------------------------------------------------------------ revno: 12431 revision-id: squid3@treenet.co.nz-20121230074320-tmgtpf8tbdbji2g7 parent: squid3@treenet.co.nz-20121230073150-88eirnv3sxkkaa0t author: Markus Moeller , Amos Jeffries committer: Amos Jeffries branch nick: 3.3 timestamp: Sun 2012-12-30 00:43:20 -0700 message: Various Kerberos helper updates * Use rfc1738 escapes for negotiate_kerberos logging and kerberos_ldap_group. * Include the option for kerberos_ldap_group to read group information from stdin (squid config file list) instead of a command line argument. ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20121230074320-tmgtpf8tbdbji2g7 # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # testament_sha1: 9604e9d64f76e80435feffd7e3ebcf1b89617631 # timestamp: 2012-12-30 07:54:14 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # base_revision_id: squid3@treenet.co.nz-20121230073150-\ # 88eirnv3sxkkaa0t # # Begin patch === modified file 'helpers/external_acl/kerberos_ldap_group/Makefile.am' --- helpers/external_acl/kerberos_ldap_group/Makefile.am 2011-03-14 06:08:24 +0000 +++ helpers/external_acl/kerberos_ldap_group/Makefile.am 2012-12-30 07:43:20 +0000 @@ -24,6 +24,7 @@ ext_kerberos_ldap_group_acl_LDFLAGS = ext_kerberos_ldap_group_acl_LDADD = \ + $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ $(LDAPLIB) \ $(LBERLIB) \ === modified file 'helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc' --- helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc 2012-08-28 13:00:30 +0000 +++ helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc 2012-12-30 07:43:20 +0000 @@ -32,6 +32,7 @@ #include "squid.h" #include "helpers/defines.h" #include "util.h" +#include "rfc1738.h" #ifdef HAVE_LDAP 
@@ -226,7 +227,8 @@ main(int argc, char *const argv[]) { char buf[6400]; - char *user, *domain; + char *user, *domain, *group; + char *up=NULL, *dp=NULL, *np=NULL; char *nuser, *nuser8 = NULL, *netbios; char *c; int opt; @@ -334,11 +336,17 @@ } debug((char *) "%s| %s: INFO: Starting version %s\n", LogTime(), PROGRAM, KERBEROS_LDAP_GROUP_VERSION); + int gopt = 0; if (create_gd(&margs)) { - debug((char *) "%s| %s: FATAL: Error in group list: %s\n", LogTime(), PROGRAM, margs.glist ? margs.glist : "NULL"); - SEND_ERR(""); - clean_args(&margs); - exit(1); + if ( margs.glist != NULL ) { + debug((char *) "%s| %s: FATAL: Error in group list: %s\n", LogTime(), PROGRAM, margs.glist ? margs.glist : "NULL"); + SEND_ERR(""); + clean_args(&margs); + exit(1); + } else { + debug((char *) "%s| %s: INFO: no group list given expect it from stdin\n", LogTime(), PROGRAM); + gopt = 1; + } } if (create_nd(&margs)) { debug((char *) "%s| %s: FATAL: Error in netbios list: %s\n", LogTime(), PROGRAM, margs.nlist ? margs.nlist : "NULL"); @@ -370,12 +378,18 @@ if (c) { *c = '\0'; } else { - SEND_ERR(""); + SEND_ERR("Invalid input. CR missing"); debug((char *) "%s| %s: ERR\n", LogTime(), PROGRAM); continue; } - user = buf; + user = strtok(buf, " \n"); + if (!user) { + debug((char *) "%s| %s: INFO: No Username given\n", LogTime(), PROGRAM); + SEND_ERR("Invalid request. No Username"); + continue; + } + rfc1738_unescape(user); nuser = strchr(user, '\\'); if (!nuser) nuser8 = strstr(user, "%5C"); 
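Review bot: Inside the new `if ( margs.glist != NULL )` branch the FATAL line still formats `margs.glist ? margs.glist : "NULL"`, which is now always the first alternative; `debug((char *) "%s| %s: FATAL: Error in group list: %s\n", LogTime(), PROGRAM, margs.glist);` says the same thing without the dead ternary. The INFO text `no group list given expect it from stdin` reads awkwardly and `gopt` is only ever 0/1, so `bool gopt = false;` and `no group list given, expecting it on stdin` would match how it is used later in main(). main() continues outside this hunk.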
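Review bot: Once `rfc1738_unescape(user);` has run, the `strstr(user, "%5C")` fallback two lines below can only match input that arrived double-encoded (`%255C`), so a literal `%5C` surviving in a decoded username is now treated as a NetBIOS separator; if the fallback existed only for the encoded form it should go, otherwise a comment should say why it is kept. `strtok(buf, " \n")` here is paired with a later `strtok(NULL, " \n")` for the group token in the same loop, so nothing in between may call `strtok()` on another string — worth a one-line comment at this call. `SEND_ERR("Invalid input. CR missing")` names CR while `c` appears to come from a newline search above the hunk; confirm which character is meant. main() continues outside this hunk.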
@@ -391,33 +405,62 @@ nuser = nuser8 + 3; } netbios = user; + up = xstrdup(rfc1738_escape(nuser)); + np = xstrdup(rfc1738_escape(netbios)); if (debug_enabled) - debug((char *) "%s| %s: INFO: Got User: %s Netbios Name: %s\n", LogTime(), PROGRAM, nuser, netbios); + debug((char *) "%s| %s: INFO: Got User: %s Netbios Name: %s\n", LogTime(), PROGRAM, up, np); else - log((char *) "%s| %s: INFO: Got User: %s Netbios Name: %s\n", LogTime(), PROGRAM, nuser, netbios); + log((char *) "%s| %s: INFO: Got User: %s Netbios Name: %s\n", LogTime(), PROGRAM, up, np); domain = get_netbios_name(&margs, netbios); user = nuser; + xfree(up); + xfree(np); } else if (domain) { strup(domain); *domain = '\0'; ++domain; } + up = xstrdup(rfc1738_escape(user)); + if (domain) + dp = xstrdup(rfc1738_escape(domain)); if (!domain && margs.ddomain) { domain = xstrdup(margs.ddomain); if (debug_enabled) - debug((char *) "%s| %s: INFO: Got User: %s set default domain: %s\n", LogTime(), PROGRAM, user, domain); + debug((char *) "%s| %s: INFO: Got User: %s set default domain: %s\n", LogTime(), PROGRAM, up, dp); else - log((char *) "%s| %s: INFO: Got User: %s set default domain: %s\n", LogTime(), PROGRAM, user, domain); + log((char *) "%s| %s: INFO: Got User: %s set default domain: %s\n", LogTime(), PROGRAM, up, dp); } if (debug_enabled) - debug((char *) "%s| %s: INFO: Got User: %s Domain: %s\n", LogTime(), PROGRAM, user, domain ? domain : "NULL"); + debug((char *) "%s| %s: INFO: Got User: %s Domain: %s\n", LogTime(), PROGRAM, up, domain ? dp : "NULL"); else - log((char *) "%s| %s: INFO: Got User: %s Domain: %s\n", LogTime(), PROGRAM, user, domain ? domain : "NULL"); + log((char *) "%s| %s: INFO: Got User: %s Domain: %s\n", LogTime(), PROGRAM, up, domain ? 
dp : "NULL"); + xfree(up); + xfree(dp); if (!strcmp(user, "QQ") && domain && !strcmp(domain, "QQ")) { clean_args(&margs); exit(-1); } + if (gopt) { + if ((group = strtok(NULL, " \n")) != NULL) { + debug((char *) "%s| %s: INFO: Read group list %s from stdin\n", LogTime(), PROGRAM, group); + rfc1738_unescape(group); + if (margs.groups) { + clean_gd(margs.groups); + margs.groups = NULL; + } + margs.glist = xstrdup(group); + if (create_gd(&margs)) { + SEND_ERR("Error in group list"); + debug((char *) "%s| %s: FATAL: Error in group list: %s\n", LogTime(), PROGRAM, margs.glist ? margs.glist : "NULL"); + continue; + } + } else { + SEND_ERR("No group list received on stdin"); + debug((char *) "%s| %s: FATAL: No group list received on stdin\n", LogTime(), PROGRAM); + continue; + } + } if (check_memberof(&margs, user, domain)) { SEND_OK(""); debug((char *) "%s| %s: DEBUG: OK\n", LogTime(), PROGRAM); === modified file 'helpers/external_acl/kerberos_ldap_group/support_group.cc' --- helpers/external_acl/kerberos_ldap_group/support_group.cc 2012-08-28 13:00:30 +0000 +++ helpers/external_acl/kerberos_ldap_group/support_group.cc 2012-12-30 07:43:20 +0000 @@ -42,6 +42,18 @@ return gdsp; } +void +free_gd(struct gdstruct *gdsp) +{ + while (gdsp) { + struct gdstruct *gdspn = gdsp->next; + xfree(gdsp->group); + xfree(gdsp->domain); + xfree(gdsp); + gdsp = gdspn; + } +} + char *utf8dup(struct main_args *margs); char * 
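Review bot: `dp` is only assigned when `domain` is already set, yet the `set default domain` log lines and the following `Got User: %s Domain: %s` lines read it after `domain = xstrdup(margs.ddomain)`, so on the first request `dp` is NULL and on every later request it is the pointer released by the previous iteration's `xfree(dp)` — a use-after-free read feeding the log (`dp` is declared outside the request loop in main()). Assign it when the default is applied, `dp = xstrdup(rfc1738_escape(domain));` straight after the `xstrdup(margs.ddomain)`, and clear it after freeing, `xfree(dp); dp = NULL;`, so the next iteration starts clean. In the new `if (gopt)` block, `margs.glist = xstrdup(group);` overwrites the previous request's list without releasing it; add `xfree(margs.glist);` immediately before it. main() continues outside this hunk.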
@@ -101,35 +113,24 @@ char * hex_utf_char(struct main_args *margs, int flag) { - char *up; - char *upd; - char *ul; - int a, n, nl, ival, ichar; + int ival, ichar; int iUTF2, iUTF3, iUTF4; - if (flag) { - up = margs->ulist; - } else { - up = margs->tlist; - } - + char *up = (flag ? margs->ulist : margs->tlist); if (!up) return NULL; - upd = strrchr(up, '@'); - if (upd) - a = upd - up; - else - a = strlen(up); + char *upd = strrchr(up, '@'); + size_t a = (upd ? (upd - up) : strlen(up) ); - ul = (char *) xmalloc(strlen(up)); - n = 0; - nl = 0; + char *ul = (char *) xmalloc(strlen(up)+1); + size_t n = 0; + int nl = 0; iUTF2 = 0; iUTF3 = 0; iUTF4 = 0; - while (n < (int) strlen(up)) { + while (n < strlen(up)) { if (flag && n == a) break; if (up[n] == '@') { @@ -147,15 +148,13 @@ ichar = (ival - 48) * 16; else { debug((char *) "%s| %s: WARNING: Invalid Hex value %c\n", LogTime(), PROGRAM, ival); - if (ul) - xfree(ul); + xfree(ul); return NULL; } if (n == a - 1) { debug((char *) "%s| %s: WARNING: Invalid Hex UTF-8 string %s\n", LogTime(), PROGRAM, up); - if (ul) - xfree(ul); + xfree(ul); return NULL; } ++n; @@ -168,8 +167,7 @@ ichar = ichar + ival - 48; else { debug((char *) "%s| %s: WARNING: Invalid Hex value %c\n", LogTime(), PROGRAM, ival); - if (ul) - xfree(ul); + xfree(ul); return NULL; } @@ -189,8 +187,7 @@ ul[nl] = ichar; ul[nl + 1] = '\0'; debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); - if (ul) - xfree(ul); + xfree(ul); return NULL; } } else if (iUTF3) { @@ -219,8 +216,7 @@ ul[nl] = ichar; ul[nl + 1] = '\0'; debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); - if (ul) - xfree(ul); + xfree(ul); return NULL; } } else if (iUTF4) { @@ -248,8 +244,7 @@ ul[nl] = ichar; ul[nl + 1] = '\0'; debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); - if (ul) - xfree(ul); + xfree(ul); return NULL; } } else if (ichar < 0x80) { 
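Review bot: The rewritten condition `while (n < strlen(up))` rescans the string on every iteration; now that `n` and `a` are `size_t` it is natural to hoist it next to the `a` computation, `const size_t ulen = strlen(up);` and `while (n < ulen)`. The `n == a - 1` test in the next hunk deserves a comment: when `up` begins with `@` (`a == 0`) the unsigned subtraction wraps to SIZE_MAX, which is harmless only because `n` can never reach it — the old `int` code relied on the same accident with `-1`. hex_utf_char() continues outside this hunk.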
@@ -275,8 +270,7 @@ ul[nl] = ichar; ul[nl + 1] = '\0'; debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); - if (ul) - xfree(ul); + xfree(ul); return NULL; } ++n; @@ -286,8 +280,7 @@ if (iUTF2 || iUTF3 || iUTF4) { debug((char *) "%s| %s: INFO: iUTF2: %d iUTF3: %d iUTF4: %d\n", LogTime(), PROGRAM, iUTF2, iUTF3, iUTF4); debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); - if (ul) - xfree(ul); + xfree(ul); return NULL; } if (flag && upd) @@ -299,7 +292,6 @@ create_gd(struct main_args *margs) { char *gp, *dp; - char *hp1, *hp2, *up; char *p; struct gdstruct *gdsp = NULL, *gdspn = NULL; /* @@ -321,28 +313,43 @@ * * */ - hp1 = hex_utf_char(margs, 0); - hp2 = hex_utf_char(margs, 1); - up = utf8dup(margs); + char *hp1 = hex_utf_char(margs, 0); + char *hp2 = hex_utf_char(margs, 1); + char *up = utf8dup(margs); + + // NP: will point to the start of a temporary assembly buffer used by 'p' and 'gp' + // for catenation of the hp1, hp2, and up buffer contents from above. + // necessary for xfree() because both p and gp move over the assembly area + char *gpbuf = NULL; + + // release the allocated UTF decoding buffers +#define cleanup() { \ + xfree(gpbuf); \ + xfree(hp1); \ + xfree(hp2); \ + xfree(up); \ + free_gd(gdsp); \ + } + p = up; if (hp1) { if (hp2) { if (up) { - p = (char *) xmalloc(strlen(up) + strlen(hp1) + strlen(hp2) + 2); + gpbuf = p = (char *) xmalloc(strlen(up) + strlen(hp1) + strlen(hp2) + 2); strcpy(p, up); strcat(p, ":"); strcat(p, hp1); strcat(p, ":"); strcat(p, hp2); } else { - p = (char *) xmalloc(strlen(hp1) + strlen(hp2) + 1); + gpbuf = p = (char *) xmalloc(strlen(hp1) + strlen(hp2) + 1); strcpy(p, hp1); strcat(p, ":"); strcat(p, hp2); } } else { if (up) { - p = (char *) xmalloc(strlen(up) + strlen(hp1) + 1); + gpbuf = p = (char *) xmalloc(strlen(up) + strlen(hp1) + 1); strcpy(p, up); strcat(p, ":"); strcat(p, hp1); 
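Review bot: The function-scope `#define cleanup()` is never `#undef`'d, so it remains defined for the rest of support_group.cc, and its bare `{ ... }` body is not wrapped in `do { } while (0)`, so an `if (x) cleanup(); else ...` would fail to parse; either add `#undef cleanup` after the final `return (0);` or replace the macro with a `static void` helper taking `gpbuf`, `hp1`, `hp2`, `up` and the list head. The macro also depends on `gdsp` always being the newest node whose `->next` chain reaches every earlier one, which holds only because each branch sets `gdsp->next = gdspn` before the next error check; a comment such as `/* gdsp is the newest node; its ->next chain reaches the rest, so free_gd(gdsp) frees all */` would protect that invariant. create_gd() continues outside this hunk.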
@@ -352,7 +359,7 @@ } else { if (hp2) { if (up) { - p = (char *) xmalloc(strlen(up) + strlen(hp2) + 1); + gpbuf = p = (char *) xmalloc(strlen(up) + strlen(hp2) + 1); strcpy(p, up); strcat(p, ":"); strcat(p, hp2); @@ -367,6 +374,7 @@ if (!p) { debug((char *) "%s| %s: ERROR: No groups defined.\n", LogTime(), PROGRAM); + cleanup(); return (1); } while (*p) { /* loop over group list */ @@ -377,18 +385,24 @@ if (*p == '@') { /* end of group name - start of domain name */ if (p == gp) { /* empty group name not allowed */ debug((char *) "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p); + cleanup(); return (1); } + if (dp) { /* end of domain name - twice */ + debug((char *) "%s| %s: @ is not allowed in group name %s@%s\n",LogTime(), PROGRAM,gp,dp); + cleanup(); + return(1); + } *p = '\0'; ++p; gdsp = init_gd(); - gdsp->group = gp; - if (gdspn) /* Have already an existing structure */ - gdsp->next = gdspn; + gdsp->group = xstrdup(gp); + gdsp->next = gdspn; dp = p; /* after @ starts new domain name */ } else if (*p == ':') { /* end of group name or end of domain name */ if (p == gp) { /* empty group name not allowed */ debug((char *) "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p); + cleanup(); return (1); } *p = '\0'; @@ -398,9 +412,8 @@ dp = NULL; } else { /* end of group name and no domain name */ gdsp = init_gd(); - gdsp->group = gp; - if (gdspn) /* Have already an existing structure */ - gdsp->next = gdspn; + gdsp->group = xstrdup(gp); + gdsp->next = gdspn; } gdspn = gdsp; gp = p; /* after : starts new group name */ 
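Review bot: The new duplicate-`@` diagnostic prints `dp` before the domain has been NUL-terminated, so the message shows the whole remainder of the list, and unlike its neighbours it carries no `ERROR:` tag; `debug((char *) "%s| %s: ERROR: second @ in group entry %s@%.*s\n", LogTime(), PROGRAM, gp, (int)(p - dp), dp);` fixes both. The same message shape is added to create_ls() and create_nd() in this commit and should be aligned with whatever is chosen here. create_gd() continues outside this hunk.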
@@ -410,19 +423,22 @@ } if (p == gp) { /* empty group name not allowed */ debug((char *) "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p); + cleanup(); return (1); } if (dp) { /* end of domain name */ gdsp->domain = xstrdup(dp); } else { /* end of group name and no domain name */ gdsp = init_gd(); - gdsp->group = gp; + gdsp->group = xstrdup(gp); if (gdspn) /* Have already an existing structure */ gdsp->next = gdspn; } debug((char *) "%s| %s: INFO: Group %s Domain %s\n", LogTime(), PROGRAM, gdsp->group, gdsp->domain ? gdsp->domain : "NULL"); margs->groups = gdsp; + gdsp = NULL; // prevent the cleanup() deallocating it. + cleanup(); return (0); } #endif === modified file 'helpers/external_acl/kerberos_ldap_group/support_ldap.cc' --- helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2012-08-28 13:00:30 +0000 +++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2012-12-30 07:43:20 +0000 @@ -369,19 +369,18 @@ search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); - if (ldap_filter_esc) - xfree(ldap_filter_esc); + xfree(ldap_filter_esc); if (depth > margs->mdepth) { debug((char *) "%s| %s: DEBUG: Max search depth reached %d>%d\n", LogTime(), PROGRAM, depth, margs->mdepth); + xfree(search_exp); return 0; } debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter : %s\n", LogTime(), PROGRAM, bindp, search_exp); rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, search_exp, NULL, 0, NULL, NULL, &searchtime, 0, &res); - if (search_exp) - xfree(search_exp); + xfree(search_exp); if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); 
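Review bot: The final `else` branch still guards with `if (gdspn) gdsp->next = gdspn;` while the two earlier branches of create_gd() were simplified in this commit to an unconditional `gdsp->next = gdspn;` (`gdspn` is NULL when there is no previous node); make this one match. The `gdsp = NULL; // prevent the cleanup() deallocating it.` handoff is correct but subtle — ownership of the list moves to `margs->groups` — so the comment should say that, e.g. `/* list is now owned by margs->groups; detach so cleanup() leaves it alone */`.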
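Review bot: The added `xfree(search_exp)` on the depth-limit path closes the leak, but the cheaper shape is to test `depth > margs->mdepth` before the `xmalloc`/`snprintf` that build `search_exp` (and ideally before the escaping that produces `ldap_filter_esc` above this hunk), so nothing is allocated for a search that will never run and the extra release disappears. `snprintf` is handed `filter` as its format string, so the `strlen(filter) + strlen(ldap_filter_esc) + 1` size holds only while every caller passes a literal with exactly one `%s`; a comment stating that contract at this call would help the next reader. The enclosing function starts before this hunk.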
@@ -673,22 +672,16 @@ rc = ldap_url_parse(ldapuri, &url); if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - if (ldapuri) - xfree(ldapuri); - if (url) - xfree(url); - return NULL; - } -#else -#error "No URL parsing function" -#endif - if (url) { + xfree(ldapuri); xfree(url); - url = NULL; + return NULL; } +#else +#error "No URL parsing function" +#endif + safe_free(url); rc = ldap_initialize(&ld, ldapuri); - if (ldapuri) - xfree(ldapuri); + xfree(ldapuri); if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); ldap_unbind(ld); @@ -744,22 +737,16 @@ rc = ldap_url_parse(ldapuri, &url); if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - if (ldapuri) - xfree(ldapuri); - if (url) - xfree(url); - return NULL; - } -#else -#error "No URL parsing function" -#endif - if (url) { + xfree(ldapuri); xfree(url); - url = NULL; + return NULL; } +#else +#error "No URL parsing function" +#endif + safe_free(url); rc = ldap_initialize(&ld, ldapuri); - if (ldapuri) - xfree(ldapuri); + xfree(ldapuri); if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); ldap_unbind(ld); @@ -897,7 +884,7 @@ continue; } lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds)); - lcreds->dn = bindp ? xstrdup(bindp) : NULL; + lcreds->dn = NULL; lcreds->pw = margs->ssl ? xstrdup(margs->ssl) : NULL; ldap_set_rebind_proc(ld, ldap_sasl_rebind, (char *) lcreds); if (ld != NULL) { @@ -938,9 +925,7 @@ port = atoi(p); } nhosts = get_hostname_list(margs, &hlist, 0, host); - if (host) - xfree(host); - host = NULL; + safe_free(host); for (i = 0; i < nhosts; ++i) { ld = tool_ldap_open(margs, hlist[i].host, port, ssl); 
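Review bot: On the `ldap_initialize` failure path that this hunk now falls straight into, the code still calls `ldap_unbind(ld)`; OpenLDAP's `ldap_initialize()` leaves `*ldp` untouched on failure, so unless `ld` is initialised to NULL above this hunk the unbind runs on an indeterminate handle — either drop that `ldap_unbind(ld)` or guard it with `if (ld)`. The identical parse/initialise sequence is duplicated in the -744 hunk of this file; whatever is chosen should be applied to both, and the pair is a good candidate for one static helper. The enclosing function starts before this hunk.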
@@ -967,8 +952,7 @@ } nhosts = free_hostname_list(&hlist, nhosts); - if (bindp) - xfree(bindp); + xfree(bindp); if (margs->lbind) { bindp = xstrdup(margs->lbind); } else { @@ -1005,15 +989,13 @@ search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); - if (ldap_filter_esc) - xfree(ldap_filter_esc); + xfree(ldap_filter_esc); debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter : %s\n", LogTime(), PROGRAM, bindp, search_exp); rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, search_exp, NULL, 0, NULL, NULL, &searchtime, 0, &res); - if (search_exp) - xfree(search_exp); + xfree(search_exp); if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); @@ -1121,15 +1103,13 @@ search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); - if (ldap_filter_esc) - xfree(ldap_filter_esc); + xfree(ldap_filter_esc); debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp); rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, search_exp, NULL, 0, NULL, NULL, &searchtime, 0, &res); - if (search_exp) - xfree(search_exp); + xfree(search_exp); debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y"); 
@@ -1147,15 +1127,13 @@ search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); - if (ldap_filter_esc) - xfree(ldap_filter_esc); + xfree(ldap_filter_esc); debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp); rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, search_exp, NULL, 0, NULL, NULL, &searchtime, 0, &res); - if (search_exp) - xfree(search_exp); + xfree(search_exp); max_attr_2 = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value_2); /* @@ -1187,8 +1165,10 @@ debug((char *) "%s| %s: DEBUG: Users primary group %s %s\n", LogTime(), PROGRAM, retval ? "matches" : "does not match", group); - } else + } else { + ldap_msgfree(res); debug((char *) "%s| %s: DEBUG: Did not find ldap entry for group %s\n", LogTime(), PROGRAM, group); + } /* * Cleanup */ @@ -1212,16 +1192,11 @@ krb5_cleanup(); #endif if (lcreds) { - if (lcreds->dn) - xfree(lcreds->dn); - if (lcreds->pw) - xfree(lcreds->pw); + xfree(lcreds->dn); + xfree(lcreds->pw); xfree(lcreds); } - if (bindp) - xfree(bindp); - bindp = NULL; + xfree(bindp); return (retval); - } #endif === modified file 'helpers/external_acl/kerberos_ldap_group/support_lserver.cc' --- helpers/external_acl/kerberos_ldap_group/support_lserver.cc 2012-07-02 12:14:07 +0000 +++ helpers/external_acl/kerberos_ldap_group/support_lserver.cc 2012-12-30 07:43:20 +0000 @@ -40,6 +40,18 @@ return lssp; } +void +free_ls(struct lsstruct *lssp) +{ + while (lssp) { + struct lsstruct *lsspn = lssp->next; + xfree(lssp->lserver); + xfree(lssp->domain); + xfree(lssp); + lssp = lsspn; + } +} + int create_ls(struct main_args *margs) { 
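Review bot: The `ldap_msgfree(res)` added to the new `else` branch needs checking against the `Cleanup` section that follows immediately after the hunk: if that section also releases `res`, this is now a double free, and if it does not, the `if` branch above still leaks the message. Freeing `res` once, unconditionally, after `get_attributes` has consumed it is the simpler shape, and either way `res = NULL;` after the free prevents a second `ldap_msgfree` from hitting it. The enclosing function starts before this hunk.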
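Review bot: `xfree(lcreds->dn);` here now always frees NULL, because the -884 hunk in this same commit sets `lcreds->dn = NULL` unconditionally and nothing visible assigns it afterwards; either retire the `dn` member or leave a comment at the assignment explaining that it is kept only for the `ldap_sasl_rebind` callback's expectations. The enclosing function starts before this hunk.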
@@ -73,18 +85,24 @@ if (*p == '@') { /* end of group name - start of domain name */ if (p == np) { /* empty group name not allowed */ debug((char *) "%s| %s: DEBUG: No ldap servers defined for domain %s\n", LogTime(), PROGRAM, p); + free_ls(lssp); return (1); } + if (dp) { /* end of domain name - twice */ + debug((char *) "%s| %s: @ is not allowed in server name %s@%s\n",LogTime(), PROGRAM,np,dp); + free_ls(lssp); + return(1); + } *p = '\0'; ++p; lssp = init_ls(); lssp->lserver = xstrdup(np); - if (lsspn) /* Have already an existing structure */ - lssp->next = lsspn; + lssp->next = lsspn; dp = p; /* after @ starts new domain name */ } else if (*p == ':') { /* end of group name or end of domain name */ if (p == np) { /* empty group name not allowed */ debug((char *) "%s| %s: DEBUG: No ldap servers defined for domain %s\n", LogTime(), PROGRAM, p); + free_ls(lssp); return (1); } *p = '\0'; @@ -95,8 +113,7 @@ } else { /* end of group name and no domain name */ lssp = init_ls(); lssp->lserver = xstrdup(np); - if (lsspn) /* Have already an existing structure */ - lssp->next = lsspn; + lssp->next = lsspn; } lsspn = lssp; np = p; /* after : starts new group name */ @@ -106,6 +123,7 @@ } if (p == np) { /* empty group name not allowed */ debug((char *) "%s| %s: DEBUG: No ldap servers defined for domain %s\n", LogTime(), PROGRAM, p); + free_ls(lssp); return (1); } if (dp) { /* end of domain name */ === modified file 'helpers/external_acl/kerberos_ldap_group/support_netbios.cc' --- helpers/external_acl/kerberos_ldap_group/support_netbios.cc 2012-07-02 12:14:07 +0000 +++ helpers/external_acl/kerberos_ldap_group/support_netbios.cc 2012-12-30 07:43:20 +0000 @@ -41,6 +41,18 @@ return ndsp; } +void +free_nd(struct ndstruct *ndsp) +{ + while (ndsp) { + struct ndstruct *ndspn = ndsp->next; + xfree(ndsp->netbios); + xfree(ndsp->domain); + xfree(ndsp); + ndsp = ndspn; + } +} + int create_nd(struct main_args *margs) { 
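Review bot: The new duplicate-`@` message in create_ls() prints `dp` before the domain has been terminated, so it echoes the rest of the server list, and it has no `DEBUG:`/`ERROR:` tag while every neighbouring `debug()` in this function carries one; `debug((char *) "%s| %s: DEBUG: second @ in server entry %s@%.*s\n", LogTime(), PROGRAM, np, (int)(p - dp), dp);` fixes both. The `free_ls(lssp)` calls on the error returns rely on `lssp` being the newest node with `->next` reaching the older ones, which this hunk guarantees by setting `lssp->next = lsspn` unconditionally — a short comment at the first `free_ls(lssp)` saying so would keep that invariant visible. create_ls() continues outside this hunk.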
@@ -74,18 +86,24 @@ if (*p == '@') { /* end of group name - start of domain name */ if (p == np) { /* empty group name not allowed */ debug((char *) "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p); + free_nd(ndsp); return (1); } + if (dp) { /* end of domain name - twice */ + debug((char *) "%s| %s: @ is not allowed in netbios name %s@%s\n",LogTime(), PROGRAM,np,dp); + free_nd(ndsp); + return(1); + } *p = '\0'; ++p; ndsp = init_nd(); ndsp->netbios = xstrdup(np); - if (ndspn) /* Have already an existing structure */ - ndsp->next = ndspn; + ndsp->next = ndspn; dp = p; /* after @ starts new domain name */ } else if (*p == ':') { /* end of group name or end of domain name */ if (p == np) { /* empty group name not allowed */ debug((char *) "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p); + free_nd(ndsp); return (1); } *p = '\0'; @@ -96,13 +114,13 @@ } else { /* end of group name and no domain name */ ndsp = init_nd(); ndsp->netbios = xstrdup(np); - if (ndspn) /* Have already an existing structure */ - ndsp->next = ndspn; + ndsp->next = ndspn; } ndspn = ndsp; np = p; /* after : starts new group name */ if (!ndsp->domain || !strcmp(ndsp->domain, "")) { debug((char *) "%s| %s: DEBUG: No domain defined for netbios name %s\n", LogTime(), PROGRAM, ndsp->netbios); + free_nd(ndsp); return (1); } debug((char *) "%s| %s: DEBUG: Netbios name %s Domain %s\n", LogTime(), PROGRAM, ndsp->netbios, ndsp->domain); @@ -111,6 +129,7 @@ } if (p == np) { /* empty group name not allowed */ debug((char *) "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p); + free_nd(ndsp); return (1); } if (dp) { /* end of domain name */ 
@@ -118,11 +137,11 @@ } else { /* end of group name and no domain name */ ndsp = init_nd(); ndsp->netbios = xstrdup(np); - if (ndspn) /* Have already an existing structure */ - ndsp->next = ndspn; + ndsp->next = ndspn; } if (!ndsp->domain || !strcmp(ndsp->domain, "")) { debug((char *) "%s| %s: DEBUG: No domain defined for netbios name %s\n", LogTime(), PROGRAM, ndsp->netbios); + free_nd(ndsp); return (1); } debug((char *) "%s| %s: DEBUG: Netbios name %s Domain %s\n", LogTime(), PROGRAM, ndsp->netbios, ndsp->domain); === modified file 'helpers/external_acl/kerberos_ldap_group/support_resolv.cc' --- helpers/external_acl/kerberos_ldap_group/support_resolv.cc 2012-08-28 13:00:30 +0000 +++ helpers/external_acl/kerberos_ldap_group/support_resolv.cc 2012-12-30 07:43:20 +0000 @@ -297,10 +297,10 @@ if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, PACKETSZ_MULT * NS_PACKETSZ)) < 0) { error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service); nsError(h_errno, service); - goto cleanup; + goto finalise; } } else { - goto cleanup; + goto finalise; } } if (len > PACKETSZ_MULT * NS_PACKETSZ) { 
@@ -309,70 +309,70 @@ if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, len)) < 0) { error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service); nsError(h_errno, service); - goto cleanup; + goto finalise; } if (len > olen) { error((char *) "%s| %s: ERROR: Reply to big: buffer: %d reply length: %d\n", LogTime(), PROGRAM, olen, len); - goto cleanup; + goto finalise; } } p = buffer; p += 6 * NS_INT16SZ; /* Header(6*16bit) = id + flags + 4*section count */ if (p > buffer + len) { error((char *) "%s| %s: ERROR: Message to small: %d < header size\n", LogTime(), PROGRAM, len); - goto cleanup; + goto finalise; } if ((size = dn_expand(buffer, buffer + len, p, name, sysconf(_SC_HOST_NAME_MAX))) < 0) { error((char *) "%s| %s: ERROR: Error while expanding query name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno)); - goto cleanup; + goto finalise; } p += size; /* Query name */ p += 2 * NS_INT16SZ; /* Query type + class (2*16bit) */ if (p > buffer + len) { error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class \n", LogTime(), PROGRAM, len); - goto cleanup; + goto finalise; } while (p < buffer + len) { if ((size = dn_expand(buffer, buffer + len, p, name, sysconf(_SC_HOST_NAME_MAX))) < 0) { error((char *) "%s| %s: ERROR: Error while expanding answer name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno)); - goto cleanup; + goto finalise; } p += size; /* Resource Record name */ if (p > buffer + len) { error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name\n", LogTime(), PROGRAM, len); - goto cleanup; + goto finalise; } NS_GET16(type, p); /* RR type (16bit) */ p += NS_INT16SZ + NS_INT32SZ; /* RR class + ttl (16bit+32bit) */ if (p > buffer + len) { error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name + RR type,class,ttl\n", LogTime(), PROGRAM, len); - goto cleanup; + 
goto finalise; } NS_GET16(rdlength, p); /* RR data length (16bit) */ if (type == ns_t_srv) { /* SRV record */ if (p > buffer + len) { error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name + RR type,class,ttl + RR data length\n", LogTime(), PROGRAM, len); - goto cleanup; + goto finalise; } NS_GET16(priority, p); /* Priority (16bit) */ if (p > buffer + len) { error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority\n", LogTime(), PROGRAM, len); - goto cleanup; + goto finalise; } NS_GET16(weight, p); /* Weight (16bit) */ if (p > buffer + len) { error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight\n", LogTime(), PROGRAM, len); - goto cleanup; + goto finalise; } NS_GET16(port, p); /* Port (16bit) */ if (p > buffer + len) { error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight + port\n", LogTime(), PROGRAM, len); - goto cleanup; + goto finalise; } if ((size = dn_expand(buffer, buffer + len, p, host, NS_MAXDNAME)) < 0) { error((char *) "%s| %s: ERROR: Error while expanding SRV RR name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno)); - goto cleanup; + goto finalise; } debug((char *) "%s| %s: DEBUG: Resolved SRV %s record to %s\n", LogTime(), PROGRAM, service, host); hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nh + 1)); @@ -387,7 +387,7 @@ } if (p > buffer + len) { error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight + port + name\n", LogTime(), PROGRAM, len); - goto cleanup; + goto finalise; } } if (p != buffer + len) { @@ -396,10 +396,10 @@ #else error((char *) "%s| %s: ERROR: Inconsistence message length: %d!=0\n", LogTime(), PROGRAM, buffer + len - p); #endif - goto cleanup; + goto finalise; } -cleanup: +finalise: nhosts = get_hostname_list(margs, &hp, nh, domain); debug("%s| %s: DEBUG: Adding %s to list\n", LogTime(), PROGRAM, domain); 
@@ -411,6 +411,7 @@ hp[nhosts].weight = -2; ++nhosts; +cleanup: /* Remove duplicates */ for (i = 0; i < nhosts; ++i) { for (j = i + 1; j < nhosts; ++j) { === modified file 'helpers/external_acl/kerberos_ldap_group/support_sasl.cc' --- helpers/external_acl/kerberos_ldap_group/support_sasl.cc 2012-08-28 13:00:30 +0000 +++ helpers/external_acl/kerberos_ldap_group/support_sasl.cc 2012-12-30 07:43:20 +0000 @@ -231,11 +231,7 @@ char *sasl_realm = NULL; char *sasl_authc_id = NULL; char *sasl_authz_id = NULL; -#ifdef HAVE_SUN_LDAP_SDK char *sasl_mech = (char *) "GSSAPI"; -#else - char *sasl_mech = NULL; -#endif /* * Force encryption */ === modified file 'helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc' --- helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc 2012-11-24 03:53:21 +0000 +++ helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc 2012-12-30 07:43:20 +0000 @@ -30,6 +30,7 @@ * Hosted at http://sourceforge.net/projects/squidkerbauth */ #include "squid.h" +#include "rfc1738.h" #include "compat/getaddrinfo.h" #include "compat/getnameinfo.h" @@ -458,10 +459,10 @@ *p = '\0'; } fprintf(stdout, "AF %s %s\n", token, user); - debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, token, user); + debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, token, rfc1738_escape(user)); if (log) fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(), - PROGRAM, user); + PROGRAM, rfc1738_escape(user)); goto cleanup; } else { if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log)) @@ -493,10 +494,10 @@ *p = '\0'; } fprintf(stdout, "AF %s %s\n", "AA==", user); - debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, "AA==", user); + debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, "AA==", rfc1738_escape(user)); if (log) fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(), - PROGRAM, user); + PROGRAM, rfc1738_escape(user)); } cleanup:
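Review bot: Every `goto cleanup` in this file was renamed to `goto finalise`, so the new `cleanup:` label added after `++nhosts;` has no jump targeting it in any visible hunk; if no `goto cleanup` remains elsewhere in the function the label is dead (and `-Wunused-label` will flag it) and should be removed, otherwise a comment should name the path that skips adding `domain` to the host list. The rename itself preserves the old flow — SRV parse errors still land where the old `cleanup:` was and still append `domain` — but that deserves a comment at `finalise:`, e.g. `/* finalise: reached on SRV lookup/parse errors too; the domain itself is still added */`. The enclosing function starts before this hunk.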
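Review bot: Removing the `#ifdef HAVE_SUN_LDAP_SDK` makes `sasl_mech` `"GSSAPI"` on every SDK, so the OpenLDAP build no longer passes the previous `NULL` that let the library choose a mechanism; that is a behaviour change for non-Sun builds and is not mentioned in the commit message, so add a comment here, e.g. `/* always request GSSAPI: this helper only ever binds with Kerberos credentials */`. The `(char *) "GSSAPI"` cast discards the literal's constness; `const char *sasl_mech` would avoid it if the SASL interact callback below accepts a const pointer. The enclosing function starts before this hunk.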