From: serassio <> Date: Sun, 30 Jan 2005 22:54:20 +0000 (+0000) Subject: Bug #1187: Usernames with whitespace X-Git-Tag: SQUID_3_0_PRE4~886 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3cc8b8b69bf1bedd693eb227cd434910cd10ccbd;p=thirdparty%2Fsquid.git Bug #1187: Usernames with whitespace Add sanity checks on LDAP user names Forward port of 2.5 patch. --- diff --git a/helpers/basic_auth/LDAP/squid_ldap_auth.c b/helpers/basic_auth/LDAP/squid_ldap_auth.c index c4ea7d4c42..5c727adf73 100644 --- a/helpers/basic_auth/LDAP/squid_ldap_auth.c +++ b/helpers/basic_auth/LDAP/squid_ldap_auth.c @@ -30,6 +30,10 @@ * or (at your option) any later version. * * Changes: + * 2005-01-07: Henrik Nordstrom + * - Added some sanity checks on login names to avoid + * users bypassing equality checks by exploring the + * overly helpful match capabilities of LDAP * 2004-07-17: Henrik Nordstrom * - Corrected non-persistent mode to only issue one * ldap_bind per connection. @@ -83,6 +87,7 @@ #include #include #include +#include #ifdef _SQUID_MSWIN_ /* Native Windows port and MinGW */ @@ -291,6 +296,32 @@ open_ldap_connection(const char *ldapServer, int port) return ld; } +/* Make a sanity check on the username to reject oddly typed names */ +static int +validUsername(const char *user) +{ + const unsigned char *p = user; + + /* Leading whitespace? */ + if (isspace(p[0])) + return 0; + while(p[0] && p[1]) { + if (isspace(p[0])) { + /* More than one consequitive space? */ + if (isspace(p[1])) + return 0; + /* or odd space type character used? */ + if (p[0] != ' ') + return 0; + } + p++; + } + /* Trailing whitespace? */ + if (isspace(p[0])) + return 0; + return 1; +} + int main(int argc, char **argv) { @@ -528,6 +559,10 @@ main(int argc, char **argv) } rfc1738_unescape(user); rfc1738_unescape(passwd); + if (!validUsername(user)) { + printf("ERR\n"); + continue; + } tryagain = (ld != NULL); recover: if (ld == NULL && persistent)