[gq-commit] gq/src configfile.c,1.46,1.47 configfile.h,1.33,1.34 gq-xml.c,1.8,1.9 prefs.c,1.48,1.49
From: <sta...@us...> - 2003-10-23 07:18:46
Update of /cvsroot/gqclient/gq/src In directory sc8-pr-cvs1:/tmp/cvs-serv14562 Modified Files: configfile.c configfile.h gq-xml.c prefs.c util.c Log Message: * SECURITY: The clever guessing of binddn and password when following referrals can now be turned off (Had to introduce another preferences tab: Security) Index: configfile.c =================================================================== RCS file: /cvsroot/gqclient/gq/src/configfile.c,v retrieving revision 1.46 retrieving revision 1.47 diff -C2 -d -r1.46 -r1.47 *** configfile.c 18 Oct 2003 08:26:59 -0000 1.46 --- configfile.c 23 Oct 2003 05:26:37 -0000 1.47 *************** *** 591,594 **** --- 591,596 ---- config_write_bool(wc, cfg->restore_tabs, "restore-tabs", NULL); + config_write_bool(wc, cfg->never_leak_credentials, + "never-leak-credentials", NULL); config_write_string(wc, detokenize(token_ldifformat, cfg->ldifformat), *************** *** 770,773 **** --- 772,777 ---- cfg->restore_search_history = DEFAULT_RESTORE_SEARCHES; cfg->restore_tabs = DEFAULT_RESTORE_TABS; + + cfg->never_leak_credentials = DEFAULT_NEVER_LEAK_CREDENTIALS; return cfg; Index: configfile.h =================================================================== RCS file: /cvsroot/gqclient/gq/src/configfile.h,v retrieving revision 1.33 retrieving revision 1.34 diff -C2 -d -r1.33 -r1.34 *** configfile.h 20 Oct 2003 08:22:49 -0000 1.33 --- configfile.h 23 Oct 2003 05:26:37 -0000 1.34 *************** *** 68,71 **** --- 68,75 ---- #define DEFAULT_RESTORE_TABS 0 + /* SECURITY: The default is to NOT blindly reuse LDAP credentials for + referrals */ + #define DEFAULT_NEVER_LEAK_CREDENTIALS 1 + /* The following do not _really_ belong in here right now... 
*/ /* LDAP Timeout in seconds */ *************** *** 107,110 **** --- 111,116 ---- int restore_search_history; int restore_tabs; + + int never_leak_credentials; GHashTable *defaultDT; Index: gq-xml.c =================================================================== RCS file: /cvsroot/gqclient/gq/src/gq-xml.c,v retrieving revision 1.8 retrieving revision 1.9 diff -C2 -d -r1.8 -r1.9 *** gq-xml.c 18 Oct 2003 08:26:59 -0000 1.8 --- gq-xml.c 23 Oct 2003 05:26:37 -0000 1.9 *************** *** 229,232 **** --- 229,241 ---- } + static void never_leak_credentialsE(struct parser_context *ctx, + struct tagstack_entry *e) + { + struct gq_config *c = peek_tag(ctx->stack, 1)->data; + + int b = booleanCDATA(ctx, e); + if (b >= 0) c->never_leak_credentials = b; + } + static void ldif_formatE(struct parser_context *ctx, struct tagstack_entry *e) *************** *** 652,655 **** --- 661,669 ---- "restore-tabs", 0, NULL, restore_tabsE, + { "gq-config", NULL }, + }, + { + "never-leak-credentials", 0, + NULL, never_leak_credentialsE, { "gq-config", NULL }, }, Index: prefs.c =================================================================== RCS file: /cvsroot/gqclient/gq/src/prefs.c,v retrieving revision 1.48 retrieving revision 1.49 diff -C2 -d -r1.48 -r1.49 *** prefs.c 21 Oct 2003 04:51:06 -0000 1.48 --- prefs.c 23 Oct 2003 05:26:37 -0000 1.49 *************** *** 85,88 **** --- 85,91 ---- /* servers tab */ GtkWidget *serverstab_server_clist; + + /* security */ + GtkWidget *never_leak_credentials; }; *************** *** 119,122 **** --- 122,126 ---- struct server_windata *sw); static void create_guitab(GtkWidget *target, struct prefs_windata *); + static void create_security_tab(GtkWidget *target, struct prefs_windata *); static void template_new_callback(GtkWidget *widget, struct prefs_windata *); *************** *** 1214,1217 **** --- 1218,1224 ---- CONFIG_TOGGLE_BUTTON(config, pw, restore_tabs); + /* never_leak_credentials */ + CONFIG_TOGGLE_BUTTON(config, pw, 
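Review bot: The new struct member `int never_leak_credentials;` in configfile.h carries no comment, so a reader of the struct alone cannot tell which polarity is the safe one, even though the DEFAULT_NEVER_LEAK_CREDENTIALS definition a few lines earlier explains it. Suggest `int never_leak_credentials; /* non-zero: referrals are followed with an anonymous bind, never with the parent's credentials (see DEFAULT_NEVER_LEAK_CREDENTIALS) */`. The struct definition starts and ends outside the hunk.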
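Review bot: In `never_leak_credentialsE` an unparsable element value is dropped silently by `if (b >= 0) c->never_leak_credentials = b;`, which is the right outcome here because the value left behind is the safe default, but nothing in the function says so; a config file with a typo in `<never-leak-credentials>` quietly keeps whatever was set before. Suggest a comment above the check: `/* a malformed value keeps the current setting, i.e. the safe default from DEFAULT_NEVER_LEAK_CREDENTIALS unless an earlier element changed it */`. This assumes booleanCDATA() signals a parse failure with a negative return, which the check implies but the hunk does not show.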
never_leak_credentials); + /* LDIF: format */ for(type = 0; type < sizeof(pw->ldif_format)/sizeof(pw->ldif_format[0]); *************** *** 1248,1251 **** --- 1255,1259 ---- GtkWidget *vbox_search_options, *vbox_browse_options; GtkWidget *vbox_servers, *vbox_templates, *vbox_ldif, *vbox_gui; + GtkWidget *vbox_sec; GtkWidget *hbox_buttons, *okbutton, *cancelbutton; *************** *** 1362,1365 **** --- 1370,1382 ---- gtk_notebook_append_page(GTK_NOTEBOOK(notebook), vbox_gui, label); + /* Security tab */ + vbox_sec = gtk_vbox_new(FALSE, 0); + gtk_container_border_width(GTK_CONTAINER(vbox_sec), + CONTAINER_BORDER_WIDTH); + create_security_tab(vbox_sec, pw); + gtk_widget_show(vbox_sec); + label = gq_label_new(_("Securit_y")); + gtk_widget_show(label); + gtk_notebook_append_page(GTK_NOTEBOOK(notebook), vbox_sec, label); /* OK and Cancel buttons outside notebook */ *************** *** 1952,1955 **** --- 1969,2010 ---- } + + static void create_security_tab(GtkWidget *target, struct prefs_windata *pw) + { + GtkWidget *frame; + GtkWidget *vbox1, *button; + GtkTooltips *tips; + + tips = gtk_tooltips_new(); + + /* Persistency frame */ + frame = gtk_frame_new(_("Security")); + gtk_widget_show(frame); + gtk_box_pack_start(GTK_BOX(target), frame, FALSE, TRUE, 5); + + vbox1 = gtk_vbox_new(FALSE, 0); + gtk_container_border_width(GTK_CONTAINER(vbox1), + CONTAINER_BORDER_WIDTH); + gtk_container_add(GTK_CONTAINER(frame), vbox1); + gtk_widget_show(vbox1); + + /* Restore Window Sizes checkbox */ + button = gq_check_button_new_with_label(_("_Never leak credentials")); + pw->never_leak_credentials = button; + + if(config->never_leak_credentials) + gtk_toggle_button_set_state(GTK_TOGGLE_BUTTON(button), TRUE); + #ifdef OLD_FOCUS_HANDLING + GTK_WIDGET_UNSET_FLAGS(GTK_CHECK_BUTTON(button), GTK_CAN_FOCUS); + #endif + gtk_widget_show(button); + gtk_box_pack_start(GTK_BOX(vbox1), button, FALSE, TRUE, 5); + + gtk_tooltips_set_tip(tips, button, + _("Turn off if you want to use heuristics to find 
the credentials needed to follow referrals. The problems with these heuristics is that they may leak credential information: If you follow a referral to some untrusted server, then your currently used credentials might get sent to this untrusted server. This might allow an attacker to sniff credentials during transit to or on the untrusted server. If turned on, a referral will always use an anonymous bind."), + S_("tooltip|") + ); + + } Index: util.c =================================================================== RCS file: /cvsroot/gqclient/gq/src/util.c,v retrieving revision 1.79 retrieving revision 1.80 diff -C2 -d -r1.79 -r1.80 *** util.c 21 Oct 2003 21:01:02 -0000 1.79 --- util.c 23 Oct 2003 05:26:37 -0000 1.80 *************** *** 374,405 **** newserver = new_ldapserver(); ! copy_ldapserver(newserver, parent); ! ! g_free_and_dup(newserver->name, new_uri->str); ! g_free_and_dup(newserver->ldaphost, new_uri->str); ! g_free_and_dup(newserver->basedn, desc->lud_dn); ! ! /* some sensible settings for the "usual" case: ! Anonymous bind. Also show referrals */ ! newserver->ask_pw = 0; ! newserver->show_ref = 1; ! newserver->quiet = 1; ! ! if (open_connection_ex(newserver, &ld_err)) { ! close_connection(newserver, FALSE); ! ! statusbar_msg(_("Initialized temporary server-definition '%1$s' from existing server '%2$s'"), new_uri->str, parent->name); ! ! goto done; ! } ! if (ld_err == LDAP_SERVER_DOWN) { ! goto done; ! } ! ! /* check: do we have this server around already??? */ ! s = server_by_canon_name(new_uri->str, TRUE); ! ! if (s) { ! copy_ldapserver(newserver, s); g_free_and_dup(newserver->name, new_uri->str); --- 374,379 ---- newserver = new_ldapserver(); ! if (! config->never_leak_credentials) { ! copy_ldapserver(newserver, parent); g_free_and_dup(newserver->name, new_uri->str); *************** *** 415,423 **** if (open_connection_ex(newserver, &ld_err)) { close_connection(newserver, FALSE); ! 
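Review bot: `create_security_tab` carries two comments copied from the GUI tab that no longer describe the code: `/* Persistency frame */` above `gtk_frame_new(_("Security"))` and `/* Restore Window Sizes checkbox */` above the check button; replace them with `/* Security frame */` and `/* "Never leak credentials" checkbox */`. The tooltip string also has a number-agreement slip, `The problems with these heuristics is` should read `The problem with these heuristics is`, and since it is a translatable string this is best fixed before translators pick it up. The tooltip promises that with the option on a referral always uses an anonymous bind; that guarantee is implemented in util.c, so a one-line cross-reference comment next to `pw->never_leak_credentials = button;` would help the next maintainer keep the two in sync.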
statusbar_msg(_("Initialized temporary server-definition '%1$s' from existing server '%2$s'"), new_uri->str, s->name); goto done; } if (ld_err == LDAP_SERVER_DOWN) { goto done; } } --- 389,425 ---- if (open_connection_ex(newserver, &ld_err)) { close_connection(newserver, FALSE); ! ! statusbar_msg(_("Initialized temporary server-definition '%1$s' from existing server '%2$s'"), new_uri->str, parent->name); ! goto done; } if (ld_err == LDAP_SERVER_DOWN) { goto done; + } + + /* check: do we have this server around already??? */ + s = server_by_canon_name(new_uri->str, TRUE); + + if (s) { + copy_ldapserver(newserver, s); + + g_free_and_dup(newserver->name, new_uri->str); + g_free_and_dup(newserver->ldaphost, new_uri->str); + g_free_and_dup(newserver->basedn, desc->lud_dn); + + /* some sensible settings for the "usual" case: + Anonymous bind. Also show referrals */ + newserver->ask_pw = 0; + newserver->show_ref = 1; + newserver->quiet = 1; + + if (open_connection_ex(newserver, &ld_err)) { + close_connection(newserver, FALSE); + statusbar_msg(_("Initialized temporary server-definition '%1$s' from existing server '%2$s'"), new_uri->str, s->name); + goto done; + } + if (ld_err == LDAP_SERVER_DOWN) { + goto done; + } } } |
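Review bot: The new `if (! config->never_leak_credentials) {` guard in util.c is the whole security fix but has no comment, and the tooltip in prefs.c is the only place that states what it guarantees; add `/* SECURITY: only reuse the parent's bind credentials for the referral target when the user explicitly allowed it (see DEFAULT_NEVER_LEAK_CREDENTIALS); by default nothing is sent to a possibly untrusted referred-to server */` above it. On the guarded-off path `newserver` is left exactly as `new_ldapserver()` returned it within this hunk: the `g_free_and_dup` of name, ldaphost and basedn and the `ask_pw`/`show_ref`/`quiet` settings now only run inside the block, so the anonymous-bind path that follows (outside the hunk) must set them from `new_uri->str` and `desc->lud_dn` itself or the referral cannot be opened at all; worth confirming. The enclosing function starts and ends outside the hunk.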