Hi,
Putting a whitespace prefix or suffix in the username at authentication time
causes:
- ACLs based on username to be circumvented
- access.log analysis to be fooled.
This is because a "%20" is put in place of the whitespace:
%20username
or username%20
Is there a rule or option to reject all usernames containing a whitespace?
Or should I put a special ACL to deny access to those users who put a whitespace
by mistake?
The best would be that Squid asks for a username/passwd until it is valid (good
pair && no whitespace) so that the end-user doesn't get confused.
i.e.: "my password is accepted, but I get a Forbidden Access page"
(I couldn't find anything in the archives or FAQ, maybe I didn't use the correct
keywords? - %20, username, whitespace, space, or blank)
Thanks for your help,
Andrew.
Received on Fri Jan 07 2005 - 06:53:22 MST
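
For the access.log side of the problem described in the message above, the following is an added example and not part of the original post: it decodes the logged user name, strips surrounding whitespace so requests are attributed to one canonical user, and lists the padded variants for review. It assumes Squid's native access.log layout with the user name in the eighth column; the sample lines, addresses and user names are constructed.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Squid's native access.log layout
# (time elapsed client result/status bytes method URL user hierarchy type).
SAMPLE_LOG = """\
1105105000.101 120 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/ andrew DIRECT/198.51.100.5 text/html
1105105001.202 95 192.0.2.10 TCP_DENIED/403 1400 GET http://example.com/a %20andrew NONE/- text/html
1105105002.303 80 192.0.2.11 TCP_MISS/200 2048 GET http://example.org/ andrew%20 DIRECT/198.51.100.6 text/html
1105105003.404 60 192.0.2.12 TCP_MISS/200 900 GET http://example.net/ carol DIRECT/198.51.100.7 text/html
"""

USER_FIELD = 7  # assumption: zero-based index of the user column (native format)


def canonical_user(raw):
    """Decode %XX escapes and strip surrounding whitespace from a logged name."""
    return unquote(raw).strip()


def has_padding(raw):
    """True when the decoded name starts or ends with whitespace."""
    decoded = unquote(raw)
    return decoded != decoded.strip()


def analyse(log_text):
    """Return (requests per canonical user, list of padded raw names seen)."""
    per_user = defaultdict(int)
    padded = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) <= USER_FIELD or fields[USER_FIELD] == "-":
            continue  # malformed line or unauthenticated request
        raw = fields[USER_FIELD]
        per_user[canonical_user(raw)] += 1
        if has_padding(raw):
            padded.append(raw)
    return dict(per_user), padded


if __name__ == "__main__":
    counts, padded = analyse(SAMPLE_LOG)
    print("requests per canonical user:", counts)
    print("padded names to review:", padded)
```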