SMBC_parse_path doesn't seem to handle special characters
eduardo at kienetz.com
Sat Jan 23 23:32:25 MST 2010
On Sat, Jan 23, 2010 at 5:31 AM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:
> On Tue, Jan 19, 2010 at 05:30:09PM -0600, Eduardo Kienetz wrote:
> > Everything was just perfect on my tests, until my boss took my code to
> > put in the production server. He tested and it wouldn't work, which we
> > soon figured to be due to his password containing a special character
> > (in this case a slash /).
> While your patch does solve a problem, and we probably have
> to solve this, putting the password into the url is from my
> point of view almost never a good idea.
Agreed, but the bottom line is that that's supported, because some developer
had [good?] reasons to do so, and it doesn't work right :)
Whoever uses it that way should make sure all proper security measures are
in place, etc.
BTW, many people use it (plaintext passwords) in a much worse way, like
saving it in cron jobs (for backups), etc.
> declares some smbclient_auth_func. I could not see the
> definition of that function, but that is the recommended way
> to catch the password.
It doesn't really matter since at the end (smbc_opendir, etc) I'll still
need to pass it in plaintext, besides it's a web-based application anyway.
However I wouldn't recommend its use without encryption (SSL or in a VPN).
What am I missing?
Right now I'm using it for a web-based shares browser, completely locked
from the outside world (internal network/VPN only).
> How is that supposed to work in libsmbclient-php?
Like I said, I forked this from the previous maintainer and adapted it to my
needs (extra functions + warnings fixed). Since it worked perfectly for what
I wanted (this Friday I just made it hide passwords when printing logs), I
didn't bother analyzing anything else. I'll take a look and try to find out
how smbclient_auth_func can benefit libsmbclient-php.
If you have anything to contribute in that sense, please let me know, I'm
new to the "samba development world".
Anyway, I don't know if I'm bothering 'incentivising' discussions about
libsmbclient-php, so I've created a Google Group for it at
http://groups.google.com/group/libsmbclient-php just in case, so if someone
feels bothered let me/us know.
P.S.: it looks like I'll have to create a
"get_last_token_no_ltrim_talloc()", so that I can use it in libsmb_path.c
instead of next_token_no_ltrim_talloc(ctx, &p, &userinfo, "@"). That's to
support parsing URLs with passwords containing @ (clarifying what I said in
my first e-mail).
Eduardo Bacchi Kienetz
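
The first-'@' versus last-'@' split mentioned in the P.S., as an added example (not code from this message or from Samba's libsmb_path.c). `split_userinfo` and `parses_as` are hypothetical helpers, the URL text is constructed, and splitting at the last '@' assumes no '@' appears in the server, share or path part.

```c
#include <stdio.h>
#include <string.h>

struct smb_userinfo {
    char user[64];
    char password[64];
    const char *rest;              /* input just past the chosen '@' */
};

/* Hypothetical helper, not a Samba function: split "user[:password]@rest"
 * at the first '@' (use_last == 0) or at the last '@' (use_last != 0).
 * Returns 0 on success, -1 if no '@' is present or a field is too long. */
static int split_userinfo(const char *p, int use_last, struct smb_userinfo *out)
{
    const char *at = use_last ? strrchr(p, '@') : strchr(p, '@');
    const char *colon;
    size_t ulen, plen;

    if (at == NULL)
        return -1;
    /* The user name ends at the first ':' inside the userinfo, if any. */
    colon = memchr(p, ':', (size_t)(at - p));
    ulen = colon ? (size_t)(colon - p) : (size_t)(at - p);
    plen = colon ? (size_t)(at - colon - 1) : 0;
    if (ulen >= sizeof(out->user) || plen >= sizeof(out->password))
        return -1;
    memcpy(out->user, p, ulen);
    out->user[ulen] = '\0';
    if (colon != NULL)
        memcpy(out->password, colon + 1, plen);
    out->password[plen] = '\0';
    out->rest = at + 1;
    return 0;
}

/* Returns 1 when password and remainder match the expected strings. */
static int parses_as(const char *p, int use_last, const char *pw, const char *rest)
{
    struct smb_userinfo ui;
    return split_userinfo(p, use_last, &ui) == 0 &&
           strcmp(ui.password, pw) == 0 && strcmp(ui.rest, rest) == 0;
}

int main(void)
{
    /* Constructed input: the part of an smb:// URL after the scheme. */
    const char *p = "alice:p@ss/w0rd@fileserver/share";
    printf("first '@' split ok: %d\n", parses_as(p, 0, "p@ss/w0rd", "fileserver/share"));
    printf("last  '@' split ok: %d\n", parses_as(p, 1, "p@ss/w0rd", "fileserver/share"));
    return 0;
}
```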