xlat expansion of absent VPs

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Jun 17 20:53:35 CEST 2013


On 17 Jun 2013, at 19:19, Alan DeKok <aland at deployingradius.com> wrote:

> Arran Cudbard-Bell wrote:
>> I have to agree. If an attribute doesn't exist then it should expand to "",
>> that's the behaviour i'm used to too.
> 
>  For me, it's a major security issue.  Silently missing an attribute is
> bad.

I guess for things like command line arguments, yes, it would be.

If it's a security issue arguably the entire expansion should fail, and we should force the user to deal with cases where an attribute may be NULL by specifying alternative static values.

In a rather contrived case you could have someone using a shell script to verify an unsupported type of hash.

They pass

/bin/mysuperhash %{sql:SELECT user FROM users WHERE username='%{User-Name}'} %{Hashed-Password-Attribute}

Username isn't found. /bin/mysuperhash _ 0x1111111111

Anywhere that wants to expand config:Cleartext-Password would have the same issue. If it's not going to be null string it shouldn't be anything else either.

I don't see this as a usability issue because in the majority of cases an '_' isn't going to be what the admin wanted either.

> 
>> Previously the xlat code wrongly treated zero length expansions as errors,
>> this might of been the original reason for returning a one char expansion.
> 
>  No, the zero-length expansion issue was a temporary problem during the
> re-write of the new code.

No, in a bunch of places radius_xlat()! was treated as an error. 

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team



More information about the Freeradius-Devel mailing list