SQL escaping
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Fri Sep 21 16:52:35 CEST 2012
On 21 Sep 2012, at 15:05, Phil Mayers <p.mayers at IMPERIAL.AC.UK> wrote:
> On 21/09/12 13:14, Arran Cudbard-Bell wrote:
>
>> I'm presuming that properly escaped strings will be converted back to
>> there unescaped form when they get inserted into the database?
>
> Yes. If the NAS sends:
>
> User-Name = "foo'bar"
> Some-Attr = "some\ntext"
>
> ...then then SQL escape function will generate a string
> (depending on what the DB driver does for escaping):
>
> insert into x (username,msg) values (E'foo''bar', E'some<newline>
> text')
>
> ...and the value in the SQL column will be:
>
> foo'bar
> some<newline>text
This probably won't cause that many issues, but should probably be noted somewhere.
>> Applications that relied on FreeRADIUS to do the escaping of special
>> characters would then be vulnerable to various other kinds of
>> injection attacks.
>
> The idea would be that by using the DB escape code, you eliminate *all* vulnerability to injection attacks. Xlat will always generate correctly quoted strings.
>
> But I think you're talking about other apps that then *read* the data FR has inserted, in which case see below.
I was.
>
>>
>> I've copied the safe character code into another xlat function (could
>> you pull and update that as part of your patch set too). In your
>> second patch set please wrap user modifiable attributes e.g.
>> User-Name/User-Password where they're used in INSERT/UPDATE queries
>> with %{encode:}, this should minimise the risk of administrators
>> inadvertently exposing other applications to raw user provided data.
>
> My intention was to make the escaping mode a setting on the SQL instance that defaults to safe-characters, but can be set to "native".
I've not seen any other application that pre-escapes data that it inserts to the database beyond handling the specific requirements of the protocol/markup language. It's not generally expected behaviour, so I don't think it should be the default behaviour.
However, the SQL module has been around for nearly a decade now, so it'd be good to provide backwards compatibility with the default config, for attribute that commonly contain user input, hence suggesting the default config still escape User-Name/User-Password.
-Arran
More information about the Freeradius-Devel
mailing list