Re: Contribution to Squid development.

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Sat, 08 Sep 2007 00:18:51 +0200

On Thu, 2007-09-06 at 23:36 +0200, Pierangelo Masarati wrote:

> I've noticed that in Squid's main code anything following "ERR" can be
> exploited, but there's no provision for extra stuff after "OK", which
> prevents exploitation of the warning part of password policy.

HTTP does not provide any meaningful means to give successful feedback to
the user.

We could add a Warning header, but there is no standardized Warning code
to be used for this, and no user agents that look at Warning headers at
all... or maybe specify the use of an Authentication-Info header for
Basic authentication..

But it would be useful input to the group of people who are trying to get
a new revision of HTTP/1.1 done; there have been discussions about whether
the authentication framework should be included or not, and some attempts to
start collecting a list of issues with the current HTTP authentication
mechanisms..

> This
> might not be important unless Squid has any means of reporting to the
> user that an account is about to expire; however, if there's consensus,
> I'd like to look also at allowing (and exploiting) this (optional) part
> of successful response messages.

It's not hard to extend the helper protocol for this, and old Squids
will even work fine with extended helpers without the need of any
negotiation of the feature. The question is what to do with the returned
information however, and I have no good answer there..

Regards
Henrik

Received on Fri Sep 07 2007 - 16:18:57 MDT
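
The backward compatibility described in the message above, as an added C example that is not part of the original post or of Squid's source: a parser that accepts optional text after "OK" as well as after "ERR", next to a prefix-only check. All names are hypothetical, and the prefix-only check is an assumption about how an older reply handler matches "OK".

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical names; added illustration, not Squid source. */
enum helper_status { HELPER_BAD = -1, HELPER_ERR = 0, HELPER_OK = 1 };

/* Assumed legacy check: only the leading "OK" is examined. */
int legacy_is_ok(const char *reply)
{
    return reply != NULL && strncasecmp(reply, "OK", 2) == 0;
}

/* Extended parse: "OK" or "ERR", optionally followed by a space and text.
 * The text is copied into msg (at most msgsz-1 bytes) with control bytes
 * dropped, so CR/LF cannot reach a log line or a response header. */
enum helper_status parse_reply(const char *reply, char *msg, size_t msgsz)
{
    enum helper_status st;
    size_t skip, n = 0;

    if (msg != NULL && msgsz > 0) msg[0] = '\0';
    if (reply == NULL) return HELPER_BAD;

    if (strncasecmp(reply, "OK", 2) == 0) { st = HELPER_OK; skip = 2; }
    else if (strncasecmp(reply, "ERR", 3) == 0) { st = HELPER_ERR; skip = 3; }
    else return HELPER_BAD;

    /* The token must end at a space or end of line: "OKAY" is not "OK". */
    const char *p = reply + skip;
    if (*p != '\0' && *p != ' ' && *p != '\r' && *p != '\n') return HELPER_BAD;
    while (*p == ' ') p++;

    for (; *p != '\0' && msg != NULL && n + 1 < msgsz; p++)
        if (!iscntrl((unsigned char)*p)) msg[n++] = *p;
    if (msg != NULL && msgsz > 0) msg[n] = '\0';
    return st;
}

int main(void)
{
    char msg[64];
    /* Constructed sample reply from an extended helper. */
    const char *r = "OK Password expires in 3 days\r\n";
    enum helper_status st = parse_reply(r, msg, sizeof msg);
    printf("legacy=%d extended=%d msg=\"%s\"\n", legacy_is_ok(r), st, msg);
    return 0;
}
```

The prefix-only check accepts the extended reply unchanged, which is why no feature negotiation is needed; what to do with the extracted text remains the open question raised in the message.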
