SQL escaping
Phil Mayers
p.mayers at imperial.ac.uk
Wed Sep 26 12:36:56 CEST 2012
On 25/09/12 20:16, Alan DeKok wrote:
>
> The only thing for me is that the escaping has to be done recursively.
> e.g. SQL asking for an expansion of "foo %{Bar}" means that the "foo"
> portion should be copied as-is. But the %{Bar} portion is untrusted,
> and MUST be escaped.
It should do that - I tested it locally with a pretty big variety of
xlats on the SQL and LDAP modules, including nested xlats.
However - TBH I find the code in decode_attribute() and
rad_copy_variable() a bit hairy. It wasn't obvious to me for example
that this:
%{some %{var}:-other %{text}}
...isn't legal syntax. I can think of circumstances that might be useful.
So, that being the case, if someone could compile and test the xlat
stuff to destruction to check I haven't missed anything, that would be a
good thing (tm).
If the general approach is ok, I'll apply this patch to our testing
radius server, and might work up a branch with SQL-native escaping to
really give it a torture test.
>
> From looking at the code, it looks pretty good. My only $0.02 is:
>
> https://github.com/philmayers/freeradius-server/commit/08de5a57f202aebabdbd0a50a99574aca79a130d
>
> It does a malloc. I'd just declare (or re-use) a buffer on the stack.
> malloc() is slow and painful for temporary storage.
The main reason I used a malloc there was that I didn't want to truncate
any output, since all the code upward of the stack uses pointer/length
arguments. And variable-length arrays:
char buf[freespace];
...are a GCC-ism. But I take your point, and I guess a static buffer is
OK - we're reading from a "char buf[8192]" at that point anyway.
Do you want me to re-do the patch stream or just modify the commit
if/when it gets merged?
More information about the Freeradius-Devel
mailing list