1.1.7 sqlippool %{SQL-User-Name}
Alan DeKok
aland at deployingradius.com
Tue Jul 17 11:52:50 CEST 2007
Peter Nixon wrote:
> Alan. Can you help out here? From memory I am seeing the same thing in cvs
> head. I ended up commenting out the username part of the query as I don't
> actually do anything based on username in my system. It definitely needs to
> be %{SQL-User-Name} though, as I was getting escape characters as the
> username from some users and it was blowing up the sql queries. (HUGE
> GAPING SECURITY HOLE)
>
> Is there something special we need to do in rlm_sqlippool to get access
> to %{SQL-User-Name}?

Yes. Call sql_set_user(). Patch is attached.

Also, the sqlippool_expand() function could be done better. The use
of single-character values is awkward. Instead, it should register an
xlat() function, to allow things like %{sqlippool:Pool-Name}.

Hmm... that could be in the server core, come to think of it.

Alan DeKok.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sql.patch
Type: text/x-patch
Size: 2461 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20070717/e4af227c/attachment.bin>
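
Added example, not part of the original post or the attached patch: a C sketch of why the thread insists on the escaped %{SQL-User-Name} rather than the raw user name when a query template is expanded. The function names, the allow-list, the =XX encoding and the query text are assumptions made for illustration, not the rlm_sql or rlm_sqlippool code.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allow-list: any byte outside it is hex-encoded as =XX. */
static const char *SAFE_CHARS =
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /";

/* Escape `in` into `out`. Returns the escaped length, or -1 if it does
 * not fit: a truncated user name must never reach the query. */
int escape_user(char *out, size_t outlen, const char *in)
{
    size_t used = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int safe = c >= 32 && strchr(SAFE_CHARS, c) != NULL;
        size_t need = safe ? 1 : 3;
        if (used + need + 1 > outlen) return -1;
        if (safe) out[used++] = (char)c;
        else { snprintf(out + used, 4, "=%02X", (unsigned)c); used += 3; }
    }
    out[used] = '\0';
    return (int)used;
}

/* Expand a constructed query template. escaped=0 stands in for the raw
 * user name, escaped=1 for the escaped one. Returns 0 on success. */
int build_query(char *q, size_t qlen, const char *user, int escaped)
{
    char name[256];
    if (escaped) {
        if (escape_user(name, sizeof(name), user) < 0) return -1;
    } else {
        if (strlen(user) >= sizeof(name)) return -1;
        strcpy(name, user);
    }
    int n = snprintf(q, qlen,
        "SELECT framedipaddress FROM radippool WHERE username = '%s'", name);
    return (n < 0 || (size_t)n >= qlen) ? -1 : 0;
}

int main(void)
{
    const char *user = "o'brien";   /* constructed sample user name */
    char q[512];
    if (build_query(q, sizeof(q), user, 0) == 0) printf("raw:     %s\n", q);
    if (build_query(q, sizeof(q), user, 1) == 0) printf("escaped: %s\n", q);
    return 0;
}
```

With the raw name the quote inside the user name ends the SQL string literal early and the statement no longer parses as intended; with the escaped name the literal stays intact.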