versat / cntlm

Cntlm is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy intended to help you break free from the chains of Microsoft proprietary world. More info on http://cntlm.sourceforge.net/ website. This version also supports: SSPI (on Windows, NTLM authentication only), Kerberos authentication, IPv6, proxy PAC files.
GNU General Public License v2.0

Misleading comments in cntlm.conf #115

Closed hongxuchen closed 4 weeks ago

hongxuchen commented 1 month ago

In the default cntlm.conf, there are comments like:

```
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.
```

Although it is true that there is no need to use URL escape characters (e.g., `%40` for `@`), it is nevertheless necessary to double-quote some special characters like `#` and `;`, which is mentioned clearly in cntlm's man page.

> Proxy account password. As with any other option, the value (password) can be enclosed in double quotes (") in case it contains special characters like spaces, pound signs, etc.

> Configuration file is basically an INI file, except there are no "=" between keys and values. It comprises of whitespace delimited keyword and value pairs. Apart from that, there are sections as well, they have the usual "[section_name]" syntax. Comment begins with a hash "#" or a semicolon ";" and can be anywhere in the file. Everything after the mark up until EOL is a comment. Values can contain any characters, including whitespace. You can use double quotes around the value to set a string containing special characters like spaces, pound signs, etc. No escape sequences are allowed in quoted strings.

Therefore, when the password contains special characters like `#` or `;`, it will ignore the subsequent characters. So `Password XXX#YYY` will be treated as `Password XXX`, and the correct configuration is `Password "XXX#YYY"`.
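A lint for the truncation described above, as an added example (not cntlm's own parser and not code from this thread): it models the man page rules quoted in the issue and reports unquoted values where a `#` or `;` sits directly against the preceding character. The sample config is constructed, and treating an unterminated quote as an unquoted value is an assumption.

```python
import re

# Constructed sample; the option names are cntlm's, the values are made up.
SAMPLE = '''\
Username  testuser
Password  XXX#YYY
Domain    corp   # trailing comment
Proxy     "10.0.0.41:8080"
Password  "XXX#YYY"
[section]
; full-line comment
Password  abc;def
'''

MARK = re.compile(r"[#;]")  # comment marks named in the man page

def parse_line(line):
    """Model of the man page rules: return (key, value, dropped) or None.

    'dropped' is the text lost to a comment mark that is glued to the
    preceding character, i.e. a mark that was probably meant as data.
    """
    s = line.strip()
    if not s or s[0] in "#;[":          # blank, comment or section header
        return None
    parts = s.split(None, 1)            # whitespace-delimited key and value
    key, rest = parts[0], (parts[1] if len(parts) == 2 else "")
    if rest.startswith('"') and '"' in rest[1:]:
        # Quoted value: taken literally, no escape sequences.
        return key, rest[1:rest.index('"', 1)], ""
    m = MARK.search(rest)               # assumption: unterminated quote lands here
    if not m:
        return key, rest, ""
    cut = m.start()
    glued = cut > 0 and not rest[cut - 1].isspace()
    return key, rest[:cut].rstrip(), (rest[cut:] if glued else "")

def find_truncated(text):
    """Return [(lineno, key, kept_len, dropped_len)]; never the value itself."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed and parsed[2]:
            findings.append((n, parsed[0], len(parsed[1]), len(parsed[2])))
    return findings

if __name__ == "__main__":
    for n, key, kept, lost in find_truncated(SAMPLE):
        print(f"line {n}: {key} keeps {kept} chars, loses {lost}; quote the value")
```

The findings carry only the key and lengths, so the output can go into a ticket or CI log without leaking the secret. A mark preceded by whitespace is treated as an intended comment, so a password containing ` #` is not caught by this heuristic.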

fralken commented 1 month ago

Hello @hongxuchen, how would you correct the comments in the cntlm.conf?

hongxuchen commented 1 month ago

@fralken I prefer to provide more valid configuration examples in the comments, especially for those necessary options like Password; for the comprehensive usage, it's better to direct users to the man page or online documentation. For Password, I suggest:

> No URL escape encoding is needed. For example, `123@xyz` is parsed literally, do not use `123%40xyz` where `%40` is the encoding of `@`. In case the password contains special characters like spaces (` `), pound signs (`#`), etc., it should be enclosed in double quotes (`"`). For example, `123#xyz` should be `"123#xyz"`. See cntlm's man page for more details.

fralken commented 1 month ago

Hello @hongxuchen, would you like to prepare a PR with this change?

hongxuchen commented 4 weeks ago

> Hello @hongxuchen, would you like to prepare a PR with this change?

PR added

fralken commented 4 weeks ago

thanks! fixed by #117