Release 1.0.5?

Alan DeKok aland at ox.org
Tue Aug 23 00:09:10 CEST 2005


Nicolas Baradakis <nbk at sitadelle.com> wrote:
> >   The LDAP module has *always* worked that way, so it's not a priority
> > for 1.0.5.
> 
> That's right, but it seems easy to fix this issue. If I understand
> correctly the code in ldap_pairget(), we should have either "[value]"
> or "[operator] [value]" in a one-to-one-mapped attribute.

  Yes.

> If the statement above is correct, the code should be:
> 
> 	ptr = str_from_ldap;
> 	operator = gettoken(&ptr);
> 	if (operator is valid)
> 		value = ptr;
> 	else
> 		value = str_from_ldap;

  That would work, but would also involve changing the way the module
works in a stable release.  On the other hand, the current method is
arguably buggy.

  I'm fine with fixing it.  Maybe Kostas has opinions?

> In other news, Primoz Bratanic is testing his tool of "automated
> vulnerability search" on the source code of FreeRADIUS. Thanks to him,
> I was able to fix three possible buffer overflows in xlat.c and
> rlm_sqlcounter.c. (see the Automatic CVS report)

  Sounds good to me.

> Primoz also found out that the SQL query in rlm_sqlcounter isn't
> correctly escaped. (possible SQL injection vulnerability) As the
> function 'sql_escape_func' is static in module 'rlm_sql', I don't
> know if we should copy/paste the code or make the function publicly
> available?

  Since rlm_sqlcounter already calls rlm_sql to do its work, just
export the function.

> We should also fix this in 1.0.5, before the people from Gentoo start
> to make publicity about this.

  Yes.  I'd like to release 1.0.5 soon.

  Alan DeKok.
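The parsing rule Nicolas proposes above (try to read an operator first; if the token is not a valid operator, treat the whole string as the value) can be shown in a few lines of C. This is an added, stand-alone illustration written for this page, not code from rlm_ldap and not its gettoken() call; the operator table is the usual FreeRADIUS pair-operator set, listed here by hand as an assumption, and the function name ldap_split_op is hypothetical. It deliberately requires whitespace after the operator, so that an LDAP value such as "=foo" is kept as a bare value rather than mis-read as operator "=" with value "foo".

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Pair operators a one-to-one mapped LDAP attribute may be prefixed with.
 * Hand-written table for this example (assumption: mirrors the usual
 * FreeRADIUS "users"-file set).  Longer operators come first so that
 * "==" is not matched as "=" followed by "=". */
static const char *const valid_ops[] = {
    "==", "!=", ">=", "<=", "=~", "!~", ":=", "+=", "-=", "=", ">", "<"
};

/* Split one LDAP attribute value of the form "[operator] [value]" or
 * plain "[value]".  On return *op points at the recognised operator
 * (NULL if the string carried none, so the caller applies its default)
 * and *value at the first character of the value inside `str`.
 * Returns 1 when an operator was found, 0 otherwise. */
int ldap_split_op(const char *str, const char **op, const char **value)
{
    const char *p = str;
    size_t i;

    while (isspace((unsigned char)*p)) p++;

    for (i = 0; i < sizeof(valid_ops) / sizeof(valid_ops[0]); i++) {
        size_t n = strlen(valid_ops[i]);

        /* An operator only counts if whitespace follows it: "= foo" is
         * operator "=" with value "foo", but "=foo" stays a bare value. */
        if (strncmp(p, valid_ops[i], n) == 0 && isspace((unsigned char)p[n])) {
            p += n;
            while (isspace((unsigned char)*p)) p++;
            *op = valid_ops[i];
            *value = p;
            return 1;
        }
    }

    *op = NULL;
    *value = p;
    return 0;
}

int main(void)
{
    /* Constructed sample values, as they might come back from LDAP. */
    const char *samples[] = { "== 10.0.0.1", "10.0.0.1", ":= hello world", "=foo" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *op, *v;
        ldap_split_op(samples[i], &op, &v);
        printf("%-16s -> op=%-6s value=\"%s\"\n", samples[i], op ? op : "(none)", v);
    }
    return 0;
}
```

A value consisting of an operator alone ("=" with nothing after it) is also returned as a bare value, since there is no whitespace after the token; whether that should instead be an error is a policy choice for the module.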

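The rlm_sqlcounter point (a query built from an unescaped request attribute, which rlm_sql's own sql_escape_func would have protected) is illustrated below with an added example written for this page. It is not the project's sql_escape_func and not rlm_sqlcounter's query; the whitelist, the "=XX" hex encoding of everything outside it, the function names sql_escape and build_counter_query, and the radacct query text are all assumptions made for the demonstration. The same input is interpolated twice, once raw and once escaped, so the injected quote can be seen surviving in the first and neutralised in the second.

```c
#include <stdio.h>
#include <string.h>

/* Characters passed through untouched.  Hypothetical whitelist for this
 * example; note that neither the single quote nor '=' is in it, so the
 * escape prefix itself cannot be forged by input. */
static const char safe_chars[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@.-_: /";

/* Copy `in` to `out` (capacity outlen), replacing every character not in
 * safe_chars with "=XX" (two upper-case hex digits).  Returns the number
 * of bytes written, or -1 if the result would not fit; `out` is always
 * NUL-terminated when outlen >= 1. */
int sql_escape(char *out, size_t outlen, const char *in)
{
    size_t used = 0;

    if (outlen == 0) return -1;

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;

        if (strchr(safe_chars, c) != NULL) {
            if (used + 1 >= outlen) { out[used] = '\0'; return -1; }
            out[used++] = (char)c;
        } else {
            if (used + 3 >= outlen) { out[used] = '\0'; return -1; }
            snprintf(out + used, 4, "=%02X", c);
            used += 3;
        }
    }
    out[used] = '\0';
    return (int)used;
}

/* Build a sqlcounter-style accounting query for `username`.  With
 * escape == 0 the name is interpolated as received (the injectable
 * pattern); with escape == 1 it is run through sql_escape first.
 * Returns the query length, or -1 on error or truncation. */
int build_counter_query(char *out, size_t outlen, const char *username, int escape)
{
    char buf[256];
    const char *user = username;
    int n;

    if (escape) {
        if (sql_escape(buf, sizeof buf, username) < 0) return -1;
        user = buf;
    }
    n = snprintf(out, outlen,
                 "SELECT SUM(AcctSessionTime) FROM radacct "
                 "WHERE UserName='%s' AND AcctStartTime > 0",
                 user);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Number of single quotes in `s`: a well-formed query here has exactly two. */
int count_quotes(const char *s)
{
    int k = 0;
    for (; *s; s++) if (*s == '\'') k++;
    return k;
}

int main(void)
{
    /* Constructed User-Name carrying a classic injection payload. */
    const char *name = "bob' OR '1'='1";
    char q[512];

    build_counter_query(q, sizeof q, name, 0);
    printf("raw:     %s\n", q);
    build_counter_query(q, sizeof q, name, 1);
    printf("escaped: %s\n", q);
    return 0;
}
```

Exporting the escape routine from rlm_sql, as suggested in the reply above, keeps one whitelist and one encoding for every module that interpolates attributes into SQL; a copy in rlm_sqlcounter would drift from it the first time either is changed.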