On Wed, May 18, 2016 at 10:18:01AM -0400, Arran Cudbard-Bell wrote:
Probably the easiest way without radius_xlat calling some sort of module "pre-xlat" function before doing the xlat. Or having a "delayed expansion" flag which tells radius_xlat not to expand anything and to let the module do it. But I guess that's what happened before; it was probably fixing all the \\\\\\\\ escaping madness that broke this...
SQL-User-Name is only useful because it expands to the group being processed. For everything else the xlat escape function will prevent injection attacks.
OK. So is it worth removing the sql_set_user() call from sql_xlat so that the xlat doesn't add SQL-User-Name? As it's not available to use in the actual xlat it seems like it's just a side effect that's confusing. It's still available in other sql calls of course. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>