Hi All,
I'm new to Radius, now encountered problems with
ldap_escape_func in rlm_ldap. please help me since it's really a bit urgent.
the comments regarding to this function is 'Add an
ldap_escape_func. Escape the * character from the filter so that we can avoid
the trivial DoS of username=*'. if i was not wrong, this function intends to
filter out the * which follows the username, i.e, if username is 'userid*'
in access-request packet, ldapsearch is only based on 'userid'. but what's the
purpose for doing this and is it secure? or did i misunderstand the comments?
the lastest version freeradius-1.0.5 has a slightly
different version for this piece of code,
*****************************************************************
freeradius-1.0.5
if (strchr("*=\\,()", *in))
{
static const char *hex =
"0123456789abcdef";
if (outlen <= 3) break;
*(out++) =
'\\';
*(out++) = hex[((*in) >> 4) &
0x0f];
*(out++) = hex[(*in) &
0x0f];
outlen -=
3;
continue;
}
**************************************************************
freeradius-1.0.4 and previous
if (strchr("*", *in))
{
in++;
outlen--;
continue;
}
i couldn't figure out what does the change intend
to do, is it to filter out '*', '\\', '()' and '=' from username? and why should
it be in that way? please help me. thanks a lot in advance.