Escaping of User Names

Peter Nixon listuser at peternixon.net
Mon Feb 5 13:33:03 CET 2007


Hi Guys

Well, my lovely users have managed to find a bug. I am trying to figure out 
at present if I am doing something wrong in sqlippool or if there is a 
general problem with rlm_sql or more specifically rlm_sql_postgresql.

I have 2 users sending me weird usernames. One is "?AZq?/?" and the other 
is "*?Z?�?-�"

Now, I authorise my users on this system based on other attributes, and do no 
actual authentication so the username is ignored. I could just delete the 
username part from the queries and it would solve the problem for me, but 
that's beside the point.

The main sql auth and acct is working fine, however sqlippool is throwing the 
following error:

Error: sqlippool_command: database query error in: 'UPDATE radippool   SET 
expiry_time = 'now'::timestamp(0) + '3600 seconds'::interval   WHERE 
nasipaddress = '217.31.232.36' AND pool_key = '038153' AND username 
= '?AZq?/?''   AND callingstationid = 'username' AND framedipaddress 
= '10.11.10.28''

The errors Postgresql shows in the log are:
2007-02-05 14:22:59 EET saaas raduser ERROR:  invalid byte sequence for 
encoding "UTF8": 0x85
2007-02-05 14:23:26 EET saaas raduser ERROR:  invalid byte sequence for 
encoding "UTF8": 0x87

The actual query in question is:

 alive-update = "UPDATE radippool \
  SET expiry_time = 'now'::timestamp(0) + '${lease-duration} seconds'::interval \
  WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' AND username = '%{SQL-User-Name}' \
  AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"

Does anyone know what is going wrong?


-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
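
Added example, not part of the original post and not FreeRADIUS code: the PostgreSQL log above rejects bytes 0x85 and 0x87 as invalid UTF-8, so this sketch shows one way to neutralise such bytes, along with quotes and backslashes, before a User-Name is placed inside a quoted SQL literal. The function names, the safe-character set and the =XX encoding are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of the well-formed UTF-8 sequence at s (1-4), or 0 if malformed.
 * Requires n >= 1. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    size_t len, i;
    if (s[0] < 0x80) return 1;
    if (s[0] >= 0xC2 && s[0] <= 0xDF) len = 2;
    else if (s[0] >= 0xE0 && s[0] <= 0xEF) len = 3;
    else if (s[0] >= 0xF0 && s[0] <= 0xF4) len = 4;
    else return 0;                      /* stray continuation byte, e.g. 0x85 */
    if (len > n) return 0;              /* truncated sequence */
    for (i = 1; i < len; i++)
        if ((s[i] & 0xC0) != 0x80) return 0;
    /* reject overlong forms, surrogates and code points above U+10FFFF */
    if (s[0] == 0xE0 && s[1] < 0xA0) return 0;
    if (s[0] == 0xED && s[1] > 0x9F) return 0;
    if (s[0] == 0xF0 && s[1] < 0x90) return 0;
    if (s[0] == 0xF4 && s[1] > 0x8F) return 0;
    return len;
}

/* Hypothetical helper: make a raw User-Name safe to place inside '...'.
 * Returns the escaped length, or -1 if out is too small. */
static int escape_username(const unsigned char *in, size_t inlen,
                           char *out, size_t outlen)
{
    static const char safe[] = "@abcdefghijklmnopqrstuvwxyz"
                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /";
    size_t i = 0, o = 0;
    if (outlen == 0) return -1;
    while (i < inlen) {
        size_t len = utf8_seq_len(in + i, inlen - i);
        if (o + 5 > outlen) return -1;  /* room for the longest unit + NUL */
        if (len > 1) {                  /* well-formed multibyte: keep as is */
            memcpy(out + o, in + i, len);
            o += len; i += len;
        } else if (len == 1 && in[i] != 0 && strchr(safe, in[i])) {
            out[o++] = (char)in[i++];
        } else {                        /* quote, backslash, '=', NUL, bad byte */
            o += (size_t)sprintf(out + o, "=%02X", in[i++]);
        }
    }
    out[o] = '\0';
    return (int)o;
}
```

For the constructed input bytes 41 5A 71 85 2F 27 this yields AZq=85/=27, which is valid UTF-8 and contains no quote that could end the SQL literal early.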