Re: hno's auth_escape patch

----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "Robert Collins" <robert.collins@itdomain.com.au>
Cc: "Andrew Reid" <andrew.reid@plug.cx>; "Squid Developers"
<squid-dev@squid-cache.org>
Sent: Thursday, February 14, 2002 12:50 PM
Subject: Re: hno's auth_escape patch

> On Thursday 14 February 2002 01.54, Andrew Reid wrote:
>
> > I seem to recall that there was a few different people (Henrik
> > included) who thought that it'd be a good idea to do this, perhaps
> > on a permanent basis.
>
> Robert: This is your call. How should we manager usernames (and/or
> passwords) with spaces?
>
> - access.log

Are escaped already (done for NT style credentials 'foo\bar').

> - redirector interface
> - auth helper interface

These should be consistent - it makes third party coding easier.

> My patch simply URL escapes the username and password before sent to
> basic auth helpers or redirectors IIRC.
>
> Personally I think the basic auth helpers should use the Basic auth
> credentials as is, and the access.log and redirectors use the simple
> escaped form. Parsing a "login:password" line in the auth helpers is
> not significantly harder than to parse a "login<space>password" line,
> and avoids the whole mess.

I like the url escaping. It's more flexible - in that it allows the
redirectors and basic auth helpers to use the same interface. Digest is
already escaped IIRC, and there is that old patch we (you?) whipped up
for basic.

> Patches for this can be accepted into Squid-2.5 before STABLE unless
> overly intrusive or delaying the release significantly more. Once
> STABLE I am afraid we cannot change this until 2.6.

Now is good :].

Rob
Received on Wed Feb 13 2002 - 23:43:15 MST