Nicolas Baradakis <nbk@sitadelle.com> wrote:
The LDAP module has *always* worked that way, so it's not a priority for 1.0.5.
That's right, but it seems easy to fix this issue. If I understand correctly the code in ldap_pairget(), we should have either "[value]" or "[operator] [value]" in a one-to-one-mapped attribute.
Yes.
If the statement above is correct, the code should be:
ptr = str_from_ldap; operator = gettoken(&ptr); if (operator is valid) value = ptr; else value = str_from_ldap;
That would work, but would also involve changing the way the module works in a stable release. On the other hand, the current method is arguable buggy. I'm fine with fixing it. Maybe Kostas has opinions?
On other news, Primoz Bratanic is testing his tool of "automated vulnerability search" on the source code of FreeRADIUS. Thanks to him, I was able to fix three possible buffer overflows in xlat.c and rlm_sqlcounter.c. (see the Automatic CVS report)
Sounds good to me.
Primoz also found out that the SQL query in rlm_sqlcounter isn't correctly escaped. (possible SQL injection vulnerability) As the function 'sql_escape_func' is static in module 'rlm_sql', I don't know if we should copy/paste the code or make the function publicly available?
Since rlm_sqlcounter already calls rlm_sql to do it's work, just export the function.
We should also fix this in 1.0.5, before the people from Gentoo start to make publicity about this.
Yes. I'd like to release 1.0.5 soon. Alan DeKok.