Apostrophe in username

Stefan Winter stefan.winter at restena.lu
Tue Oct 30 16:39:54 CET 2018


Hi,

> We are using a mysql-backed v3 server and eap / peap / mschapv2.
> 
> A new user has come along whose email address contains an apostrophe,
> ('single quote' if you prefer) which is unusual but legitimate.
> 
> By default we allow users to use their email address as a username.

Sure. My mail address is stefan';DROP TABLE radacct;@somedomain.com .

> I have found the safe_characters list here:
> /etc/freeradius/mods-config/sql/main/mysql/queries.conf
> 
> Without the apostrophe in the safe_characters list, it gets encoded to
> =27 and so the db query [1] fails to find a user with that username.

If you allow ' as a "safe character" then you open yourself up to SQL
injection attacks like the above.

> With the apostrophe in the list, the query fails with "an error in your
> SQL syntax"...
> 
> Is there any way out of this conundrum except putting mime-encoded
> data in the database?

Your query should use %{SQL-User-Name} instead of just %{User-Name}.
This contains the escaped version of the username, so they should match.

However, as I write this I realise for just how long I haven't worked on
that aspect of the server. I might be right though, it's worth a try :-).

Greetings,

Stefan Winter

> 
> [1] authorize_check_query from sql/mysql/dialup.conf


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
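As an added example (not part of Stefan's reply and not FreeRADIUS's own code), here is a small Python re-implementation of the `=XX` escaping that rlm_sql applies when it builds %{SQL-User-Name}, run against the addresses from this thread. The safe_characters value is assumed from a stock 3.x queries.conf, and the radcheck column names and the o'brien address are constructed for the demonstration.

```python
# Added example (not from the mailing-list thread): a re-implementation of the
# escaping rlm_sql applies to produce %{SQL-User-Name}, used to show why a
# literal apostrophe must never be a "safe character" and what the stored
# username has to look like instead.

# Default safe_characters as shipped in mods-config/sql/main/mysql/queries.conf
# (assumed from a stock FreeRADIUS 3.x install; check your own file).
SAFE_CHARACTERS = frozenset(
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /")


def sql_escape(value, safe=SAFE_CHARACTERS):
    """Escape like rlm_sql: each byte outside `safe` becomes =XX (uppercase hex).

    Multi-byte UTF-8 characters are escaped byte by byte, so 'é' -> '=C3=A9'.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x80 and chr(byte) in safe:
            out.append(chr(byte))
        else:
            out.append("=%02X" % byte)
    return "".join(out)


def authorize_check_query(username, safe=SAFE_CHARACTERS):
    """Shape of authorize_check_query with %{SQL-User-Name} already expanded
    (constructed column list, modelled on the radcheck table)."""
    return ("SELECT id, username, attribute, value, op FROM radcheck "
            "WHERE username = '%s' ORDER BY id" % sql_escape(username, safe))


def input_stayed_in_literal(query):
    """True when the username is still one quoted literal: exactly the two
    quotes the template wrote and no statement separator smuggled in."""
    return query.count("'") == 2 and ";" not in query


if __name__ == "__main__":
    legit = "o'brien@example.com"                           # constructed sample
    hostile = "stefan';DROP TABLE radacct;@somedomain.com"  # from the reply

    # Stock config: the apostrophe is encoded, so the radcheck row has to
    # store the escaped form for the lookup to match.
    print(sql_escape(legit))                                        # o=27brien@example.com
    print(input_stayed_in_literal(authorize_check_query(hostile)))  # True

    # The asked-about change of adding ' to safe_characters: the quote passes
    # through unescaped and the literal is broken open, which is the
    # "error in your SQL syntax" the poster saw, and an injection point.
    unsafe = SAFE_CHARACTERS | {"'"}
    print(input_stayed_in_literal(authorize_check_query(hostile, unsafe)))  # False
```

With the stock escaping, the radcheck row has to hold the escaped form (o=27brien@example.com) for a %{SQL-User-Name} comparison to match; keeping the apostrophe out of safe_characters is what keeps the hostile address above inside a single quoted literal.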