From: hno <>
Date: Thu, 27 Jun 2002 01:09:47 +0000 (+0000)
Subject: Don't use denyusers/allowusers unless configured in msntauth.conf
X-Git-Tag: SQUID_3_0_PRE1~937
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=811c6e766bf74877397e06f66a5689a7f462ca7c;p=thirdparty%2Fsquid.git
Don't use denyusers/allowusers unless configured in msntauth.conf
Fixed a DoS condition.
---
diff --git a/helpers/basic_auth/MSNT/README.html b/helpers/basic_auth/MSNT/README.html
index 28a70e0edb..5fec298277 100644
--- a/helpers/basic_auth/MSNT/README.html
+++ b/helpers/basic_auth/MSNT/README.html
@@ -173,7 +173,7 @@ the msntauth process receives a SIGHUP signal.

The denied user file is set using the 'denyusers' directive -in msntauth.h. The denied user file +in msntauth.conf. The denied user file contains a list of usernames in no particular structure or form. If the file does not exist, no users are denied. The file must be readable by the web proxy user. @@ -191,7 +191,7 @@ allowed supposed to be accessing a proxy.

The allowed user file is set using the 'allowusers' directive -in msntauth.h. +in msntauth.conf. If the file does not exist or if empty, all users are allowed.

diff --git a/helpers/basic_auth/MSNT/allowusers.c b/helpers/basic_auth/MSNT/allowusers.c
index 33ec88c0a7..c161dd527e 100644
--- a/helpers/basic_auth/MSNT/allowusers.c
+++ b/helpers/basic_auth/MSNT/allowusers.c
@@ -30,7 +30,10 @@ Read_allowusers(void)
 memset(&AllowUsers, '\0', sizeof(AllowUsers));
 init = 1;
 }
- return Read_usersfile(Allowuserpath, &AllowUsers);
+ if (*Allowuserpath)
+ return Read_usersfile(Allowuserpath, &AllowUsers);
+ else
+ return 0;
 }
 int
diff --git a/helpers/basic_auth/MSNT/confload.c b/helpers/basic_auth/MSNT/confload.c
index a7f1552b4a..5823a49e1f 100644
--- a/helpers/basic_auth/MSNT/confload.c
+++ b/helpers/basic_auth/MSNT/confload.c
@@ -27,8 +27,6 @@
 #define SYSCONFDIR "/usr/local/squid/etc"
 #endif
 #define CONFIGFILE SYSCONFDIR "/msntauth.conf"
-#define DENYUSERSDEFAULT SYSCONFDIR "/denyusers"
-#define ALLOWUSERSDEFAULT SYSCONFDIR "/allowusers"
 /* Maximum number of servers to query. This number can be increased. */
 #define MAXSERVERS 5
@@ -69,8 +67,6 @@ OpenConfigFile(void)
 memset(ServerArray, '\0', sizeof(ServerArray));
 memset(Denyuserpath, '\0', MAXPATHLEN);
 memset(Allowuserpath, '\0', MAXPATHLEN);
- strncpy(Denyuserpath, DENYUSERSDEFAULT, MAXPATHLEN - 1);
- strncpy(Allowuserpath, ALLOWUSERSDEFAULT, MAXPATHLEN - 1);
 /* Open file */
 if ((ConfigFile = fopen(CONFIGFILE, "r")) == NULL) {
diff --git a/helpers/basic_auth/MSNT/denyusers.c b/helpers/basic_auth/MSNT/denyusers.c
index 661f5a7eb5..fd44f2f3a6 100644
--- a/helpers/basic_auth/MSNT/denyusers.c
+++ b/helpers/basic_auth/MSNT/denyusers.c
@@ -31,7 +31,10 @@ Read_denyusers(void)
 memset(&DenyUsers, '\0', sizeof(DenyUsers));
 init = 1;
 }
- return Read_usersfile(Denyuserpath, &DenyUsers);
+ if (*Denyuserpath)
+ return Read_usersfile(Denyuserpath, &DenyUsers);
+ else
+ return 0;
 }
 static void
diff --git a/helpers/basic_auth/MSNT/msntauth.c b/helpers/basic_auth/MSNT/msntauth.c
index 8b939eb206..5b01892400 100644
--- a/helpers/basic_auth/MSNT/msntauth.c
+++ b/helpers/basic_auth/MSNT/msntauth.c
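Review bot: In `Read_allowusers` the new empty-path branch returns 0 without touching `AllowUsers`, so if the `allowusers` directive is removed from msntauth.conf and the helper reloads its configuration, the previously loaded list presumably stays in force; the same applies to `DenyUsers` in the `Read_denyusers` hunk of denyusers.c. Resetting the list in that branch would make an unset directive really mean "no list", for example `memset(&AllowUsers, '\0', sizeof(AllowUsers));` before `return 0;`, provided the structure owns no heap memory (its definition is not visible here). A short comment such as `/* empty path: directive not set in msntauth.conf, list disabled */` would also record why 0 is returned. Both function bodies start outside their hunks, so how the return value is consumed should be checked against the callers.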
@@ -53,6 +53,7 @@ main(int argc, char **argv)
 char username[256];
 char password[256];
 char wstr[256];
+ int err = 0;
 openlog("msnt_auth", LOG_PID, LOG_USER);
 setbuf(stdout, NULL);
@@ -89,8 +90,12 @@ main(int argc, char **argv)
 if (fgets(wstr, 255, stdin) == NULL)
 break;
 /* ignore this line if we didn't get the end-of-line marker */
- if (NULL == strchr(wstr, '\n'))
- break;
+ if (NULL == strchr(wstr, '\n')) {
+ err = 1;
+ continue;
+ }
+ if (err)
+ goto error;
 /*
 * extract username and password.
@@ -118,8 +123,11 @@ main(int argc, char **argv)
 puts("ERR");
 else if (QueryServers(username, password) == 0)
 puts("OK");
- else
+ else {
+error:
 puts("ERR");
+ }
+ err = 0;
 }
 return 0;
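Review bot: The `goto error` added after the end-of-line check jumps forward into the body of the `else { error: ... }` block that the last hunk of this file introduces, which ties the oversized-line path to the middle of the authentication decision chain; replying in place is easier to audit: `if (err) { puts("ERR"); err = 0; continue; }`. The rejection is also silent, and since `openlog()` is already called at the top of `main`, a `syslog(LOG_WARNING, "oversized request line rejected");` at the same spot would leave a trace when the helper is fed overlong input. The truncation test relies on `strchr(wstr, '\n')`, so a line carrying an embedded NUL before its newline would presumably set `err` without producing a reply and move the `ERR` onto the following request; it is worth confirming that the caller escapes such bytes. The loop body starts and ends outside this hunk.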