23 Sep
2006
23 Sep
'06
4:20 p.m.
James J J Hooper <jjj.hooper@bristol.ac.uk> wrote:
Does FreeRADIUS taint check (i.e. escape certain characters)? If not, does the plain text password auth bit of the page have security considerations?
No. It doesn't need to. That's the responsibility of the program being executed. i.e. FreeRADIUS calls the "execve" function, not "system", so the shell is never used, and *no* input characters are special. i.e. Try passing the string "$$" as the User-Name in the examples on the web page. You will see "$$" being passed as an argument, and not the PID of the shell. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog