On Tue 17 Jul 2007, Alan DeKok wrote:
Peter Nixon wrote:
Alan. Can you help out here? From memory I am seeing the same thing in cvs head. I ended up commenting out the username part of the query as I don't actually do anything based on username in my system. It definitely needs to be %{SQL-User-Name} though, as I was getting escape characters as the username from some users and it was blowing up the sql queries. (HUGE GAPPING SECURITY HOLE)
Is there something special we need to do in rlm_sqlippool to get access to %{SQL-User-Name}?
Yes. Call sql_set_user(). Patch is attached.
Also, the sqlippool_expand() function could be done better. The use of single-character values is awkward. Instead, it should register an xlat() function, to allow things like %{sqlippool:Pool-Name}.
Hmm... that could be in the server core, come to think of it.
As it turns out I was just looking at rlm_sqlcounter and it has a sqlcounter_expand() function which is very similar. I think if we were to go through rlm_sql, rlm_sqlcounter and rlm_sqlippool there is a fair bit that could be refactored.. Cheers -- Peter Nixon http://peternixon.net/