On Jul 18, 2019, at 2:51 AM, belyj@belyj.eu wrote:
... (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'p6suf=2BFyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=3D' ORDER BY id
echo "User-Name="p6suf+FyNBebQgLMTdAXD4q0U/yZVIaxSN/w8LzVMlw=",NAS-Identifier=nas-here" | radclient 127.0.0.1 auth testing123
same with username %{User-Name}, default install just enabled sql module
The SQL module has always performed character escaping. I'm not sure what changed, if anything. The short answer is that you can expose your SQL server to injection attacks by editing the "safe_characters" string in mods-config/sql/main/mysql/queries.conf Alan DeKok.