username logging

From: Robert Collins <robert.collins@dont-contact.us>
Date: Wed, 8 Nov 2000 09:04:47 +1100

Just a quick question: why is the username rfc 1728 escaped?

With NTLM we have valid usernames of the form domain\username, which become
domain\%5c username. The only reason I can see for escaping the username is
if users are going to view the log file directly in a web browser... and
then it should be html quoting not rfc1738 escaping (which is for URIs)...

If log analyzers show that field it's up to them to present the data safely
escaped for their media - if we escape for html but they are showing display
postscript without escaping the content, there's no guarantee that a
security issue won't occur. So I don't see any reason for squid to escape
the text when it writes the log.

In the auth_rewrite branch I have commented that out.

Rob
Received on Tue Nov 07 2000 - 14:59:00 MST
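
Added example, not part of the original message and not Squid's code: a Python sketch of what RFC 1738-style escaping does to a logged username, and of a log viewer decoding the field and then quoting it for its own output medium (HTML here). The unsafe-character set follows RFC 1738 section 2.2; the three-field log format, the function names and the sample usernames are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Characters RFC 1738 section 2.2 lists as "unsafe" (space included).
# "%" is in the set, so the encoding can be reversed without ambiguity.
RFC1738_UNSAFE = set('<>"#%{}|\\^~[]` ')


def rfc1738_escape(field: str) -> str:
    """Percent-encode unsafe, control and non-ASCII bytes of a log field."""
    out = []
    for b in field.encode("utf-8"):
        ch = chr(b)
        if b <= 0x20 or b >= 0x7F or ch in RFC1738_UNSAFE:
            out.append("%%%02X" % b)
        else:
            out.append(ch)
    return "".join(out)


def write_log_line(client: str, user: str, url: str) -> str:
    """Constructed space-delimited format: client, user, URL."""
    return " ".join((client, rfc1738_escape(user), url))


def render_html_cell(logged_user: str) -> str:
    """Log viewer side: undo the log encoding, then quote for HTML output."""
    return html.escape(unquote(logged_user))


if __name__ == "__main__":
    # Constructed sample usernames.
    for user in ("DOMAIN\\alice", "a&b", "x y<b>"):
        logged = rfc1738_escape(user)
        print(f"{user!r:18} logged={logged!r:20} html={render_html_cell(logged)!r}")
    # The backslash of an NTLM name is written as %5C in the log.
    # "&" is reserved but not "unsafe" in RFC 1738, so it is logged as-is:
    # URL escaping on write does not make the field safe for HTML display.
    print(write_log_line("10.0.0.1", "DOMAIN\\alice", "http://example.com/"))
```
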
