Inconsistent behavior dealing with the escaping backslash
Kwak Wookjong
Wookjong.Kwak at gemalto.com
Thu Jan 25 00:32:28 CET 2018
Issue type
Defect - Unexpected behaviour (obvious or verified by project member).
I have found that the backslash in the shared secret interpreted differently
depending on the read_clients option to be set in the /etc/raddb/mods-enable/sql
Case 1.
When the DB is read while its startup only, by setting read_clients option to be yes,
for example, the shared secret, test\123 is read as test\123 and the client is added
with having single backslash.
Case 2.
When the DB is read per each request, by setting read_clients option to be no,
the shared secret, test\123 becomes test\\123 and the client is added
with having double backslashes.
I will put more detail of the Case 2 log, below,
$radiusd -X
(0) server dynamic_client_server {
...........
...........
rlm_sql (sql): Reserved connection (2)
(0) Executing select query: SELECT secret FROM nas WHERE nasname = '192.168.99.1'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sql): Released connection (2)
(0) EXPAND %{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}
(0) --> test\123
(0) FreeRADIUS-Client-Secret = test\123
rlm_sql (sql): Reserved connection (3)
...........
...........
(0) } # server dynamic_client_server
(0) Converting control list to client fields
(0) ipv4addr = 192.168.99.1
(0) secret = test\\123
(0) shortname = Radius Local Test
(0) nas_type = other
Adding client 192.168.99.1/32 with shared secret "test\\123"
In bold, you will see the additional backslash has added when it is converting control list to client fields.
However, in Case 1,
It doesn't even print out the log from rlm_sql, So, I assume that it is adding the client information
from a different path with the different logic.
As a result, the client is added with shared secret test\123, in this case.
Suppose, I want to set the read_clients option to be "no",
as the shared secret can be modified at any time and it should be reflected at every request,
why can't both cases have the same manner of treating escaping backslash?
Thanks!
Best Reagrds,
WJ
________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.
More information about the Freeradius-Devel
mailing list