# Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: henrik@henriknordstrom.net-20100306200338-\ # py3969agu3ccjdeh # target_branch: /home/henrik/SRC/squid/trunk/ # testament_sha1: b4225d56b5d7245eacec5a2406019e692aa00cce # timestamp: 2010-03-06 21:03:58 +0100 # base_revision_id: henrik@henriknordstrom.net-20100306194302-\ # eknq7yvpt5ygzkdz # # Begin patch === modified file 'src/auth/digest/auth_digest.cc' --- src/auth/digest/auth_digest.cc 2010-03-06 14:47:46 +0000 +++ src/auth/digest/auth_digest.cc 2010-03-06 19:48:42 +0000 @@ -50,6 +50,7 @@ #include "SquidTime.h" /* TODO don't include this */ #include "digestScheme.h" +#include "rfc1738.h" /* Digest Scheme */ @@ -935,7 +936,9 @@ safe_free(digestAuthRealm); } -AuthDigestConfig::AuthDigestConfig() : authenticateChildren(20) +AuthDigestConfig::AuthDigestConfig() : + authenticateChildren(20), + helperProtocol(DIGEST_HELPER_PROTOCOL_QUOTEDSTRING) { /* TODO: move into initialisation list */ /* 5 minutes */ @@ -978,6 +981,17 @@ parse_onoff(&PostWorkaround); } else if (strcasecmp(param_str, "utf8") == 0) { parse_onoff(&utf8); + } else if (strcasecmp(param_str, "protocol") == 0) { + char *token = NULL; + parse_eol(&token); + if (strcmp(token, "quoted")) { + helperProtocol = DIGEST_HELPER_PROTOCOL_QUOTEDSTRING; + } else if (strcmp(token, "urlescaped")) { + helperProtocol = DIGEST_HELPER_PROTOCOL_URLESCAPE; + } else { + debugs(29, 0, "unrecognised digest auth helper protocol '" << token << "'"); + } + safe_free(token); } else { debugs(29, 0, "unrecognised digest auth scheme parameter '" << param_str << "'"); } @@ -1237,10 +1251,10 @@ } /* Sanity check of the username. - * " can not be allowed in usernames until * the digest helper protocol - * have been redone + * " can not be allowed in usernames when using the old quotedstring + * helper protocol */ - if (strchr(username, '"')) { + if (helperProtocol == DIGEST_HELPER_PROTOCOL_QUOTEDSTRING && strchr(username, '"')) { debugs(29, 2, "authenticateDigestDecode: Unacceptable username '" << username << "'"); return authDigestLogUsername(username, digest_request); } @@ -1390,7 +1404,6 @@ AuthDigestUserRequest::module_start(RH * handler, void *data) { DigestAuthenticateStateData *r = NULL; - char buf[8192]; digest_user_h *digest_user; assert(user()->auth_type == AUTH_DIGEST); digest_user = dynamic_cast < digest_user_h * >(user()); @@ -1402,20 +1415,35 @@ return; } + r = cbdataAlloc(DigestAuthenticateStateData); r->handler = handler; r->data = cbdataReference(data); r->auth_user_request = this; AUTHUSERREQUESTLOCK(r->auth_user_request, "r"); + + const char *username = digest_user->username(); + char utf8str[1024]; if (digestConfig.utf8) { - char userstr[1024]; - latin1_to_utf8(userstr, sizeof(userstr), digest_user->username()); - snprintf(buf, 8192, "\"%s\":\"%s\"\n", userstr, realm); - } else { - snprintf(buf, 8192, "\"%s\":\"%s\"\n", digest_user->username(), realm); - } - - helperSubmit(digestauthenticators, buf, authenticateDigestHandleReply, r); + latin1_to_utf8(utf8str, sizeof(utf8str), username); + username = utf8str; + } + + MemBuf mb; + + mb.init(); + switch(digestConfig.helperProtocol) { + case AuthDigestConfig::DIGEST_HELPER_PROTOCOL_QUOTEDSTRING: + mb.Printf("\"%s\":\"%s\"\n", username, realm); + break; + case AuthDigestConfig::DIGEST_HELPER_PROTOCOL_URLESCAPE: + mb.Printf("%s ", rfc1738_escape(username)); + mb.Printf("%s\n", rfc1738_escape(realm)); + break; + } + + helperSubmit(digestauthenticators, mb.buf, authenticateDigestHandleReply, r); + mb.clean(); } DigestUser::DigestUser (AuthConfig *aConfig) : AuthUser (aConfig), HA1created (0) === modified file 'src/auth/digest/auth_digest.h' --- src/auth/digest/auth_digest.h 2009-12-16 03:46:59 +0000 +++ src/auth/digest/auth_digest.h 2010-03-06 16:09:24 +0000 @@ -163,6 +163,10 @@ int CheckNonceCount; int PostWorkaround; int utf8; + enum { + DIGEST_HELPER_PROTOCOL_QUOTEDSTRING, + DIGEST_HELPER_PROTOCOL_URLESCAPE + } helperProtocol; }; typedef class AuthDigestConfig auth_digest_config; === modified file 'src/cf.data.pre' --- src/cf.data.pre 2010-03-06 19:43:02 +0000 +++ src/cf.data.pre 2010-03-06 20:03:38 +0000 @@ -181,13 +181,18 @@ === Parameters for the digest scheme follow === "program" cmdline - Specify the command for the external authenticator. Such - a program reads a line containing "username":"realm" and + Specify the command for the external authenticator. + Such a program reads a line containing the username and realm and replies with the appropriate H(A1) value hex encoded or ERR if the user (or his H(A1) hash) does not exists. See rfc 2616 for the definition of H(A1). + See the protocol directive below for a description of the different + request formats sent to such helpers. "ERR" responses may optionally be followed by a error description available as %m in the returned error page. + See also + the protocol option below for description of the request/response + format. By default, the digest authentication scheme is not used unless a program is specified. @@ -226,6 +231,15 @@ auth_param digest children 20 startup=0 idle=1 + protocol