1.1.7 sqlippool %{SQL-User-Name}

Alan DeKok aland at deployingradius.com
Tue Jul 17 11:52:50 CEST 2007


Peter Nixon wrote:
> Alan. Can you help out here? From memory I am seeing the same thing in cvs 
> head. I ended up commenting out the username part of the query as I don't 
> actually do anything based on username in my system. It definitely needs to 
> be %{SQL-User-Name} though, as I was getting escape characters as the 
> username from some users and it was blowing up the sql queries. (HUGE 
> GAPING SECURITY HOLE)
> 
> Is there something special we need to do in rlm_sqlippool to get access 
> to %{SQL-User-Name}?

  Yes.  Call sql_set_user().  Patch is attached.

  Also, the sqlippool_expand() function could be done better.  The use
of single-character values is awkward.  Instead, it should register an
xlat() function, to allow things like %{sqlippool:Pool-Name}.

  Hmm... that could be in the server core, come to think of it.

  Alan DeKok.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sql.patch
Type: text/x-patch
Size: 2461 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20070717/e4af227c/attachment.bin>
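
The difference between expanding the raw username and an escaped copy into a query, as an added example (not code from this thread, the attached patch, or FreeRADIUS itself). The helper names, the allow-list, the =XX encoding, the table name and the sample username are all assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed allow-list: bytes outside it are rewritten as =XX (hex). */
static const char *allowed =
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /";

/* Hypothetical helper: escaped copy of in; returns length, or -1 if out is too small. */
static int escape_user(char *out, size_t outlen, const char *in)
{
    size_t len = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        int safe = (unsigned char)*in >= 32 && strchr(allowed, *in) != NULL;
        size_t need = safe ? 1 : 3;
        if (len + need + 1 > outlen) return -1;   /* keep room for the NUL */
        if (safe) out[len] = *in;
        else snprintf(out + len, 4, "=%02X", (unsigned char)*in);
        len += need;
    }
    out[len] = '\0';
    return (int)len;
}

/* Hypothetical mini-expander: replace the first occurrence of key in tmpl with val. */
static int expand(char *out, size_t outlen, const char *tmpl, const char *key, const char *val)
{
    const char *p = strstr(tmpl, key);
    int n = p ? snprintf(out, outlen, "%.*s%s%s", (int)(p - tmpl), tmpl, val, p + strlen(key))
              : snprintf(out, outlen, "%s", tmpl);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;   /* -1 on truncation */
}

/* Number of single quotes in q; an odd count means a string literal was left open. */
static int count_quotes(const char *q)
{
    int n = 0;
    for (; *q; q++) n += (*q == '\'');
    return n;
}

int main(void)
{
    const char *user = "o'brien\\";   /* constructed User-Name: a quote and a backslash */
    char esc[64], raw_q[160], safe_q[160];
    if (escape_user(esc, sizeof esc, user) < 0) return 1;
    expand(raw_q, sizeof raw_q, "SELECT ip FROM pool WHERE username = '%{User-Name}'", "%{User-Name}", user);
    expand(safe_q, sizeof safe_q, "SELECT ip FROM pool WHERE username = '%{SQL-User-Name}'", "%{SQL-User-Name}", esc);
    printf("%s  (quotes: %d)\n%s  (quotes: %d)\n", raw_q, count_quotes(raw_q), safe_q, count_quotes(safe_q));
    return 0;
}
```
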

