From 0bd9aa82f397180ed63a9ec66f9c3c70128b5125 Mon Sep 17 00:00:00 2001
From: hno <>
Date: Fri, 15 Nov 2002 20:26:59 +0000
Subject: [PATCH] Deny forwarding of unproxyable authentication schemes NTLM Negotiate
---
 src/client_side_reply.cc | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc
index b14ae1cf52..64f51d8256 100644
--- a/src/client_side_reply.cc
+++ b/src/client_side_reply.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: client_side_reply.cc,v 1.24 2002/10/26 04:57:29 adrian Exp $
+ * $Id: client_side_reply.cc,v 1.25 2002/11/15 13:26:59 hno Exp $
 *
 * DEBUG: section 88 Client-side Reply Routines
 * AUTHOR: Robert Collins (Originally Duane Wessels in client_side.c)
@@ -1256,6 +1256,23 @@ clientBuildReplyHeader(clientReplyContext *context, HttpReply * rep)
 httpHeaderPutInt(hdr, HDR_AGE,
 squid_curtime - http->entry->timestamp);
 }
+ /* Filter unproxyable authentication types */
+ if (http->log_type != LOG_TCP_DENIED &&
+ (httpHeaderHas(hdr, HDR_WWW_AUTHENTICATE) || httpHeaderHas(hdr, HDR_PROXY_AUTHENTICATE))) {
+ HttpHeaderPos pos = HttpHeaderInitPos;
+ HttpHeaderEntry *e;
+ while ((e = httpHeaderGetEntry(hdr, &pos))) {
+ if (e->id == HDR_WWW_AUTHENTICATE || e->id == HDR_PROXY_AUTHENTICATE) {
+ const char *value = strBuf(e->value);
+ if ((strncasecmp(value, "NTLM", 4) == 0 &&
+ (value[4] == '\0' || value[4] == ' '))
+ ||
+ (strncasecmp(value, "Negotiate", 9) == 0 &&
+ (value[9] == '\0' || value[9] == ' ')))
+ httpHeaderDelAt(hdr, pos);
+ }
+ }
+ }
 /* Handle authentication headers */
 if (request->auth_user_request)
 authenticateFixHeader(rep, request->auth_user_request, request,
-- 
2.47.3
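Review bot: The scheme test inside the added `while` loop compares only the first token of each header value (`strncasecmp(value, "NTLM", 4)` / `"Negotiate", 9`) and accepts only `'\0'` or a single space after it. A field that lists several comma-separated challenges with NTLM or Negotiate after the first one (constructed example: `Basic realm="x", NTLM`), or that uses a tab after the scheme name, is therefore still forwarded with the unproxyable scheme in it. To make the filter complete the loop should examine every challenge in the field and strip or rewrite the field when any of them is NTLM/Negotiate; until then a comment such as `/* NOTE: only the first challenge of each field is inspected */` would keep the limitation visible. It would also help to confirm that `strBuf(e->value)` cannot be NULL for an empty header value before it reaches `strncasecmp` (not visible from this hunk), and to document next to the `LOG_TCP_DENIED` test why locally generated denials are exempt. clientBuildReplyHeader begins and ends outside the hunk, so handling of a 401/407 left with no challenge at all cannot be judged from here.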