Null SQL user
Michael Griego
mgriego at utdallas.edu
Thu Sep 21 18:03:12 CEST 2006
There is a risk with this patch of running queries where the WHERE
clause becomes WHERE UserName = ''... Which, I guess isn't really
all that bad...
I'm not sure I have any real problem with it, but we'll probably want
to make the default sql_user_name configuration item %{User-Name:-
DEFAULT} if we make the change this way.
--Mike
On Sep 21, 2006, at 8:20 AM, Peter Nixon wrote:
>>> As you can see a request with NULL username is quite valid for
>>> me, and
>>> may be proxied or accepted based (from inside the sql procedure)
>>> based on
>>> information in the request other than username/password and should
>>> therefore go through the normal sql queries.
>>
>> Oh, absolutely. There are many instances where a User-Name attribute
>> may not/need not be present that are completely valid and should be
>> handled by the sql module.
>
> Can someone please test the attached patch before I commit it. It
> works ok for
> us with Postgresql but its possible that it may cause suprises for
> other
> database types.
>
> Cheers
>
> --
>
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc
> <nullsqluser.patch>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/
> devel.html
More information about the Freeradius-Devel
mailing list