Hello,
I got a complaint from an authentication helper author because his
helper crashes Squid with a "NA NT_STATUS_NO_SUCH_USER *\n" response
that lack a "token" field or kv-pair. The corresponding fatalf() is in
auth/negotiate/UserRequest.cc:
> case HelperReply::Error: {
> Note::Pointer messageNote = reply.notes.find("message");
> Note::Pointer tokenNote = reply.notes.find("token");
> if (tokenNote == NULL) {
> /* protocol error */
> fatalf("authenticateNegotiateHandleReply: *** Unsupported helper response ***, '%s'\n", reply.other().content());
> break;
> }
I tried to understand whether this fatalf() is intentional but failed.
As far as I can tell, the helper documentation on wiki says these
self-contradictory things:
NA: Deprecated by ERR result from Squid-3.4 onwards.
token: Negotiate authenticator interface requires it on NA responses.
token: This field must not be sent on ERR responses.
token=...: This field is only used on OK responses.
The trunk code appears to say these things:
* ERR and NA results are treated the same way
* ERR and NA negotiate results require a token kv pair
Could somebody with better authentication and helper knowledge clarify
whether the token field is indeed required for Nagotiate ERR and NA
responses? If not, can we just remove the above quoted fatalf() blob and
make the following line conditional on the token presence?
> lm_request->server_blob = xstrdup(tokenNote->firstValue());
Thank you,
Alex.
Received on Tue Feb 12 2013 - 21:42:00 MST
This archive was generated by hypermail 2.2.0 : Wed Feb 13 2013 - 12:00:08 MST