[squid-users] dynamic group using URI as group name on external acl with ext_ldap_group_acl

Diogenes S. Jesus splash at gmail.com
Tue Aug 23 16:24:15 UTC 2016


> >> If you want to do things like this safely please upgrade to Squid-4
> >> where the logformat codes are available. Those codes provide
> >> customizable escaping and quoting styles so you can set one that
> >> protects LDAP against these attacks to be used on the URI field value
> >> sent by Squid.
> >
> > You mean these <http://www.squid-cache.org/Doc/config/logformat/>
> > logformats are available to be used in acl / external acls @ squid.conf? Or?
> >
>
> Yes. I'm trying to get all the things in squid.conf that take/use a
> custom format to use the logformat code system. Squid-4 is the
> external_acl_type directive's turn.
>
> All of them are available for use in the %FORMAT field. It only depends
> on whether the data any given code outputs exists at the point of
> transaction where your ACL gets used.
>
> Amos
>
>
Cool. I've compiled the latest beta of squid4 and tested. I was able to
move to "%>rd", the following works:


external_acl_type ldap_HTTP %LOGIN %>rd /lib/squid/ext_ldap_group_acl ...

However when attempting to escape as described in the logformat doc:

external_acl_type ldap_HTTP %LOGIN %/>rd /lib/squid/ext_ldap_group_acl

I get:

Aug 23 15:50:41 squid squid: Can't parse configuration token: '%/>rd'


Apparently "/" had not yet been implemented. I've patched it as follows:

--- format/Token.cc.original 2016-08-23 16:19:16.627158974 +0000

+++ format/Token.cc 2016-08-23 16:19:31.867410625 +0000

@@ -343,6 +343,11 @@

             ++cur;

             break;



+        case '/':

+            quote = LOG_QUOTE_SHELL;

+            ++cur;

+            break;

+

         default:

             quote = *quoting;

             break;
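
Review bot: the new case '/' branch sets quote = LOG_QUOTE_SHELL with no comment saying which escaping that style applies, and nothing in the hunk covers it with a test; add a one-line comment naming the style and a parser test for a token such as '%/>rd'. Because the value in this thread is handed to ext_ldap_group_acl, also confirm that shell-style quoting covers the characters that are special in an LDAP search filter (RFC 4515 writes *, (, ), \ and NUL as \XX hex escapes); if it does not, the helper input still needs LDAP-specific escaping.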


The startup error went away; squid has so far been working as expected.

Dio
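
Added example, not part of the original post and not Squid or ext_ldap_group_acl code: a sketch of the check a wrapper in front of the LDAP lookup could apply to the %LOGIN and %>rd values, validating the domain as a hostname and escaping both values per RFC 4515 before they reach a search filter. The function names and the filter template (posixGroup, cn, memberUid) are assumptions chosen for illustration.

```python
import re
from typing import Optional

# RFC 4515 section 3: these characters must appear as \XX hex escapes
# inside an LDAP search filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# One DNS label: letters, digits, inner hyphens, 1 to 63 characters.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(r"{0}(?:\.{0})*".format(_LABEL))


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_hostname(domain: str) -> bool:
    """Accept only values shaped like a DNS name (allow-list check)."""
    return len(domain) <= 253 and _HOSTNAME.fullmatch(domain) is not None


def group_filter(login: str, domain: str) -> Optional[str]:
    """Build the group-membership filter for (login, request domain).

    Returns None when the domain is not a plausible hostname; the caller
    should then answer ERR to Squid instead of querying LDAP.
    The filter template is an assumption for this example.
    """
    domain = domain.lower().rstrip(".")
    if not is_hostname(domain):
        return None
    return "(&(objectClass=posixGroup)(cn={})(memberUid={}))".format(
        escape_filter_value(domain), escape_filter_value(login)
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(group_filter("alice", "Intranet.Example.COM"))
    print(group_filter("alice", "not a hostname"))
```

The allow-list check rejects anything that is not a hostname before escaping is even needed; the escaping still runs so the login value is covered as well.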