xlat expansion of absent VPs
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Jun 18 00:55:38 CEST 2013
On 17 Jun 2013, at 23:40, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> On Mon, Jun 17, 2013 at 02:19:02PM -0400, Alan DeKok wrote:
>> Arran Cudbard-Bell wrote:
>>> I have to agree. If an attribute doesn't exist then it should expand to "",
>>> that's the behaviour I'm used to too.
>>
>> For me, it's a major security issue. Silently missing an attribute is
>> bad.
>
> Having empty attributes replaced by "_" could be incredibly
> annoying depending on the circumstance. But then I hope I'd also
> have the sense to check what I'm doing to make sure that if an
> attribute did end up empty it was handled correctly.
>
> And what happens if an attribute actually has the value "_"?
> Unlikely I guess, but possible?
>
> Couldn't it just be configurable? Something just like
>
> xlat_empty_attribute = "_"
>
> for default, but could be set to any string? Gives some possible
> protection by default, but can be overridden if needed in a global
> way.
There are only a few places where this is useful for preventing security issues (like rlm_exec and exec.).
Other places it's unnecessary and an annoyance. I don't see there's value in setting it globally, but I do see value in specifying it on a call-by-call basis so that appropriate values can be used for the string being built.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
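
The trade-off discussed in this thread, as an added example that is not FreeRADIUS code and not part of the original messages: a toy `%{Name}` expander with a per-call placeholder for absent attributes. It assumes the command string is expanded first and then split into arguments; the script path, the attribute values and the `missing` parameter are hypothetical.

```python
import re
import shlex

# Matches %{Attribute-Name} references in a template string.
_REF = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def expand(template, attrs, missing=""):
    """Replace each %{Name} with its value; absent attributes become `missing`."""
    return _REF.sub(lambda m: attrs.get(m.group(1), missing), template)


def build_argv(template, attrs, missing=""):
    """Expand first, then split on shell-style whitespace into an argv list."""
    return shlex.split(expand(template, attrs, missing))


# Constructed sample request: Calling-Station-Id is absent.
REQUEST = {"User-Name": "alice", "NAS-IP-Address": "192.0.2.10"}

# Hypothetical script taking positional arguments: user, calling station, NAS.
COMMAND = ("/usr/local/bin/check.sh "
           "%{User-Name} %{Calling-Station-Id} %{NAS-IP-Address}")

# A string where an empty expansion is harmless and "_" would only be noise.
LOG_LINE = "user=%{User-Name} station=%{Calling-Station-Id}"


def demo():
    # Absent attribute expands to "": the argument disappears and the NAS
    # address slides into the calling-station position.
    silent = build_argv(COMMAND, REQUEST)
    # Placeholder chosen for this call only: positions are preserved.
    marked = build_argv(COMMAND, REQUEST, missing="_")
    # The case raised in the thread: a real value of "_" cannot be told
    # apart from the placeholder by the called script.
    literal = build_argv(COMMAND, dict(REQUEST, **{"Calling-Station-Id": "_"}))
    # Log-style string built with the empty default.
    log = expand(LOG_LINE, REQUEST)
    return silent, marked, literal, log


if __name__ == "__main__":
    for result in demo():
        print(result)
```
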