Alan DeKok wrote:
Primoz also found out that the SQL query in rlm_sqlcounter isn't correctly escaped. (possible SQL injection vulnerability) As the function 'sql_escape_func' is static in module 'rlm_sql', I don't know if we should copy/paste the code or make the function publicly available?
Since rlm_sqlcounter already calls rlm_sql to do it's work, just export the function.
Thinking about it, I don't like the idea to make rlm_sql export sql_escape_func. And I'm afraid of linkage issues, too. A links to B. A links to C. That's not rocket science, but will C be able to find a symbol in B on systems with stupid linker? I'd like to move sql_escape_func in the server core, in src/main/xlat.c for example. However, I noticed this function uses a global variable 'allowed_chars', so we'd need to bring it in the server core, too. -- Nicolas Baradakis