Alan DeKok wrote:
- A post on the mailing list suggests to change the case-insensitive searches for PostgreSQL. We need someone who has a setup with PostgreSQL to test these changes and sends a patch for postgresql.conf.
Peter Nixon?
Thor Spruyt is familiar with PostgreSQL, and has sent a few patches to fix known issues with postgresql.conf and db_postgresql.sql.
- I'm not running LDAP on my site, but if bug #261 is reproductible, it should be fixed in 1.0.5 (attributes retrieved from ldap are truncated at first space)
It's more complicated than that. It gets excited over '=', too.
The LDAP module has *always* worked that way, so it's not a priority for 1.0.5.
That's right, but it seems easy to fix this issue. If I understand correctly the code in ldap_pairget(), we should have either "[value]" or "[operator] [value]" in a one-to-one-mapped attribute. If the statement above is correct, the code should be: ptr = str_from_ldap; operator = gettoken(&ptr); if (operator is valid) value = ptr; else value = str_from_ldap;
Maybe bug #73, too ? (libldap and libsasl problems)
Sounds good. I don't use LDAP, so I can't test it.
I've had a wonderful time with autoconf... but it should be fixed now. On other news, Primoz Bratanic is testing his tool of "automated vulnerability search" on the source code of FreeRADIUS. Thanks to him, I was able to fix three possible buffer overflows in xlat.c and rlm_sqlcounter.c. (see the Automatic CVS report) Primoz also found out that the SQL query in rlm_sqlcounter isn't correctly escaped. (possible SQL injection vulnerability) As the function 'sql_escape_func' is static in module 'rlm_sql', I don't know if we should copy/paste the code or make the function publicly available? We should also fix this in 1.0.5, before the people from Gentoo start to make publicity about this. -- Nicolas Baradakis