Hi,
We are using a mysql-backed v3 server and eap / peap / mschapv2.
A new user has come along whose email address contains an apostrophe, ('single quote' if you prefer) which is unusual but legitimate.
By default we allow users to use their email address as a username.
Sure. My mail address is stefan';DROP TABLE radacct;@somedomain.com .
I have found the safe_characters list here: /etc/freeradius/mods-config/sql/main/mysql/queries.conf
Without the apostrophe in the safe_characters list, it gets encoded to =27 and so the db query [1] fails to find a user with that username.
If you allow ' as a "safe character" then you open up yourself to SQL injection attacks like the above.
With the apostrophe in the list, the query fails with "an error in your SQL syntax"...
Is there any way out of this conundrum except putting mime-encoded data in the database?
Your query should use %{SQL-User-Name} instead of just %{User-Name}. This contains the escaped version of the username, so they should match. However, as I write this I realise for just how long I haven't worked on that aspect of the server. I might be right though, it's worth a try :-). Greetings, Stefan Winter
[1] authorize_check_query from sql/mysql/dialup.conf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66