quoted | urlescaped + Specifies the helper protocol to use. In the default quoted format + requests are sent on the form "username":"realm" and the use of + usernames or realms with " characters in them is forbidden. + In the urlescaped protocol format request are sent on the form + urlescape(username) urlescape(realm) + and " may be used in the login or realm if desired. + In future default may change to the newer urlescaped form. + "realm" realmstring Specifies the realm name which is to be reported to the client for the digest proxy authentication scheme (part of # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWXtrunQAChffgGQwW/f//3/n /o6////+YA9HehvsxMXYDRQAAD7uq5Zo5tdu51113F3aKpW3cUoe2Q0ESn6mJtEJ6JkZqYmhpoAA AAGhoGmhzCaA0Bo0YRoMRpiZMTQYRoGQDJgJKEJinlGjNGoNG001AGQNAAAAAAJEU0BDUwQnpqn6 IxJ4SekzQmJoB6RppoaNAIpFHpCYp/qp4TUemiYRtQaekZGhkAAAyBoIpBDQJoAQTVT8m1MRNMpv Sj1AH6oAAaD2qNBEGkRIYALKA+YTz9Ruu3KKXXaiY44DIz08gze2NvgZQzQTGy/gYl8ImpTetUiG OtXiAryBdG6G1qjxg+wfiZtR0qPca9a06cM2eCKO6Yajy2e6TWIJhQ0mIKxQtc1+/SCsmkYpzS4o XIRzQoWW4CLC9daUFNhJVSq/xOp3BLrC58gkcDBIwFzNjBdWvZ9HF8eU5meD0MXfnl4GviXIXvFq E0A222DbbZ5bP4+Aly97ptFkFdXSQqSYMbHxkybXxsqdGbmNnG7UNu2a6lQrrlw1Rlky446UVKQu /mzwagtcKqCqVB5AU9nSgFk4q7ddGWY1yse5WIxgJWqWHJTt09uu/D9jVf/S7fMkcbtNw7DKu3v5 ULZZ41oa2NIzGeek36c8oxE8KV4tjgknDR02CwlW5Yi6HqvplzRXLrdlwswxsbGMbChJkivzW4WA qscb8IL3ZjHAyFiQgEsIgkwPdFhzSOEhiYSCw1wbaERk/P47woou3GX9zMa1eSTbG6CaCTVAjD8Q FWUFQ4kO8ZGc2dM85YYz2MUUEFJyUoYSxJP8g6mfe0Aq2wh2wAQndTe+VZZQWwCpCxLoECyHmcNe ToDqnpExWsqNO1PX0a9d0c1DRVefKxXEqJGvDht83bG9z2Z+g7z3pN1CsryRptVlbumqZuj9DY0v rfjFvltz/bTQwtKZ9wnwkWkB2OyVgVaSTD1D1QfgH5g+slsMxPAbkOJ58u/LdpvxxtLXTP4AWBiO jhJ9KaAgfD5Pijy+N1Z8+XjxJSlKUoiIhuPGAsrF1hn2azVihEJ9bSVQ4kIS1WBWwpmGl2KkWxmr gLgqyGCFVorCuz8sfYeBusDgeZcbtQzV8TWhO2Aq0PnIZYF5vOB+zEteYqyJm/fMvdAuIEWxicNC DI4F5UmZl0gcRMCRiDfiQWDEkGy0KH58EPATkJzMP55SxkpnI1ilEdIdZaSkG1bIbCrsQr++FeB7 CmJmbzDQiBC8wOpu+lQ6jx4xfrLfLGXTlGo5bsS7OnEJmZkcmtRuKAyJAXhFBNC8vqYWu7yoDxMF bGJFpBom/PMrlLKgODkIfgsIJSQ2lgalUUxBbrQ0lpiSbxiElwQcT0M9XDCRrhLdOdKhJCkfG9XM YVWqvKZItc8jDHTpXdXDCZyL4Q1p0MixQ7FzgDhYtLMnoJMlS4qWqOBecBNNt9sCpayhuDU3GJkY jIINJeVF5ygvkgzl9yjK810vCiJZBIaBVyIJeBxOxwrGZQxmby8mtwzLjAxEkbFXDJWM95KVy8xw mUDacqjbcZTMPZUKXYHuHEyN7IxIC4ND9RobzEubyZ9QfeJ5id1eOWbuwxBzE2uuvhiGZ5SVuims UfShQwLjqZS7oSC7sRB3K4ZBXU7SqRkQPQzNjQoJsHM1MJn1V1DOsoJOqEuEjiDuyNjeZGZQ2Phv TPjJ4GmVv5pbLSHjBnjuEwVteeYnlafAwVsakqHE/HKsTosjgaYmJjp7CshLVMeh3uuLGuoPrEQF efgSM8Tuakjny5GpodWRIuMiRyOpieYensDY75WlwMxK0McaBcvc8okO0ydu0FxMHI72chFsQNjI SRzMCxUkrvLpweYZV6xfndHXr4kpcR3FryzvKDieKuJqWKK9i84EjnLG+DLAyOBQrxPITA376FyY 