safe_characters issue

Alan DeKok aland at
Wed Jun 17 18:10:02 CEST 2020

On Jun 17, 2020, at 11:11 AM, Fabrice Durand <fdurand at> wrote:
> I am not sure it's the case, the only place i defined safe_characters is in mods-enabled/sql


> I attached 2 debug outputs and the sql files used , the one with safe_characters defined in the sql {...} section (who works) and the other one with safe_characters defined in sql sql_degraded{...} (that doesn't works)
> For me it looks that even if you define safe_characters in another section than the sql {...} one the code doesn't use it and use the one from the sql {...} section instead.

  Except that the code *always* looks at definition of safe_characters in the current configuration.

  There's nothing in the rlm_sql source which says "search for the base SQL module and use that".

> I did exactly the same tests on the FreeRADIUS version 3.0.13 (i am using another path for the configuration files than /etc/radiusd, so the files didn't changed) and it takes the safe_characters defined in the sql_degraded section.
> Btw setting the safe_characters in sql{...} fixed my issue, but it looks to be a regression.

  I just took the current v3.0.x head, and created a "sql sql2" module, which uses MySQL.  The main "sql" module is using sqlite.  I edited the safe_characters definition in mods-config, and I see:

$ radiusd -X | grep safe
  	safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  	safe_characters = "YYY at abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  	safe_characters = "XXX at abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

  The first one is from rlm_expr.  The second is from the sqlite definition that I edited.  The third one is from the MySQL definition that I edited.

  And from the debug output you posted:

  # Loading module "sql_degraded" from file /usr/local/pf/raddb/mods-enabled/sql
  sql sql_degraded {
  	driver = "rlm_sql_mysql"
  	server = ""
  	port = 3306
  	login = "pf"
  	password = <<< secret >>>
  	radius_db = "pf"
  	read_groups = yes
  	read_profiles = yes
  	read_clients = no
  	delete_stale_sessions = yes
  	sql_user_name = "%{User-Name}"
  	default_user_profile = ""
  	client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
  	group_membership_query = ""
  	safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"

  So that seems to work.

  Alan DeKok.

More information about the Freeradius-Users mailing list