"+" string converted to "=2B" in SQL request

Tony LEMEUNIER Tony.Lemeunier at novelcom.fr
Mon Mar 5 17:28:33 CET 2018


Hi Alan,

And thanks for your reply.
My radius is on private LAN, so no risk.

Best Regards,

Tony LEMEUNIER
 
On 05/03/2018 17:23, « Freeradius-Users on behalf of Alan DeKok » <freeradius-users-bounces+tony.lemeunier=novelcom.fr at lists.freeradius.org on behalf of aland at deployingradius.com> wrote:

    On Mar 5, 2018, at 11:13 AM, Tony LEMEUNIER <Tony.Lemeunier at novelcom.fr> wrote:
    > I'm using Freeradius 3.0.12 with backend MySQL.
    > 
    > I customized my SQL groupreply request like this:
    > 
    > authorize_group_reply_query = "\
    > 	SELECT id, groupname, attribute, \
    > 	value, op \
    > 	FROM ${groupreply_table} \
    > 	WHERE groupname = '%{${group_attribute}}' AND value LIKE '%%%{Called-Station-Id}%%' \
    > 	ORDER BY id"
    > 
    > %{Called-Station-Id} can be a phone number like +33567897654, and the request sent to MySQL is:
    > 
    > SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = GROUP' AND value LIKE '%=2B33567897654%' ORDER BY id
    > 
    > The '+' string was converted to '=2B'.
    
      Yes.  For security.  Otherwise, any user could do an SQL injection attack.
    
    > How can I preserve the + string?
    
      See raddb/mods-config/sql/main/mysql/queries.conf
    
      Uncomment, and edit the "safe_characters" string.
    
      And then watch people pwn your database.  Because there's no separate list of safe characters for SELECT versus INSERT.
    
      We're working on fixing this for v4.
    
      i.e. you're better off *not* putting the "+" into the DB.
    
      Alan DeKok.
    
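Added example (not code from the thread or from FreeRADIUS itself): a small Python model of rlm_sql's safe_characters escaping, showing why "+" becomes "=2B", why the LIKE pattern then stops matching, and the two ways out that Alan describes (widening safe_characters, which applies to every query, versus keeping the "+" out of the DB). The default safe_characters string is assumed from the 3.0 queries.conf.

```python
import re

# Assumed 3.0 default from raddb/mods-config/sql/main/mysql/queries.conf
DEFAULT_SAFE = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"


def sql_escape(value: str, safe_characters: str = DEFAULT_SAFE) -> str:
    """Model of rlm_sql escaping: every byte not in safe_characters becomes =XX (hex)."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte < 0x80 and ch in safe_characters:
            out.append(ch)
        else:
            out.append("=%02X" % byte)
    return "".join(out)


def group_reply_query(groupname: str, called_station_id: str,
                      safe_characters: str = DEFAULT_SAFE) -> str:
    """Expand the customised authorize_group_reply_query the way the xlat does.

    Both %{...} expansions go through the same escape function, which is the
    point: there is one safe_characters list for SELECT and INSERT alike."""
    return ("SELECT id, groupname, attribute, value, op FROM radgroupreply "
            "WHERE groupname = '%s' AND value LIKE '%%%s%%' ORDER BY id"
            % (sql_escape(groupname, safe_characters),
               sql_escape(called_station_id, safe_characters)))


def like_contains(stored_value: str, needle: str) -> bool:
    """What MySQL's LIKE '%needle%' decides for one stored radgroupreply.value."""
    return needle in stored_value


def normalize_msisdn(number: str) -> str:
    """Alan's advice: keep the '+' out of the DB and match on digits only.

    Apply this both when rows are inserted and before the lookup, so the
    stored value and the escaped search pattern stay identical."""
    return re.sub(r"\D", "", number)


if __name__ == "__main__":
    print(group_reply_query("GROUP", "+33567897654"))
    # With the '+' in the DB the escaped pattern no longer matches the row:
    print(like_contains("+33567897654", sql_escape("+33567897654")))
    # With '+' stripped on both sides the lookup works again, and quotes
    # still get neutralised:
    print(like_contains(normalize_msisdn("+33567897654"),
                        sql_escape(normalize_msisdn("+33567897654"))))
    print(sql_escape("O'Brien"))
```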
