>> If you want to do things like this safely please upgrade to Squid-4
>> where the logformat codes are available. Those codes provide
>> customizable escaping and quoting styles so you can set one that
>> protects LDAP against these attacks to be used on the URI field value
>> sent by Squid.
>
> You mean these <http://www.squid-cache.org/Doc/config/logformat/>
> logformats are available to be used in acl / external acls @ squid.conf? Or?
>
Yes. I'm trying to get all the things in squid.conf that take/use a
custom format to use the logformat code system. Squid-4 is the
external_acl_type directive's turn.
All of them are available for use in the %FORMAT field. It only depends
on whether the data any given code outputs exists at the point of
transaction where your ACL gets used.
Amos
external_acl_type ldap_HTTP %LOGIN %>rd /lib/squid/ext_ldap_group_acl ...
However when attempting to escape as described in the logformat doc:
external_acl_type ldap_HTTP %
I get:
Aug 23 15:50:41 squid squid: Can't parse configuration token: '%/>rd'
Apparently "/" had not yet been implemented. I've patched it as follows:
--- format/Token.cc.original 2016-08-23 16:19:16.627158974 +0000
+++ format/Token.cc 2016-08-23 16:19:31.867410625 +0000
@@ -343,6 +343,11 @@
++cur;
break;
+ case '/':
+ quote = LOG_QUOTE_SHELL;
+ ++cur;
+ break;
+
default:
quote = *quoting;
break;
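Review bot: the new case '/' only makes the token parser accept the modifier and set quote = LOG_QUOTE_SHELL; nothing in this hunk shows that the output side applies that quoting style to the value handed to the external ACL helper. A clean startup confirms parsing only, so before relying on it, inspect the helper's input line for a request whose %>rd value contains spaces, quotes and backslashes. Shell-style backslash escaping is also not the same as LDAP filter escaping (RFC 4515), so check that this style actually neutralises the characters the LDAP helper treats as special. A one-line comment on the new case stating which quoting style '/' selects would match what the logformat documentation describes.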
The startup error went away, squid has been so far working as expected.
Dio