Error in the external proxy authentication scheme

From: <JORDAN.HRYCAJ@dont-contact.us>
Date: Mon, 24 Aug 1998 16:28:33 +0200

Hi,
recently I found an error in the Arjan de Vet's external authenticator
patch. It
allows a user to authenticate with "<username> <password>" instead of the
single
word username. The effect is, the squid writes two (space separated) words
instead
of a single one in the log file - a bad thing if you rely on the number of
fields
while processing this log file.

I wrote a simple patch that
        - makes ncsa_auth to accept at most two words
        - has squid checked the user name against a set of predefined words

-------------- x ---------------------- x ---------------------- x
---------------
diff -rPc squid-1.1.22.patched/src/client_side.c
squid-1.1.22.ready/src/client_side.c
*** squid-1.1.22.patched/src/client_side.c Mon Aug 24 13:47:24 1998
--- squid-1.1.22.ready/src/client_side.c Mon Aug 24 12:59:46 1998
***************
*** 172,184 ****
              xstrncpy(sent_user, clear_userandpw, ICP_IDENT_SZ);
              xfree(clear_userandpw);
              if ((s = strstr(sent_user, ":")) != NULL) {
                  *s = '\0'; s++;
                  xstrncpy(icpState->ident.ident, sent_user, ICP_IDENT_SZ);
                  /* we need this in authenticate.c */
                  xstrncpy(icpState->ident.passwd, s, ICP_IDENT_SZ);
                  proxy_auth_hdr = 1;
              } else {
                  /* invalid Basic proxy authorization */
                  s = mime_get_header(icpState->request_hdr,
                                      "Proxy-authorization:");
                  debug(33, 0, "clientAccessCheck: invalid proxy authorization
header: %s\n",
--- 172,200 ----
              xstrncpy(sent_user, clear_userandpw, ICP_IDENT_SZ);
              xfree(clear_userandpw);
              if ((s = strstr(sent_user, ":")) != NULL) {
+ /* BEGIN BLOCK: USER NAME PATCH Mon Aug 24 14:59:34 CEST
1998, <jordan@mjh.teddy-net.com> */
+ # define isValidPasswdChar(c) (isalnum (c) || strchr
("-_@./*~", (c)))
+ char *p ;
+ debug(33, 5, "clientAccessCheck: validating alphanum user
name: '%s'\n", sent_user);
+ /* there must be no space character in the user name ! */
+ for (p = sent_user; *p != 0 && p != s && isValidPasswdChar
(*p); p ++)
+ ;
+ if (*p && *p != ':') {
+ s = mime_get_header(icpState->request_hdr,
+ "Proxy-authorization:");
+ debug(33, 0, "clientAccessCheck: proxy auth user name
contains non-alpha: %s\n",
+ sent_user);
+ xstrncpy(icpState->aclChecklist->auth.basic, "-:-",
ICP_IDENT_SZ);
+ } else {
+ /* END BLOCK: USER NAME PATCH Mon Aug 24 14:59:34 CEST 1998,
<jordan@mjh.teddy-net.com> */
                  *s = '\0'; s++;
                  xstrncpy(icpState->ident.ident, sent_user, ICP_IDENT_SZ);
                  /* we need this in authenticate.c */
                  xstrncpy(icpState->ident.passwd, s, ICP_IDENT_SZ);
                  proxy_auth_hdr = 1;
+ } /* LINE: USER NAME PATCH Mon Aug 24 14:59:34 CEST 1998,
<jordan@mjh.teddy-net.com> */
              } else {
                  /* invalid Basic proxy authorization */
                  s = mime_get_header(icpState->request_hdr,
                                      "Proxy-authorization:");
                  debug(33, 0, "clientAccessCheck: invalid proxy authorization
header: %s\n",
diff -rPc squid-1.1.22.patched/src/ncsa_auth.c
squid-1.1.22.ready/src/ncsa_auth.c
*** squid-1.1.22.patched/src/ncsa_auth.c Mon Aug 24 13:47:24 1998
--- squid-1.1.22.ready/src/ncsa_auth.c Mon Aug 24 11:19:14 1998
***************
*** 82,88 ****
  {
      char buf[256];
      time_t now = 0;
! char *user, *passwd;
      hash_link *hashr;
  
      if (argc != 2) {
--- 82,88 ----
  {
      char buf[256];
      time_t now = 0;
! char *user, *passwd, *trash;
      hash_link *hashr;
  
      if (argc != 2) {
***************
*** 100,107 ****
          }
          user = strtok(buf, " ");
          passwd = strtok(NULL, " \n");
          hashr = hash_lookup(hash, user);
          if (hashr &&
              strcmp(hashr->item, (char *) crypt(passwd, hashr->item)) == 0) {
              printf("OK\n");
          } else {
--- 100,109 ----
          }
          user = strtok(buf, " ");
          passwd = strtok(NULL, " \n");
+ trash = strtok(NULL, " \n");
          hashr = hash_lookup(hash, user);
          if (hashr &&
+ trash == 0 &&
              strcmp(hashr->item, (char *) crypt(passwd, hashr->item)) == 0) {
              printf("OK\n");
          } else {
------------ x ---------------------- x ---------------------- x
---------------
Jordan Hrycaj
Received on Mon Aug 24 1998 - 07:30:18 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:41:41 MST