xlat expansion of absent VPs

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Jun 18 00:55:38 CEST 2013

On 17 Jun 2013, at 23:40, Matthew Newton <mcn4 at leicester.ac.uk> wrote:

> On Mon, Jun 17, 2013 at 02:19:02PM -0400, Alan DeKok wrote:
>> Arran Cudbard-Bell wrote:
>>> I have to agree. If an attribute doesn't exist then it should expand to "",
>>> that's the behaviour i'm used to too.
>>  For me, it's a major security issue.  Silently missing an attribute is
>> bad.
> Having empty attributes replaced by "_" could be incredibly
> annoying depending on the circumstance. But then I hope I'd also
> have the sense to check what I'm doing to make sure that if an
> attribute did end up empty it was handled correctly.
> And what happens if an attribute actually has the value "_"?
> Unlikely I guess, but possible?
> Couldn't it just be configurable? Something just like
> xlat_empty_attribute = "_"
> for default, but could be set to any string? Gives some possible
> protection by default, but can be overridden if needed in a global
> way.

There are only a few places where this is useful for preventing security issues (like rlm_exec and exec.).

Other places it's unnecessary and an annoyance. I don't see there's value in setting it globally,  but I do see value is specifying it on a call by call basis so that appropriate values can be used for the string being built.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

More information about the Freeradius-Devel mailing list