xlat expansion of absent VPs

Matthew Newton mcn4 at leicester.ac.uk
Tue Jun 18 00:40:06 CEST 2013


On Mon, Jun 17, 2013 at 02:19:02PM -0400, Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
> > I have to agree. If an attribute doesn't exist then it should expand to "",
> > that's the behaviour I'm used to too.
> 
>   For me, it's a major security issue.  Silently missing an attribute is
> bad.

Having empty attributes replaced by "_" could be incredibly
annoying depending on the circumstance. But then I hope I'd also
have the sense to check what I'm doing to make sure that if an
attribute did end up empty it was handled correctly.

And what happens if an attribute actually has the value "_"?
Unlikely I guess, but possible?

Couldn't it just be configurable? Something just like

xlat_empty_attribute = "_"

for default, but could be set to any string? Gives some possible
protection by default, but can be overridden if needed in a global
way.

Cheers

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>


More information about the Freeradius-Devel mailing list
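
Added example, not part of the original message and not FreeRADIUS code: a simplified stand-in for `%{Attribute-Name}` expansion that shows the collision asked about above, with the proposed `xlat_empty_attribute` setting modelled as the `empty_attribute` parameter. The functions, the template and the sample requests are constructed for illustration, and treating a present-but-empty value like an absent one is an assumption.

```python
import re
from collections import defaultdict

# Matches %{Attribute-Name} references (simplified; no nesting or modifiers).
REF = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def expand(template, attrs, empty_attribute="_"):
    """Expand %{Name} references; absent or empty attributes become empty_attribute."""
    def sub(match):
        value = attrs.get(match.group(1), "")
        return value if value != "" else empty_attribute
    return REF.sub(sub, template)


def collisions(template, requests, empty_attribute):
    """Return expanded strings produced by more than one distinct request."""
    groups = defaultdict(list)
    for name, attrs in requests.items():
        groups[expand(template, attrs, empty_attribute)].append(name)
    return {out: names for out, names in groups.items() if len(names) > 1}


# Constructed sample data: one template and three requests.
TEMPLATE = "%{Calling-Station-Id}:%{User-Name}"
REQUESTS = {
    "absent": {"User-Name": "bob"},
    "literal_underscore": {"User-Name": "bob", "Calling-Station-Id": "_"},
    "normal": {"User-Name": "bob", "Calling-Station-Id": "00-11-22-33-44-55"},
}

if __name__ == "__main__":
    for setting in ("", "_", "<absent>"):
        print("empty_attribute=%r" % setting)
        for name, attrs in REQUESTS.items():
            print("  %-20s -> %r" % (name, expand(TEMPLATE, attrs, setting)))
        print("  collisions:", collisions(TEMPLATE, REQUESTS, setting))
```

With `""` the absent attribute disappears without trace, with `"_"` it becomes indistinguishable from a real value of `_`, and any other configured string moves that collision to a different value.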