If anyone is interested, I updated the workaround FTP credential patch for
2.10.1.1. The previous one bombed on URLs with email addresses in them. This
one will probably bomb someplace else :)
7/9/2009 ftp patch:
--- /root/dans-bak/src/HTTPHeader.cpp 2009-06-13 14:10:15.000000000 -0500
+++ /root/dansguardian-2.10.1.1/src/HTTPHeader.cpp 2009-07-09 17:29:16.000000000
-0500
@@ -402,7 +402,7 @@
// modifies the URL in all relevant header lines after a regexp search and
replace
// setURL Code originally from from Ton Gorter 2004
void HTTPHeader::setURL(String &url) {
- String hostname;
+ String hostname,credentials;
bool https = (url.before("://") == "https");
int port = (https ? 443 : 80);
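Review bot: `credentials` is declared at the top of setURL() in `String hostname,credentials;` but is only assigned and read in the credential block of the following hunk. Declaring it next to that block would keep its scope tight, and the separate `credentials="";` assignment becomes unnecessary if String default-constructs to empty. If the declaration stays here, add the space after the comma to match the surrounding style.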
@@ -420,12 +420,18 @@
}
hostname = hostname.before(":"); // chop off the port bit
}
+ //Restore stripped credentials
+ credentials="";
+ if (header.front().after("://").before(hostname.toCharArray()).contains("@"))
{ // Contains a username:password combo
+ credentials = header.front().after("://").before(hostname.toCharArray());
+ }
+
#ifdef DGDEBUG
std::cout << "setURL: header.front() changed from: " << header.front() <<
std::endl;
#endif
if (!https)
- header.front() = header.front().before(" ") + " " + url + " " +
header.front().after(" ").after(" ");
+ header.front() = header.front().before(" ") + " " + url.before("://") + "://"
+ credentials + url.after("://") + " " + header.front().after(" ").after(" ");
else
// Should take form of "CONNECT example.com:443 HTTP/1.0" for SSL
header.front() = header.front().before(" ") + " " + hostname + ":" +
String(port) + " " + header.front().after(" ").after(" ");
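Review bot: The added `if` relies on `before(hostname.toCharArray())`, which cuts at the first occurrence of the hostname in the request line. A login that itself contains the hostname (an e-mail address used as the FTP username on the same domain, for instance) is therefore truncated there, and only a partial `user@` is written back into the URL. Bounding the search to the authority (the text between `://` and the next `/`) and splitting on its last `@` would remove the dependency on `hostname`. That also covers the case where `hostname` is derived from the rewritten `url` and no longer occurs in the original request line, where the result depends on what before() returns for a missing substring. Two smaller points: `header.front().after("://").before(hostname.toCharArray())` is evaluated twice and could be stored once, and with DGDEBUG defined the unchanged `std::cout` line prints the original request line including the password, which is worth masking.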
--- In dansguardian@yahoogroups.com, "brentwilliams" <brentwilliams@...> wrote:
>
> Thanks to some helpful insight from Chuck Kollars, here's what I have so far. This pertains to dansguardian-2.10.1.1.
>
> In HTTPHeader.cpp, checkheader seems to be calling seturl more frequently than in the previous version. It looks like it now calls it for all outgoing while previously it only did for a url that ended in a dot (so the credentials being stripped would be less noticeable).
>
> I did a stock compile of dansguardian-2.10.1.1 with debug on using both the current HTTPHeader and the previous HTTPHeader and could see that user:pass@ is stripped from ftp://user:pass@... in the latest version by seturl.
>
> Below is a demonstrative workaround/patch for HTTPHeader (remember I said demonstrative - it worked on the three sites I checked :). I am not using this workaround in production yet.
>
> I am leaning toward this being a bug. Does anyone else see this problem? Does anyone see potential pitfalls to the workaround below?
>
> Thanks!
>
> --- /root/dans-bak/src/HTTPHeader.cpp 2009-06-13 14:10:15.000000000 -0500
> +++ HTTPHeader.cpp 2009-06-13 21:03:21.000000000 -0500
> @@ -402,7 +402,7 @@
> // modifies the URL in all relevant header lines after a regexp search and
replace
> // setURL Code originally from from Ton Gorter 2004
> void HTTPHeader::setURL(String &url) {
> - String hostname;
> + String hostname,credentials;
> bool https = (url.before("://") == "https");
> int port = (https ? 443 : 80);
>
> @@ -420,12 +420,17 @@
> }
> hostname = hostname.before(":"); // chop off the port bit
> }
> + // Save user:pass
> + credentials="";
> + if (header.front().contains("@")) {
> + credentials = header.front().after("://").before("@")+"@";
> + }
>
> #ifdef DGDEBUG
> std::cout << "setURL: header.front() changed from: " << header.front() <<
std::endl;
> #endif
> if (!https)
> - header.front() = header.front().before(" ") + " " + url + " " +
header.front().after(" ").after(" ");
> + header.front() = header.front().before(" ") + " " + url.before("://") +
"://" + credentials + url.after("://") + " " + header.front().after(" ").after("
");
> else
> // Should take form of "CONNECT example.com:443 HTTP/1.0" for SSL
> header.front() = header.front().before(" ") + " " + hostname + ":" +
String(port) + " " + header.front().after(" ").after(" ");
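Review bot: `header.front().contains("@")` tests the whole request line, so an `@` anywhere in the path or query string (an e-mail address in a parameter, say) triggers the branch. `after("://").before("@")` then copies the host and path up to that `@` into `credentials` and prepends it to the rewritten URL. The check should look only at the authority part, i.e. the text between `://` and the first following `/`, before deciding that a `user:pass@` prefix is present.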
>
>
>
> --- In dansguardian@yahoogroups.com, "brentwilliams" <brentwilliams@> wrote:
> >
> > Additional info: this is on single-homed CentOS 5.3 system non-transparent setup
> >
> > --- In dansguardian@yahoogroups.com, "brentwilliams" <brentwilliams@> wrote:
> > >
> > > I had just recently been using dansguardian 2.10.1.1 and encountered a problem where ftp urls in this form ftp://user:pass@ were showing the squid can't login in error page (it shows user anonymous in the error). I use dans and squid on the same box and when I packet captured 127.0.0.1 it looks like dans is stripping out the user:pass. I rolled back to 2.10.0.3 and do not have the error. Exact same configs for both versions. Am I missing something or is this a possible bug?
> > >
> > > Thanks!
> > >
> >
>