Re: [squid-users] 2.4STABLE1 & authentication & FTP - BUG

From: Robert Collins <robert.collins@dont-contact.us>
Date: 10 Aug 2001 15:44:40 +1000

On 10 Aug 2001 15:06:34 +1000, Ken Thomson wrote:
> I have noticed what appears to be a bug in Squid 2.4STABLE1.
>
> If you have user authentication (i.e. an acl with proxy_auth REQUIRED set on)
> and try to access a FTP site via squid and cancel the authentication request
> windows, you can still get at any directory/file and start a file download.
> You do not need to be authenticated!
>
> The reason for this is that Squid renders the FTP directory in the browser
> prior to prompting for authentication. So you can cancel the authentication
> and proceed as normal by clicking links and continually cancelling the
> authentication requests.

That's very strange... the authentication test should be done before any
communication to the FTP server. I'd guess that what you have happening
is something like

    http_access allow ftp
    http_access deny notauthed


so that squid is actually asking you to authenticate for the graphics on
the ftp directory list, not the ftp listing itself.

> Anyone else experience this?

Nope. If you can confirm that it's not an acl issue, please try with the
current 2.5 devel version and see if it's any different.

Rob
 
> Regards,
> Ken.
Received on Thu Aug 09 2001 - 23:56:54 MDT
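
The rule ordering suspected in the reply above, next to an ordering that checks credentials first, as an added squid.conf example that is not from the original thread. The ACL names `ftp_proto` and `authed` are assumptions, and the authentication helper is assumed to be configured elsewhere in the file.

```conf
# Constructed squid.conf fragment (illustrative ACL names).
acl ftp_proto proto FTP
acl authed proxy_auth REQUIRED

# Weak ordering (shown commented out).
# http_access lines are evaluated top to bottom and the first match wins,
# so every ftp:// request is allowed before the proxy_auth ACL is ever
# consulted. Only requests that are not ftp:// (for example the icons
# referenced by the generated directory listing) reach the second line
# and trigger the credentials prompt.
#
#   http_access allow ftp_proto
#   http_access deny !authed

# Corrected ordering.
# The authentication check comes first, so an unauthenticated request is
# challenged before any protocol-specific allow rule can match.
http_access deny !authed
http_access allow ftp_proto
http_access deny all
```

With the corrected ordering, an ftp:// request sent through the proxy without credentials should be answered with 407 Proxy Authentication Required instead of a directory listing.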
