SQL-User-Name in %{sql:..} expansion

Matthew Newton mcn4 at leicester.ac.uk
Thu May 19 01:40:49 CEST 2016

On Wed, May 18, 2016 at 10:18:01AM -0400, Arran Cudbard-Bell wrote:
> > 
> > Probably the easiest way without radius_xlat calling some sort of
> > module "pre-xlat" function before doing the xlat. Or having a
> > "delayed expansion" flag which tells radius_xlat not to expand
> > anything and to let the module do it. But I guess that's what
> > happened before; it was probably fixing all the \\\\\\\\ escaping
> > madness that broke this...
> SQL-User-Name is only useful because it expands to the group
> being processed.  For everything else the xlat escape function
> will prevent injection attacks.


So is it worth removing the sql_set_user() call from sql_xlat so
that the xlat doesn't add SQL-User-Name?

As it's not available to use in the actual xlat it seems like it's
just a side effect that's confusing. It's still available in other
sql calls of course.


Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

More information about the Freeradius-Users mailing list