2NQvJHTkcDoYcQ5Sty2hLjdusIaGJcal5iSJFSpxOR5hzE16hx4dcEldpfQ9yU6UyuuGItzkWKlC d97fEzahQHsfKVyHIkdSBOvWIvNciMTrfoW6FTIdVC6wdS4mQWIMjEg+CHoeQnEO6+QPffka7s0n PtSJbi5YElu7XGZ1kUB5FDLEoJmXQGKOZFfEjiTQwbzQZGhyNcpGYdEnbcQaGZqOZBBkXGReXlS8 2PaHLL8Py8dnKF9XyaTNh3woQDmIHVwVoEP4BeTCWWz+vFxhsMWu2yCwDm4aX58QPAMDnCBXmGEf ITTQcg7ayhL4MlwDEhkBtihwBgNNpsG0Nqw07RdyR2CzjKY3BmJOC4NJDaG2PBiBA3uf5hvZMJdZ I2kxDaGjDxf2H6/FBXvot+ruwmJmb0cR6gtjEOitf4nOhbQ0hpQsuQnQh0oYs49CFz+plxxjSgfX 680OyH/V+v3QmS8kOiFkyQ8vINUOKH0fisksmAdkN6HjAbuaSQ5haOQuovbpTAFlnW2uySiOPqoZ UMiG2ri4ghdpNKhElBVKV8dNAbY2MXP1x2ca7fXUmooWgLIdR7D1kGJq1+wMC8rPSM4PUPtPzz4k mc+0sPR81RgWGcZ3RqobDlU8Pp2mBFzRBio9KzGvr4yP3eN4nWEHeZoVY0IKKwlpLWpH64JZvqm0 PSDQ3GVm9+IWn375iwkQ8pwlRuNhsNhWDICSs3G0tGQXyZjBMwNBuLzZ7dQtRs2+1L1CA2BhojcB MVjpMam+QxCnICuTFgjJBw4cZYRHSQkYwyyQfLc4jhLFQUk4LIIiMWUZibaoY2YeKKhSbecbRxV3 9TEe2A8Ma3E5fAQshjHMtWs1lgRDS5ohsGDoQlsN2gg3FDgMZOQrLjhL0LaQZCFig1sq+48Ti+u4 3HUuMSx1IMfDr1f7hyym3kL4MnQmpX0TjmGWPf2L1doRDa9IdivbJG/ZPP3PLfCyCatGNhJZ3SXO lLjUrGoFsKilwuYzQTyBpLnUtlwaheKidJQ1oO2FzzIh96MpIy6SER95U+JcUPMx8BhOgPgDwe8B 9wwkHXtOQ1UPkeXdSnnscjkeZleSlGeXnTyrXdBK/sT3FSX6Fc8mwTAqh7Q0GQU3WOndJWSCyoYe IaAIFMZ4RIZh7RCQr91BPP4/xVTIe92l/Vagem+6kIqhQxCzeF8kAnlGxheslAXi42NJDaUDCy8E QJ0EGXFWMhDrUfjmmHVZn8F7Kk1QXS+XBhaH2jgaNHhheIBpFdGBWKgkVk0TknqamZAP2xgUOCPS Og/0D+I9hnAn5QL5RuXiGV+7ZEMGQGGWFVrMUM8iDvIbG99RsH0Bwmzc32kqIGKLioETzAJo2EoD TpF0Hk4TCqqsUDx+Au25echDITIBwmQDhQ1BAOBkKCCE/9BAVhlSXT+XlETyCFTzoOKAjZHY3FXT 4Qd2wHLlzQbyOEoMvWQiREBAGFBjiSAi0oBA84FDhYm/mJILc0dEzarrVRqivHMc7DBAxAofxoXn Cf1uz7CDHz9SBxvWvKhqEsEtg5x1IbqsDJeHXKWgQOQPAP2KEwQP2hvXEKphDWBNwh5kv1iiPSB1 jqNOlj7R7iSAnqdIFPxEhpc/wjUdgYEz92ZmNMItKdqJWYIGHQIW+/wuEND7Vj4EW1TWg4B3BxjO B7l4cK5cTQdQNrFcqTX5UkUnIlKCn72shqNPEToE1Q5A8AYLxuhLA0LNQnFBppBApImNpLeYZbMe oTNrIfIEC0BPEVAxIUi9kE4EJQqwIZa/f9h70gOkXiQTQfw00a9L6XDIWkBXvVRCYF9C0QinaGfC maRRBoYCCLwJHvHCCBJEnfAhPenDABoJuegm5DL4fhJfaNAtAQUywgrguYYGSEokVwFbQQT8QZta EI9DWo1BgcozArHi3ArUjXHUodcOUOMTyiNaNWRZHpMB0RA24s20ZVRkNJOkpA+dnSM7VCQiHSp1 dkMcCDPzZG3A9M/Rflv0BDA6xHfwH5jQZjChNddZkYbEZbhUDQ/xfech5ol4vVC7pA8oBAxmAFmE IC4C+NOuAUsFZAg/7fmm6uXD7+WSUqgTFYo4dgLwCVB2XjqUOERjPSfR9wkvfCMA8wZVEHKY3aiH 3CZVw8JC6QmkAuEI1UPyxh8awdIYhBXFfZdnNJwvsYY1UJmYmXcLQVIgSSpAMoD5ieQfuE8VsN6N w2H9AZTYnC40GhmERl1GnpvBxHF7pjCJQHygMxiYZXB2BigOmwZZA0S8e0CEv1/Pu20UIyELCTQ/ lgnAiGEVmDpAhsO75rQHmP43nlK2dwh34Ql4E4pJ47s2cQOK0lkyaZaFhis77BKZsMQKEFP3gwRi cRgNsbb8eyJY9Ag/AFyCBa0vCl+QXlPoHZfpNWke/f2j+lXgGQPtDLVCyh7rjzHgPP0mPqP31GY9 g4CUD7PiJ3hMpvgB6hiLWBx9SY//F3JFOFCQe2u6dA==