Re: [squid-users] Usernames with whitespace

From: Tim Neto <tneto@dont-contact.us>
Date: Fri, 07 Jan 2005 10:13:29 -0500

Hello Andrew,

What external authentication helper are you using? LDAP, SAMBA, or ... ???

The helper program needs to be upgraded to effectively respond with
"ERR" to these type of requests.

Tim

-----------------------------------------------------------
Timothy E. Neto
 Computer Systems Engineer Komatsu Canada Limited
 Ph#: 905-625-6292 x265 1725B Sismet Road
 Fax: 905-625-6348 Mississauga, Canada
 E-Mail: tneto@komatsu.ca L4W 1P9
-----------------------------------------------------------

apmailist@free.fr wrote:

>Hi,
>
>
>Putting a whitespace prefix or suffix in the username at authentication time
>causes :
>
> - acl's based on username to be circumvented
> - access.log analysis to be fooled.
>
>This is because a "%20" is put in place of the whitespace :
> %20username
>or username%20
>
>
>Is there a rule or option to reject all usernames containing a whitespace ?
>Or should I put a special ACL to deny access to those users who put a whitespace
>by mistake?
>The best would be that Squid asks for a username/passwd until it is valid (good
>pair && no whitespace) so that the end-user doesn't get confused.
>IE : "my password is accepted , but I get a Forbidden Access page"
>
>(I could'nt find anything in the archives or FAQ, maybe I didn't use the correct
>keywords ? - %20, username, whitespace, space, or blank)
>
>
>
>Thanks for your help,
>
>Andrew.
>
>
>
>
Received on Fri Jan 07 2005 - 08:13:20 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:35 MST