<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>
>> If you want to do things like this safely please upgrade to Squid-4<br>
>> where the logformat codes are available. Those codes provide<br>
>> customizable escaping and quoting styles so you can set one that<br>
>> protects LDAP against these attacks to be used on the URI field value<br>
>> sent by Squid.<br>
><br>
</span>> You mean these <<a href="http://www.squid-cache.org/Doc/config/logformat/" rel="noreferrer" target="_blank">http://www.squid-cache.org/Do<wbr>c/config/logformat/</a>><br>
<span>> logformats are available to be used in acl / external acls @ squid.conf? Or?<br>
><br>
<br>
</span>Yes. I'm trying to get all the things in squid.conf that take/use a<br>
custom format to use the logformat code system. Squid-4 is the<br>
external_acl_type directive's turn.<br>
<br>
All of them are available for use in the %FORMAT field. It only depends<br>
on whether the data any given code outputs exists at the point of<br>
transaction where your ACL gets used.<br>
<span><font color="#888888"><br>
Amos<br>
<br>
</font></span></blockquote></div><div class="gmail_extra"><br></div>Cool. I've compiled the latest beta of squid4 and tested. I was able to move to "%>rd", the following works:</div><div class="gmail_extra"> <br><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span>external_acl_type ldap_HTTP %LOGIN %>rd /lib/squid/ext_ldap_group_acl ...</span></p><div><br></div><div>However when attempting to escape as described in the logformat doc:</div><div><br></div><div><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span>external_acl_type </span>ldap_HTTP<span> %<wbr>LOGIN %/>rd /lib/squid/ext_ldap_group_acl</span></p></div><div><br></div><div> I get:</div><div><br></div><div><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Aug 23 15:50:41 squid squid: Can't parse configuration token: '%/>rd'<br></p></div><div><span><br></span></div><div><span><br></span></div><div><span>Apparently "/" had not yet been implemented. I've patched it as follows:</span></div><div><span><br></span></div><div><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span>--- format/Token.cc.original<span style="white-space:pre-wrap">   </span>2016-08-23 16:19:16.627158974 +0000</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span>+++ format/Token.cc<span style="white-space:pre-wrap">     </span>2016-08-23 16:19:31.867410625 +0000</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span>@@ -343,6 +343,11 @@</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span>             ++cur;</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span>             break;</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo;min-height:13px"><span> </span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span>+        case 
'/':</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span>+            quote = LOG_QUOTE_SHELL;</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span>+            ++cur;</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span>+            break;</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span>+</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span>         default:</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span>             quote = *quoting;</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">
</p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span>             break;</span></p></div><div><span><br></span></div><div><span><br></span></div><div>The startup  error went away, squid has been so far working as expected.<span><br></span></div><div><span><br></span></div><div>Dio</div>
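Review bot: the new case '/' branch sets quote = LOG_QUOTE_SHELL, which by its name selects shell-style quoting, while the goal stated earlier in this thread is a URI field value that is safe inside an LDAP lookup. The report that the startup error went away only shows that the token now parses. Before relying on it, send a test request whose domain contains the characters that are special in an LDAP search filter (RFC 4515: *, (, ), \ and NUL) and confirm the helper receives them escaped; if it does not, a different quoting style or escaping inside the helper is needed. A one-line comment on the new case naming the quoting style it selects would also help the next reader of Token.cc.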
</div></div>
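<div>What "escaping that protects LDAP" means for a value such as the request domain handed to the helper, as an added example that is not code from Squid or from this thread. The escaping follows RFC 4515; the <code>{dom}</code> placeholder, the filter template and the sample values are assumptions constructed for the illustration.</div>

```cpp
// Added example, not Squid code: RFC 4515 escaping for an LDAP filter value.
#include <cstdio>
#include <string>

// Escape the bytes that are special inside an LDAP search filter
// (RFC 4515: '*', '(', ')', '\' and NUL) as a backslash plus two hex digits.
std::string ldapFilterEscape(const std::string &in) {
    static const char hex[] = "0123456789abcdef";
    std::string out;
    for (unsigned char c : in) {
        if (c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0') {
            out += '\\';
            out += hex[c >> 4];
            out += hex[c & 0x0f];
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

// Replace every "{dom}" (hypothetical placeholder) with the escaped value.
std::string buildFilter(const std::string &tmpl, const std::string &domain) {
    const std::string key = "{dom}";
    const std::string safe = ldapFilterEscape(domain);
    std::string out;
    std::string::size_type pos = 0, hit;
    while ((hit = tmpl.find(key, pos)) != std::string::npos) {
        out.append(tmpl, pos, hit - pos);
        out += safe;
        pos = hit + key.size();
    }
    return out.append(tmpl, pos, std::string::npos);
}

// Count '(' and ')' so a caller can check the value added no filter structure.
std::size_t parenCount(const std::string &s) {
    std::size_t n = 0;
    for (char c : s) n += (c == '(' || c == ')');
    return n;
}

int main() {
    const std::string tmpl = "(&(cn={dom})(objectClass=group))";  // constructed
    const char *samples[] = {"example.com", "a)(b=*"};             // constructed
    for (const char *d : samples) {
        const std::string f = buildFilter(tmpl, d);
        std::printf("%-12s -> %s (structure kept: %s)\n", d, f.c_str(),
                    parenCount(f) == parenCount(tmpl) ? "yes" : "no");
    }
    return 0;
}
```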