1.1.7 sqlippool %{SQL-User-Name}
Peter Nixon
listuser at peternixon.net
Tue Jul 17 15:00:41 CEST 2007
On Tue 17 Jul 2007, Alan DeKok wrote:
> Peter Nixon wrote:
> > Alan. Can you help out here? From memory I am seeing the same thing in
> > cvs head. I ended up commenting out the username part of the query as I
> > don't actually do anything based on username in my system. It definitely
> > needs to be %{SQL-User-Name} though, as I was getting escape characters
> > as the username from some users and it was blowing up the sql queries.
> > (HUGE GAPPING SECURITY HOLE)
> >
> > Is there something special we need to do in rlm_sqlippool to get access
> > to %{SQL-User-Name}?
>
> Yes. Call sql_set_user(). Patch is attached.
Hugh
I have applied Alan's patch to the 1.1.x branch. Can you test and see
if %{SQL-User-Name} works in rlm_sqlippool for MySQL now?
Cheers
--
Peter Nixon
http://peternixon.net/
More information about the Freeradius-Users
mailing list