? src/.cf.data.pre.swp
Index: helpers/basic_auth/LDAP/squid_ldap_auth.c
===================================================================
RCS file: /server/cvs-server/squid/squid/helpers/basic_auth/LDAP/squid_ldap_auth.c,v
retrieving revision 1.21.2.14
diff -u -p -r1.21.2.14 squid_ldap_auth.c
--- helpers/basic_auth/LDAP/squid_ldap_auth.c	10 Aug 2004 09:39:29 -0000	1.21.2.14
+++ helpers/basic_auth/LDAP/squid_ldap_auth.c	7 Jan 2005 20:18:40 -0000
@@ -30,6 +30,10 @@
  * or (at your option) any later version.
  *
  * Changes:
+ * 2005-01-07: Henrik Nordstrom <hno@squid-cache.org>
+ *             - Added some sanity checks on login names to avoid
+ *             users bypassing equality checks by exploring the
+ *             overly helpful match capabilities of LDAP
  * 2004-07-17: Henrik Nordstrom <hno@squid-cache.org>
  *             - Corrected non-persistent mode to only issue one
  *             ldap_bind per connection.
@@ -83,6 +87,7 @@
 #include <stdlib.h>
 #include <lber.h>
 #include <ldap.h>
+#include <ctype.h>
 
 #include "util.h"
 
@@ -261,6 +266,32 @@ open_ldap_connection(const char *ldapSer
     return ld;
 }
 
+/* Make a sanity check on the username to reject oddly typed names */
+static int
+validUsername(const char *user)
+{
+    const unsigned char *p = user;
+
+    /* Leading whitespace? */
+    if (isspace(p[0]))
+	return 0;
+    while(p[0] && p[1]) {
+	if (isspace(p[0])) {
+	    /* More than one consequitive space? */
+	    if (isspace(p[1]))
+		return 0;
+	    /* or odd space type character used? */
+	    if (p[0] != ' ')
+		return 0;
+	}
+	p++;
+    }
+    /* Trailing whitespace? */
+    if (isspace(p[0]))
+	return 0;
+    return 1;
+}
+
 int
 main(int argc, char **argv)
 {
@@ -481,6 +512,10 @@ main(int argc, char **argv)
 	}
 	rfc1738_unescape(user);
 	rfc1738_unescape(passwd);
+	if (!validUsername(user)) {
+	    printf("ERR\n");
+	    continue;
+	}
 	tryagain = (ld != NULL);
       recover:
 	if (ld == NULL && persistent)