Can unlang do this?

Chris cjl at viptalk.net
Thu Apr 24 21:42:38 CEST 2008


On Apr 24, 2008, at 11:57 AM, Alan DeKok wrote:

> Chris wrote:
>> I guess the trick is fixing it (breaking it?) so this works without
>> opening up any vectors for injection attacks.  Would it be safe to
>> exclude the "control" list from being escaped like this?  It seems
>> that only attributes in the request and proxy-request lists would be
>> the real problems.
>
>  Yes and no.  The best way is via a "tainted" flag, like Perl.  But
> that involves a lot more work.
>

Certainly better from my perspective to work within the current
capabilities.  I've pared what would have been about six different
ldap modules per redundant server down to two, so I'm happy.  I
*could* probably get it down to one but I don't think the extra
complexity to do so would outweigh the gains.

>> Would it have been so difficult to say "man unlang see update"
>> instead of just "man unlang"?  You spent more time complaining about
>> the way I asked the question than it would have taken to answer it. ;)
>
>  Exactly.
>
>  I wish to emphasize *thinking* and *reading*.  Answering questions by
> cutting & pasting portions of the documentation is a disservice to
> everyone.  It has its appeal, but it's wrong.

Hardly suggesting a cut-and-paste, but okay.

Thanks again for the help.
