sql expansion with query string stored in attribute?

Phil Mayers p.mayers at imperial.ac.uk
Wed Oct 19 11:01:36 CEST 2011


On 10/19/2011 08:41 AM, Fajar A. Nugraha wrote:

> has the complete safe_characters needed. Turns out FR uses the
> safe_characters from the LAST instantiated sql instance. Manually
> putting the sql instances in instantiate section of radiusd.conf, with
> the one containing safe_characters I want last, works as expected.

Yeah, that's a tedious bug that's hard to solve. The "sql_xlat" function 
calls "radius_xlat" and supplies "sql_escape_func" as the final 
argument; unfortunately the "escape functions" you can pass to 
"radius_xlat" just get the input string and output buffer - they don't 
get any per-module config, so making the safe_characters per-module is 
tricky.

I did have some patches making the escape function (but not the 
safe_characters) selectable and offering "\xAA" as well as "raw" i.e. no 
escaping. The latter was intended for use with Postgres' dollar-quoted 
strings e.g.

select * from foo where bar=$tag$this is the string$tag$

Are you using postgres? If so, you could try to abuse this feature by 
making EVERY character safe, then perform the escaping yourself by doing 
this:

update request {
   SQL-Query := "select * from foo where bar=$tag$%{User-Name}$tag$"
   SQL-Result := "%{sql:%{SQL-Query}}"
}

It's not the most secure option; someone could contrive to get the 
string "$tag$; drop table foo" into a radius field, but if you can be 
sure this won't happen (e.g. sanitise it) it might work.
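As an added illustration (not code from this mail or from FreeRADIUS), the Python below models the dollar-quoting trick in the post: it builds the same query the unlang snippet would, splits the result into top-level statements while treating $tag$...$tag$ as opaque, and shows that an ordinary apostrophe is harmless inside the literal while a value containing the terminator breaks out of it. The "sanitise it" step is modelled as a check that rejects any attribute containing the terminator. The sample values and the safe_characters string are constructed for the example; the latter is a typical sql.conf default and is an assumption, not something the thread states.

```python
# Added example: model of the Postgres dollar-quoting trick from the post.
# Not FreeRADIUS code; the tag, sample values and safe_characters are assumptions.

TAG = "tag"  # the static tag used in the unlang: $tag$%{User-Name}$tag$

# Assumed default safe_characters from a typical sql.conf (not from the thread).
SAFE_CHARACTERS = ("@abcdefghijklmnopqrstuvwxyz"
                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /")

# Constructed sample attribute values.
SAMPLE_PLAIN = "O'Brien"
# Extends the "$tag$; drop table foo" idea from the post by re-opening the
# literal at the end so the whole batch is syntactically well formed.
SAMPLE_PAYLOAD = "$tag$; drop table foo; select $tag$"


def unsafe_characters(value, safe_characters=SAFE_CHARACTERS):
    """Characters the normal sql escape function would have to rewrite.

    Shows why the post says to make EVERY character safe: with a normal
    safe_characters list both ' and $ get escaped, and $tag$ in the query
    template would never survive intact."""
    return sorted({c for c in value if c not in safe_characters})


def dollar_quote(value, tag=TAG):
    """Wrap value in $tag$...$tag$ with no character-level escaping."""
    delim = "$%s$" % tag
    return delim + value + delim


def is_safe_attribute(value, tag=TAG):
    """The 'sanitise it' step: refuse values that contain the terminator."""
    return ("$%s$" % tag) not in value


def build_query(user_name, tag=TAG):
    """Equivalent of: SQL-Query := "select * from foo where bar=$tag$%{User-Name}$tag$"

    Raises ValueError instead of building a query that can break out."""
    if not is_safe_attribute(user_name, tag):
        raise ValueError("attribute contains the dollar-quote terminator")
    return "select * from foo where bar=" + dollar_quote(user_name, tag)


def split_statements(sql, tag=TAG):
    """Split on ';' outside $tag$...$tag$ literals, like a SQL parser would.

    Used only to show how many statements the server would see."""
    delim = "$%s$" % tag
    parts, buf, inside, i = [], [], False, 0
    while i < len(sql):
        if sql.startswith(delim, i):
            inside = not inside
            buf.append(delim)
            i += len(delim)
            continue
        ch = sql[i]
        if ch == ";" and not inside:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def demo():
    """Return (statements for a plain value, statements for the unsanitised payload)."""
    plain = split_statements(build_query(SAMPLE_PLAIN))
    # What happens if the terminator check is skipped, i.e. every character is
    # safe and nothing else is done: the payload closes the literal itself.
    unchecked = "select * from foo where bar=" + dollar_quote(SAMPLE_PAYLOAD)
    return plain, split_statements(unchecked)


if __name__ == "__main__":
    print("needs escaping normally:", unsafe_characters(SAMPLE_PLAIN),
          unsafe_characters(SAMPLE_PAYLOAD))
    plain, injected = demo()
    print("plain value ->", len(plain), "statement(s)")
    print("unchecked payload ->", len(injected), "statement(s):", injected)
    try:
        build_query(SAMPLE_PAYLOAD)
    except ValueError as exc:
        print("sanitiser rejected payload:", exc)
```

The apostrophe in O'Brien never needs escaping under dollar-quoting, which is the attraction of the trick; the cost is that the single string $tag$ becomes the one thing that must be kept out of every attribute that reaches the query, because once it appears the rest of the value is parsed as SQL.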

