On Sat, 22 Apr 2000, Brian Morris wrote:

> The error occurs when the user places an apostrophe somewhere in their
> username - even though there is not one in their user record on our system,
> Radiator will still let them in.  (eg:  Username johnsmith logs in as
> johnsmit'h )
> 
> The accounting record is written as johnsmit'h so effectively the user does
> not get billed for their usage.

And I thought it was just our external auth program.

Actually, what I noticed was that if they use a string of random
characters other than [a-z], [0-9], [-], [_], they are being allowed.
Among the successful logins were accounts with more than 15 characters,
and those with characters other than those allowed.  

We only discovered it about two weeks ago, so you can imagine how many
successful logins were made without being accounted.  Tsktsk.  What I did
was prune the username strings to their barest minimum, removing all
characters which are not allowed, and THEN check our database for auth and
acct purposes.

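# fold to lower case
RewriteUsername tr/A-Z/a-z/
# keep only the part before the first @
RewriteUsername s/^([^@]+).*/$1/
# delete every character outside a-z, 0-9, - and _
RewriteUsername tr/0-9a-z\-_//cd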

Seemed to work.  Whereas our pops were usually 95% full, it went down to
at most 85%.




Sincerely, 

Froilan C. Mendoza      
Manager - Systems Management
Tridel Technologies, Inc.
http://www.tridel.net
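
Added example, not part of the original message and not Radiator's own code: the Perl below applies the same three rewrite steps (with the allowed set written as plain tr ranges) to constructed login names, then uses the one canonical string for both the account lookup and the accounting total. The helper name, the sample account and attempts, and the 15-character limit check are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: the three rewrite steps, in the order given above.
sub canonical_username {
    my ($name) = @_;
    $name =~ tr/A-Z/a-z/;         # fold to lower case
    $name =~ s/^([^@]+).*/$1/;    # keep only the part before the first @
    $name =~ tr/0-9a-z\-_//cd;    # delete everything outside the allowed set
    return $name;
}

# Constructed stand-in for the user database: one real account.
my %users = (johnsmith => 1);
my %usage;    # accounting seconds, keyed by canonical name

# Constructed login attempts: [username as sent, session seconds].
my @attempts = (
    ['johnsmith',             600],
    ["johnsmit'h",            900],    # the apostrophe case from the report
    ['JohnSmith@example.net', 300],
    ['john|smith',            120],
    ["'\@example.net",         60],    # nothing left after pruning
    ['johnsmith-extra-long-name', 30], # longer than 15 characters
);

for my $attempt (@attempts) {
    my ($sent, $secs) = @$attempt;
    my $key = canonical_username($sent);

    # Refuse empty or over-long results and unknown accounts.
    if ($key eq '' || length($key) > 15 || !exists $users{$key}) {
        printf "%-28s -> %-28s REJECT\n", $sent, "'$key'";
        next;
    }

    # Auth and accounting use the same key, so usage lands on the real account.
    $usage{$key} += $secs;
    printf "%-28s -> %-28s ACCEPT\n", $sent, "'$key'";
}

printf "%s billed for %d seconds\n", $_, $usage{$_} for sort keys %usage;
```

The point of the design is that the string checked against the database and the string written to the accounting record are produced by the same function, so a variant spelling cannot authenticate as one name and be billed as another.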



