SQL escaping

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Sep 20 18:45:14 CEST 2012


On 20 Sep 2012, at 17:30, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 20/09/12 07:21, Alan DeKok wrote:
> 
>> add REQUEST and context (void*) to the RADIUS_ESCAPE_FUNC.
>> 
>> Add it to the prototypes, to all modules (as UNUSED), and have xlat.c
>> store the context, and pass it and REQUEST to the calling function
>> 
>> then, add the proper pass of the context in LDAP, SQL, etc.
>> individually.  Have it pass the right context, and then use it in the
>> escaping function.
> 
> Actually I've started to have a doubt about this having spent some time looking at it.
> 
> The xlat stuff is a bit more complex than I first appreciated. There are quite a few places where the escape func is just ignored when passed into *_xlat handlers

Hmm ok, yes we should probably pass it into the radius_xlat call in those functions. I'm not sure why it's not currently... I was just following what was there already.

> , and even in quite a few places in radius_xlat itself (most of the single-string expansions that aren't passed off to valuepair2str).

Oh, I've started to kill those off. I've removed all the duplicate ones and I've found a GPLd version of strftime, so I'm just going to add a %{time} expansion. Then there's Request ID %I, which we can just declare a callback for, and %Z, which I'm not convinced there's any real use case for now we have the detail module.

So you can ignore those safe in the knowledge they'll be gone by the time we release 3.0.

> In addition, literally the only places the escape function are used in the source are rlm_ldap, rlm_sql and rlm_rest, so it's both a limited-use code path, but very important.

Fewer places to fix it ;)!

> I don't know that I really want to touch it now!
> 
> [I did spot a bug in rlm_ldap though - one-liner pull request submitted]


Yeah, I'll pull it as soon as GitHub stops being sucky.

-Arran


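The mechanism the thread is arguing about, as an added illustration that is not FreeRADIUS code: an escape callback that takes the REQUEST plus a void* context (the shape Alan proposes), a module-specific SQL escaping context passed through it, and a minimal xlat-style expander that runs every expanded attribute value through the callback while copying literal text verbatim. The REQUEST struct, the context struct, the attribute table and the attacker-controlled User-Name are all constructed stand-ins for this example; the interesting case is the one Phil raises, an expansion path that drops the escape function on the floor.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the real types; the actual REQUEST carries value pairs,
 * this one just holds two attribute values for the demo. */
typedef struct request {
    const char *user_name;   /* attacker-controlled attribute value */
    const char *nas_ip;
} REQUEST;

/* Assumed per-module escaping context: in rlm_sql this would come from
 * the driver (which characters to escape and how). */
typedef struct sql_escape_ctx {
    const char *unsafe;      /* characters that must be escaped */
    char        escape_char; /* prefix used to escape them */
} sql_escape_ctx_t;

/* Escape callback signature with REQUEST and a void* context added, as
 * proposed in the thread. Returns bytes written, not counting the NUL. */
typedef size_t (*radius_escape_func_t)(REQUEST *request, char *out,
                                       size_t outlen, const char *in,
                                       void *ctx);

/* SQL escaping driven by the context; never emits a half escape pair. */
size_t sql_escape_func(REQUEST *request, char *out, size_t outlen,
                       const char *in, void *ctx)
{
    sql_escape_ctx_t *c = ctx;
    size_t n = 0;
    (void)request;                              /* not needed here */

    if (outlen == 0) return 0;
    outlen--;                                   /* reserve room for NUL */

    for (; *in && n < outlen; in++) {
        if (strchr(c->unsafe, *in)) {
            if (n + 2 > outlen) break;          /* no room for pair: stop */
            out[n++] = c->escape_char;
        }
        out[n++] = *in;
    }
    out[n] = '\0';
    return n;
}

/* Toy attribute table; unknown attributes expand to "". */
static const char *attr_lookup(REQUEST *r, const char *name, size_t len)
{
    if (len == 9  && memcmp(name, "User-Name", 9) == 0)       return r->user_name;
    if (len == 14 && memcmp(name, "NAS-IP-Address", 14) == 0) return r->nas_ip;
    return NULL;
}

/* Minimal %{Attr} expansion. Literal text is copied verbatim; every
 * expanded value goes through escape() with ctx when escape is non-NULL.
 * Passing escape == NULL models the handlers that ignore it. */
size_t radius_xlat_mini(char *out, size_t outlen, const char *fmt,
                        REQUEST *request, radius_escape_func_t escape,
                        void *ctx)
{
    size_t n = 0;
    const char *p = fmt;

    if (outlen == 0) return 0;
    while (*p && n < outlen - 1) {
        if (p[0] == '%' && p[1] == '{') {
            const char *end = strchr(p, '}');
            const char *value;
            if (!end) break;                    /* unterminated: stop */
            value = attr_lookup(request, p + 2, (size_t)(end - (p + 2)));
            if (value) {
                if (escape) {
                    n += escape(request, out + n, outlen - n, value, ctx);
                } else {
                    size_t l = strlen(value);   /* raw copy: the bug */
                    if (l > outlen - 1 - n) l = outlen - 1 - n;
                    memcpy(out + n, value, l);
                    n += l;
                }
            }
            p = end + 1;
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

#define QUERY_FMT "SELECT id FROM radcheck WHERE username = '%{User-Name}'"

/* Assumed MySQL-like rules: escape quote, backslash, double quote with '\'. */
static sql_escape_ctx_t mysql_like_ctx = { "'\\\"", '\\' };

/* Build the query with or without the escape function wired through. */
size_t build_query(char *out, size_t outlen, REQUEST *request, int use_escape)
{
    return radius_xlat_mini(out, outlen, QUERY_FMT, request,
                            use_escape ? sql_escape_func : NULL,
                            &mysql_like_ctx);
}

int main(void)
{
    REQUEST req = { "bob' OR '1'='1", "192.0.2.1" };   /* constructed input */
    char q[256];

    build_query(q, sizeof q, &req, 0);
    printf("unescaped: %s\n", q);
    build_query(q, sizeof q, &req, 1);
    printf("escaped:   %s\n", q);
    return 0;
}
```

The point of threading the context through, rather than a global, is that the same xlat code can serve rlm_sql and rlm_ldap with different quoting rules chosen by the caller; the point of passing the callback into every expansion path is visible in the NULL branch, which produces a query whose WHERE clause the client controls.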