> >> If you want to do things like this safely please upgrade to Squid-4
> >> where the logformat codes are available. Those codes provide
> >> customizable escaping and quoting styles so you can set one that
> >> protects LDAP against these attacks to be used on the URI field value
> >> sent by Squid.
> >
> > You mean these <http://www.squid-cache.org/Doc/config/logformat/>
> > logformats are available to be used in acl / external acls @ squid.conf?
> > Or?
> >
>
> Yes. I'm trying to get all the things in squid.conf that take/use a
> custom format to use the logformat code system. Squid-4 is the
> external_acl_type directive's turn.
>
> All of them are available for use in the %FORMAT field. It only depends
> on whether the data any given code outputs exists at the point of
> transaction where your ACL gets used.
>
> Amos
>

Cool. I've compiled the latest beta of squid4 and tested. I was able to move to "%>rd", the following works:

external_acl_type ldap_HTTP %LOGIN %>rd /lib/squid/ext_ldap_group_acl ...

However when attempting to escape as described in the logformat doc:

external_acl_type ldap_HTTP %LOGIN %/>rd /lib/squid/ext_ldap_group_acl

I get:

Aug 23 15:50:41 squid squid: Can't parse configuration token: '%/>rd'

Apparently "/" had not yet been implemented. I've patched it as follows:

--- format/Token.cc.original 2016-08-23 16:19:16.627158974 +0000 +++ format/Token.cc 2016-08-23 16:19:31.867410625 +0000 @@ -343,6 +343,11 @@ ++cur; break; + case '/': + quote = LOG_QUOTE_SHELL; + ++cur; + break; + default: quote = *quoting; break;

The startup error went away, squid has been so far working as expected.

Dio
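
Review bot: The new `case '/'` in format/Token.cc sets `quote = LOG_QUOTE_SHELL` with no comment saying which escaping style the `/` modifier is meant to select; add a one-line comment so the mapping can be checked against the logformat documentation. The hunk only touches parsing of the modifier, so the startup error going away does not by itself show that the value is escaped on output: check what ext_ldap_group_acl actually receives for `%/>rd` when the domain contains quote or backslash characters. Since the stated goal in the thread is protecting the LDAP lookup, also confirm that the shell-style quoting selected here covers the characters that are significant in an LDAP filter, because nothing in these lines is LDAP-specific.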

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users