f82867f163c;p=thirdparty%2Fsquid.git Bugzilla #81: basic scheme authentication helpers dont' allow the space character (ascii 32) in usernames or passwords as per rfc 2617 This patch URL escapes Basic auth login and password information when sent to the helpers, to allow for spaces and other odd characters --- diff --git a/ChangeLog b/ChangeLog index 04bceea75b..db208f754d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -61,6 +61,9 @@ Changes to squid-2.5 (): In addition to that they have a new look (background-color, font) and are valid according to the HTML standards at www.w3.org. (Clemens Löser) + - Login and password send to Basic auth helpers is now URL escaped + to allow for spaces and other "odd" characters in logins and + passwords Changes to Squid-2.4.STABLE7 (July 2, 2002): diff --git a/helpers/basic_auth/LDAP/Makefile.am b/helpers/basic_auth/LDAP/Makefile.am index bc5de010d3..180960d87c 100644 --- a/helpers/basic_auth/LDAP/Makefile.am +++ b/helpers/basic_auth/LDAP/Makefile.am @@ -1,7 +1,7 @@ # # Makefile for the Squid LDAP authentication helper # -# $Id: Makefile.am,v 1.3 2002/01/08 16:24:15 hno Exp $ +# $Id: Makefile.am,v 1.4 2002/08/12 01:11:48 hno Exp $ # # Uncomment and customize the following to suit your needs: # @@ -11,4 +11,5 @@ man_MANS = squid_ldap_auth.8 EXTRA_DIST = squid_ldap_auth.8 squid_ldap_auth_SOURCES = squid_ldap_auth.c -LDADD = -lldap -llber +LDADD = -L$(top_builddir)/lib -lmiscutil -lldap -llber $(XTRA_LIBS) +INCLUDES = -I$(top_srcdir)/include diff --git a/helpers/basic_auth/LDAP/squid_ldap_auth.c b/helpers/basic_auth/LDAP/squid_ldap_auth.c index 2958c99403..609fcf57a4 100644 --- a/helpers/basic_auth/LDAP/squid_ldap_auth.c +++ b/helpers/basic_auth/LDAP/squid_ldap_auth.c 
@@ -58,6 +58,8 @@ #include #include +#include "util.h" + /* Change this to your search base */ static char *basedn; static char *searchfilter = NULL; @@ -294,6 +296,8 @@ main(int argc, char **argv) printf("ERR\n"); continue; } + rfc1738_unescape(user); + rfc1738_unescape(passwd); tryagain = 1; recover: if (ld == NULL) { diff --git a/helpers/basic_auth/MSNT/Makefile.am b/helpers/basic_auth/MSNT/Makefile.am index 8d2034dd3a..9ffb626a1d 100644 --- a/helpers/basic_auth/MSNT/Makefile.am +++ b/helpers/basic_auth/MSNT/Makefile.am @@ -1,7 +1,7 @@ # # Makefile for the Squid Object Cache server # -# $Id: Makefile.am,v 1.8 2002/06/26 18:44:27 hno Exp $ +# $Id: Makefile.am,v 1.9 2002/08/12 01:11:48 hno Exp $ # # Uncomment and customize the following to suit your needs: # @@ -27,10 +27,9 @@ EXTRA_DIST = \ sysconf_DATA = \ msntauth.conf.default -LDADD = @XTRA_LIBS@ +LDADD = -L$(top_builddir)/lib -lmiscutil $(XTRA_LIBS) -INCLUDES = -I. -I$(top_builddir)/include -I$(top_srcdir)/include \ - -I$(top_srcdir)/src/ +INCLUDES = -I$(top_srcdir)/include confload.o: confload.c $(COMPILE) -DSYSCONFDIR=\"$(sysconfdir)\" -c $(srcdir)/confload.c -o $@ diff --git a/helpers/basic_auth/MSNT/msntauth.c b/helpers/basic_auth/MSNT/msntauth.c index 8f9a94e394..02af0794d2 100644 --- a/helpers/basic_auth/MSNT/msntauth.c +++ b/helpers/basic_auth/MSNT/msntauth.c @@ -117,6 +117,9 @@ main(int argc, char **argv) } Checktimer(); /* Check if the user lists have changed */ + rfc1738_unescape(username); + rfc1738_unescape(password); + /* * Check if user is explicitly denied or allowed. * If user passes both checks, they can be authenticated. diff --git a/helpers/basic_auth/NCSA/Makefile.am b/helpers/basic_auth/NCSA/Makefile.am index 83f1a13f6c..4a55e42c9b 100644 --- a/helpers/basic_auth/NCSA/Makefile.am +++ b/helpers/basic_auth/NCSA/Makefile.am 
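Review bot: After the two `rfc1738_unescape` calls added in the second squid_ldap_auth.c hunk, nothing visible re-checks `user` and `passwd` before the bind logic that follows at `recover:`. In particular, `passwd` may now be an empty string after decoding if the decoder accepts an encoded NUL (its behaviour is not shown on this page). Many LDAP servers treat a simple bind with an empty password as an anonymous bind and report success. A guard right after decoding, `if (*passwd == '\0') { printf("ERR\n"); continue; }`, matches the rejection style used just above. main() continues outside the hunk, so whether a later check exists cannot be confirmed from here.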
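Review bot: The new `INCLUDES = -I$(top_srcdir)/include` in MSNT/Makefile.am drops `-I$(top_builddir)/include`, which the removed line had. If any header reached through `util.h` is generated by configure into the build tree, a build in a separate object directory would no longer find it. Keeping both paths avoids that: `INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include`. The same reduction appears in the NCSA, PAM, SASL, SMB, YP, getpwnam and winbind Makefile.am hunks, and the LDAP hunk adds only the source-tree path.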
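Review bot: `rfc1738_unescape` is called in the msntauth.c hunk, but the hunk adds no `#include "util.h"`, unlike the LDAP, SMB and getpwnam helpers in the same commit. If msntauth.c does not already include that header (its include list is outside the hunk), the call relies on an implicit declaration, which hides argument mismatches and is rejected by C99 and later. The same question applies to the ncsa_auth.c, pam_auth.c, sasl_auth.c, yp_auth.c and wb_basic_auth.c hunks. Adding `#include "util.h"` next to the existing includes in each file would settle it.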
@@ -1,7 +1,7 @@ # # Makefile for the Squid Object Cache server # -# $Id: Makefile.am,v 1.1 2001/08/31 11:19:16 robertc Exp $ +# $Id: Makefile.am,v 1.2 2002/08/12 01:11:49 hno Exp $ # # Uncomment and customize the following to suit your needs: # @@ -9,5 +9,4 @@ libexec_PROGRAMS = ncsa_auth ncsa_auth_SOURCES = ncsa_auth.c LDADD = -L$(top_builddir)/lib -lmiscutil $(CRYPTLIB) $(XTRA_LIBS) -INCLUDES = -I. -I$(top_builddir)/include -I$(top_srcdir)/include \ - -I$(top_srcdir)/src/ +INCLUDES = -I$(top_srcdir)/include diff --git a/helpers/basic_auth/NCSA/ncsa_auth.c b/helpers/basic_auth/NCSA/ncsa_auth.c index ceb81572c0..5706837f68 100644 --- a/helpers/basic_auth/NCSA/ncsa_auth.c +++ b/helpers/basic_auth/NCSA/ncsa_auth.c @@ -130,6 +130,8 @@ main(int argc, char **argv) printf("ERR\n"); continue; } + rfc1738_unescape(user); + rfc1738_unescape(passwd); u = hash_lookup(hash, user); if (u == NULL) { printf("ERR\n"); diff --git a/helpers/basic_auth/PAM/Makefile.am b/helpers/basic_auth/PAM/Makefile.am index 73be7b9f9c..be4d46a5d4 100644 --- a/helpers/basic_auth/PAM/Makefile.am +++ b/helpers/basic_auth/PAM/Makefile.am @@ -1,15 +1,14 @@ # # Makefile for the Squid PAM authentication helper # -# $Id: Makefile.am,v 1.3 2002/01/08 16:24:21 hno Exp $ +# $Id: Makefile.am,v 1.4 2002/08/12 01:11:50 hno Exp $ # # Uncomment and customize the following to suit your needs: # -INCLUDES = -I. -I$(top_builddir)/include -I$(top_srcdir)/include \ - -I$(top_srcdir)/src/ +INCLUDES = -I$(top_srcdir)/include man_MANS = pam_auth.8 EXTRA_DIST = pam_auth.8 libexec_PROGRAMS = pam_auth -LDADD = -lpam $(XTRA_LIBS) +LDADD = -L$(top_builddir)/lib -lmiscutil -lpam $(XTRA_LIBS) diff --git a/helpers/basic_auth/PAM/pam_auth.c b/helpers/basic_auth/PAM/pam_auth.c index 921d08ba48..04bd33ebb9 100644 --- a/helpers/basic_auth/PAM/pam_auth.c +++ b/helpers/basic_auth/PAM/pam_auth.c 
@@ -1,5 +1,5 @@ /* - * $Id: pam_auth.c,v 1.7 2002/01/07 03:29:10 hno Exp $ + * $Id: pam_auth.c,v 1.8 2002/08/12 01:11:50 hno Exp $ * * PAM authenticator module for Squid. * Copyright (C) 1999,2002 Henrik Nordstrom @@ -191,6 +191,8 @@ start: goto error; } *password++ = '\0'; + rfc1738_unescape(user); + rfc1738_unescape(password); conv.appdata_ptr = (char *) password; /* from buf above. not allocated */ if (ttl == 0) { diff --git a/helpers/basic_auth/SASL/Makefile.am b/helpers/basic_auth/SASL/Makefile.am index 08feb8fa0f..9735bdaf3e 100644 --- a/helpers/basic_auth/SASL/Makefile.am +++ b/helpers/basic_auth/SASL/Makefile.am @@ -1,14 +1,13 @@ # # Makefile for the Squid SASL authentication helper # -# $Id: Makefile.am,v 1.2 2002/04/14 22:24:03 hno Exp $ +# $Id: Makefile.am,v 1.3 2002/08/12 01:11:51 hno Exp $ # # Uncomment and customize the following to suit your needs: # -INCLUDES = -I. -I$(top_builddir)/include -I$(top_srcdir)/include \ - -I$(top_srcdir)/src/ +INCLUDES = -I$(top_srcdir)/include libexec_PROGRAMS = sasl_auth -LDADD = -lsasl $(XTRA_LIBS) +LDADD = -L$(top_builddir)/lib -lmiscutil -lsasl $(XTRA_LIBS) EXTRA_DIST = squid_sasl_auth squid_sasl_auth.conf diff --git a/helpers/basic_auth/SASL/sasl_auth.c b/helpers/basic_auth/SASL/sasl_auth.c index 4bdd43b7bc..0878d3e0c0 100644 --- a/helpers/basic_auth/SASL/sasl_auth.c +++ b/helpers/basic_auth/SASL/sasl_auth.c @@ -1,5 +1,5 @@ /* - * $Id: sasl_auth.c,v 1.2 2002/04/01 09:08:38 hno Exp $ + * $Id: sasl_auth.c,v 1.3 2002/08/12 01:11:51 hno Exp $ * * SASL authenticator module for Squid. * Copyright (C) 2002 Ian Castle @@ -79,6 +79,9 @@ main() } *password++ = '\0'; + rfc1738_unescape(username); + rfc1738_unescape(password); + rc = sasl_checkpass(conn, username, strlen(username), password, strlen(password), &errstr); if ( rc != SASL_OK ) { diff --git a/helpers/basic_auth/SMB/Makefile.am b/helpers/basic_auth/SMB/Makefile.am index 7a2ecd4274..aedd63d1d1 100644 --- a/helpers/basic_auth/SMB/Makefile.am 
+++ b/helpers/basic_auth/SMB/Makefile.am @@ -1,7 +1,7 @@ # # Makefile for the Squid Object Cache server # -# $Id: Makefile.am,v 1.3 2002/05/20 02:03:56 hno Exp $ +# $Id: Makefile.am,v 1.4 2002/08/12 01:11:55 hno Exp $ # # Uncomment and customize the following to suit your needs: # @@ -22,7 +22,6 @@ libexec_PROGRAMS = smb_auth smb_auth_CFLAGS = -DSAMBAPREFIX=\"$(SAMBAPREFIX)\" -DHELPERSCRIPT=\"$(SMB_AUTH_HELPER_PATH)\" EXTRA_DIST = smb_auth.sh COPYING-2.0 -LDADD = $(XTRA_LIBS) +LDADD = -L$(top_builddir)/lib -lmiscutil $(XTRA_LIBS) -INCLUDES = -I. -I$(top_builddir)/include -I$(top_srcdir)/include \ - -I$(top_srcdir)/src/ +INCLUDES = -I$(top_srcdir)/include diff --git a/helpers/basic_auth/SMB/smb_auth.c b/helpers/basic_auth/SMB/smb_auth.c index 3f6f245c76..bc9a1cdc4c 100644 --- a/helpers/basic_auth/SMB/smb_auth.c +++ b/helpers/basic_auth/SMB/smb_auth.c @@ -45,6 +45,8 @@ #include #include +#include "util.h" + #define BUFSIZE 256 #define NMB_UNICAST 1 #define NMB_BROADCAST 2 @@ -234,6 +236,8 @@ main(int argc, char *argv[]) (void) printf("ERR\n"); continue; } + rfc1738_unescape(user); + rfc1738_unescape(pass); (void) fprintf(p, "%s\n", dom->name); (void) fprintf(p, "%s\n", dom->passthrough); (void) fprintf(p, "%s\n", dom->nmbaddr); diff --git a/helpers/basic_auth/YP/Makefile.am b/helpers/basic_auth/YP/Makefile.am index 88caf93904..1f2ba03864 100644 --- a/helpers/basic_auth/YP/Makefile.am +++ b/helpers/basic_auth/YP/Makefile.am @@ -1,12 +1,11 @@ # # Makefile for the Squid Object Cache server # -# $Id: Makefile.am,v 1.3 2001/12/27 00:23:33 hno Exp $ +# $Id: Makefile.am,v 1.4 2002/08/12 01:11:55 hno Exp $ # # libexec_PROGRAMS = yp_auth yp_auth_SOURCES = yp_auth.c nis_support.h nis_support.c LDADD = -L$(top_builddir)/lib -lmiscutil $(CRYPTLIB) $(XTRA_LIBS) -INCLUDES = -I. -I$(top_builddir)/include -I$(top_srcdir)/include \ - -I$(top_srcdir)/src/ +INCLUDES = -I$(top_srcdir)/include 
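Review bot: Decoding `user` and `pass` immediately before the `fprintf(p, "%s\n", ...)` sequence in smb_auth.c means either string can now contain a newline or other control character taken from the client's percent-encoded input. The visible writes send one value per line to `p`, so if `user` and `pass` are written the same way further down (outside this hunk), an embedded line break would shift the fields the child process reads. Validate both strings after decoding and before anything is written to `p`, answering `ERR` when `iscntrl((unsigned char) *s)` is true for any byte. main() continues past the end of the hunk, so any escaping applied later cannot be seen here.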
diff --git a/helpers/basic_auth/YP/yp_auth.c b/helpers/basic_auth/YP/yp_auth.c index bb2ce8fc4f..3c0fd2cc2c 100644 --- a/helpers/basic_auth/YP/yp_auth.c +++ b/helpers/basic_auth/YP/yp_auth.c @@ -63,6 +63,10 @@ main(int argc, char **argv) printf("ERR\n"); continue; } + + rfc1738_unescape(user); + rfc1738_unescape(passwd); + nispasswd = get_nis_password(user, nisdomain, nismap); if (!nispasswd) { diff --git a/helpers/basic_auth/getpwnam/Makefile.am b/helpers/basic_auth/getpwnam/Makefile.am index e92de4d3ce..46f3b32d67 100644 --- a/helpers/basic_auth/getpwnam/Makefile.am +++ b/helpers/basic_auth/getpwnam/Makefile.am @@ -1,7 +1,7 @@ # # Makefile for the Squid Object Cache server # -# $Id: Makefile.am,v 1.1 2001/08/31 11:19:20 robertc Exp $ +# $Id: Makefile.am,v 1.2 2002/08/12 01:11:56 hno Exp $ # # Uncomment and customize the following to suit your needs: # @@ -11,7 +11,5 @@ libexec_PROGRAMS = getpwname_auth getpwname_auth_SOURCES = getpwnam_auth.c -INCLUDES = -I. -I$(top_builddir)/include -I$(top_srcdir)/include \ - -I$(top_srcdir)/src/ - +INCLUDES = -I$(top_srcdir)/include LDADD = -L$(top_builddir)/lib -lmiscutil $(CRYPTLIB) $(XTRA_LIBS) diff --git a/helpers/basic_auth/getpwnam/getpwnam_auth.c b/helpers/basic_auth/getpwnam/getpwnam_auth.c index e71c3656fb..ebd7cc38db 100644 --- a/helpers/basic_auth/getpwnam/getpwnam_auth.c +++ b/helpers/basic_auth/getpwnam/getpwnam_auth.c @@ -40,6 +40,7 @@ #include #endif +#include "util.h" #define ERR "ERR\n" #define OK "OK\n" @@ -65,6 +66,8 @@ main() printf(ERR); continue; } + rfc1738_unescape(user); + rfc1738_unescape(passwd); pwd = getpwnam(user); if (pwd == NULL) { printf(ERR); diff --git a/helpers/basic_auth/multi-domain-NTLM/smb_auth.pl b/helpers/basic_auth/multi-domain-NTLM/smb_auth.pl index e52116f9f5..c28fe642a2 100644 --- a/helpers/basic_auth/multi-domain-NTLM/smb_auth.pl +++ b/helpers/basic_auth/multi-domain-NTLM/smb_auth.pl 
@@ -1,5 +1,5 @@ #!/usr/bin/perl -# $Id: smb_auth.pl,v 1.2 2001/05/21 04:50:58 hno Exp $ +# $Id: smb_auth.pl,v 1.3 2002/08/12 01:11:57 hno Exp $ #if you define this, debugging output will be printed to STDERR. #$debug=1; @@ -38,13 +38,16 @@ use Authen::Smb; $|=1; while (<>) { - if (! m;([^\\]+)(\\|/)(\S+)\s(.*); ) { #parse the line + if (! m;([^\\]+)(\\|/|%2f|%5c)(\S+)\s(.*); ) { #parse the line print "ERR\n"; next; } - $domain=$1; + $domain=$1; $user=$3; $pass=$4; + $domain =~ s/%([0-9a-f][0-9a-f])/pack("H2",$1)/gie; + $user =~ s/%([0-9a-f][0-9a-f])/pack("H2",$1)/gie; + $pass =~ s/%([0-9a-f][0-9a-f])/pack("H2",$1)/gie; print STDERR "domain: $domain, user: $user, pass=$pass\n" if (defined ($debug)); # check out that we know the PDC address diff --git a/helpers/basic_auth/winbind/Makefile.am b/helpers/basic_auth/winbind/Makefile.am index 49745ef686..1aeb18d557 100644 --- a/helpers/basic_auth/winbind/Makefile.am +++ b/helpers/basic_auth/winbind/Makefile.am @@ -1,11 +1,10 @@ # # Makefile for the Squid Object Cache server # -# $Id: Makefile.am,v 1.4 2002/05/23 14:01:19 hno Exp $ +# $Id: Makefile.am,v 1.5 2002/08/12 01:11:57 hno Exp $ # libexec_PROGRAMS = wb_auth wb_auth_SOURCES = wb_basic_auth.c wb_common.c samba_nss.h winbindd_nss.h wbntlm.h winbind_nss_config.h -INCLUDES = -I. -I$(top_builddir)/include -I$(top_srcdir)/include \ - -I$(top_srcdir)/src +INCLUDES = -I$(top_srcdir)/include LDADD = -L$(top_builddir)/lib -lmiscutil -lntlmauth $(XTRA_LIBS) diff --git a/helpers/basic_auth/winbind/wb_basic_auth.c b/helpers/basic_auth/winbind/wb_basic_auth.c index 1c7f94a802..9e959dc2cb 100644 --- a/helpers/basic_auth/winbind/wb_basic_auth.c +++ b/helpers/basic_auth/winbind/wb_basic_auth.c @@ -145,6 +145,9 @@ void manage_request(void) *pass='\0'; pass++; + rfc1738_unescape(user); + rfc1738_unescape(pass); + do_authenticate(user,pass); } diff --git a/src/auth/basic/auth_basic.cc b/src/auth/basic/auth_basic.cc index d78c870cbd..f391839b3e 100644 --- a/src/auth/basic/auth_basic.cc 
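Review bot: The separator alternatives `%2f|%5c` added to the parse regex in smb_auth.pl are matched case-sensitively, while the three decode substitutions below use `/gie` and accept hex digits in either case. If the proxy emits uppercase hex digits (the escaper is not visible on this page), an escaped backslash arrives as `%5C`, the match fails and a DOMAIN\user login is answered with `ERR`. Writing the alternation as `(\\|/|%2[fF]|%5[cC])` keeps the parse step consistent with the decoding.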
+++ b/src/auth/basic/auth_basic.cc @@ -1,5 +1,5 @@ /* - * $Id: auth_basic.cc,v 1.17 2002/04/13 23:07:53 hno Exp $ + * $Id: auth_basic.cc,v 1.18 2002/08/12 01:11:58 hno Exp $ * * DEBUG: section 29 Authenticator * AUTHOR: Duane Wessels @@ -558,6 +558,7 @@ authenticateBasicStart(auth_user_request_t * auth_user_request, RH * handler, vo { authenticateStateData *r = NULL; char buf[8192]; + char user[1024], pass[1024]; basic_data *basic_auth; assert(auth_user_request); assert(handler); @@ -590,7 +591,9 @@ authenticateBasicStart(auth_user_request_t * auth_user_request, RH * handler, vo r->auth_user_request = auth_user_request; /* mark the user as haveing verification in progress */ basic_auth->flags.credentials_ok = 2; - snprintf(buf, 8192, "%s %s\n", basic_auth->username, basic_auth->passwd); + xstrncpy(user, rfc1738_escape(basic_auth->username), sizeof(user)); + xstrncpy(pass, rfc1738_escape(basic_auth->passwd), sizeof(pass)); + snprintf(buf, sizeof(buf), "%s %s\n", user, pass); helperSubmit(basicauthenticators, buf, authenticateBasicHandleReply, r); } }
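Review bot: `xstrncpy(user, rfc1738_escape(basic_auth->username), sizeof(user))` and the matching line for `pass` silently cut the escaped credential to fit the 1024-byte buffers, although escaping can expand each input byte to three. A long username or password is therefore submitted to the helper in shortened form, possibly ending in the middle of a `%XX` sequence. The helper's verdict is then recorded for credentials the client did not actually send. Compare the escaped length with the buffer size first, e.g. `if (strlen(rfc1738_escape(basic_auth->passwd)) >= sizeof(pass))`, and fail the request instead of calling `helperSubmit`. The buffers are declared in the preceding hunk, and the function's error path lies outside both hunks.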