is it dangerous to change sql safe_characters ?
hi: we are using freeradius 3.0.9. and we want to make the sql accounting data easier to read/process. currently the characters below we may use are escaped by default '\' => for windows account like "domain\user". "+","=" => for base64 encoding these two characters are used is it safe the add these characters to query.conf "safe_characters"? PS: by default the method to escap the "\" character seems not correct. when user use "domain\user" to login, if I check with "radiusd -X", the name sometimes present as 'domain\user', and sometimes present as "domain\\user". but finally when it write to sql, it becomes "domain=5C=5Cuser". I think the correct escaped string should be "domain=5Cuser" ? thanks a lot for help!! Regards, tbskyd
On Jul 30, 2015, at 8:11 AM, d tbsky <tbskyd@gmail.com> wrote:
we are using freeradius 3.0.9. and we want to make the sql accounting data easier to read/process. currently the characters below we may use are escaped by default
'\' => for windows account like "domain\user". "+","=" => for base64 encoding these two characters are used
is it safe the add these characters to query.conf "safe_characters"?
No.
PS: by default the method to escap the "\" character seems not correct. when user use "domain\user" to login, if I check with "radiusd -X", the name sometimes present as 'domain\user', and sometimes present as "domain\\user". but finally when it write to sql, it becomes "domain=5C=5Cuser". I think the correct escaped string should be "domain=5Cuser" ?
It depends where the string comes from. See the debug output for details. Alan DeKok.
Hi,
'\' => for windows account like "domain\user". "+","=" => for base64 encoding these two characters are used
is it safe the add these characters to query.conf "safe_characters"?
No.
ok. then I will give up the idea. I am curious is "\" dangerous?
yes. backslash can be used for injection of arbitrary SQL commands if not escaped properly...as can several other characters.... ' and " come to mind straight away alan
On 30-07-15 14:51, d tbsky wrote:
Hi Alan:
ok. then I will give up the idea. I am curious is "\" dangerous?
Say we have a logging function that writes succesful authentications to a database: INSERT INTO logging (timestamp, username) VALUES (now(), '%{User-Name}%') With using the username "foo\" the query would become: INSERT INTO logging (timestamp, username) VALUES (now(), 'foo\') Now the last "'" is escaped and the query generates a syntax error. -- Herwin Weststrate
2015-07-30 21:21 GMT+08:00 Herwin Weststrate <herwin@quarantainenet.nl>:
On 30-07-15 14:51, d tbsky wrote:
Hi Alan:
ok. then I will give up the idea. I am curious is "\" dangerous?
Say we have a logging function that writes succesful authentications to a database:
INSERT INTO logging (timestamp, username) VALUES (now(), '%{User-Name}%')
With using the username "foo\" the query would become:
INSERT INTO logging (timestamp, username) VALUES (now(), 'foo\')
Now the last "'" is escaped and the query generates a syntax error.
but in 3.0.9 reality, if I add "\" to safe_character, freeradius will present it with "\\" when write to sql, and all other special characters are escaped by default, so everything seems fine. so I am curious what will go wrong. but I now only have username attribute which will have "\" character. I don't know if freeradius will present all the "\" with "\\" correctly for all the attributes Regards, tbskyd.
Hi,
but in 3.0.9 reality, if I add "\" to safe_character, freeradius will present it with "\\" when write to sql, and all other special characters are escaped by default, so everything seems fine. so I am
in 3.0.9 reality (and since early 3.0.x days), there is another setting to change how FreeRADIUS deals with backslashes alan
2015-07-30 22:45 GMT+08:00 <A.L.M.Buxey@lboro.ac.uk>:
Hi,
but in 3.0.9 reality, if I add "\" to safe_character, freeradius will present it with "\\" when write to sql, and all other special characters are escaped by default, so everything seems fine. so I am
in 3.0.9 reality (and since early 3.0.x days), there is another setting to change how FreeRADIUS deals with backslashes
grep the config file I only saw "correct_escapes = true". but it seems only related to backslashes in config files. not about sql.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
d tbsky -
Herwin Weststrate