1.1.7 sqlippool %{SQL-User-Name}

Peter Nixon listuser at peternixon.net
Tue Jul 17 21:15:42 CEST 2007


On Tue 17 Jul 2007, Alan DeKok wrote:
> Peter Nixon wrote:
> > Alan. Can you help out here? From memory I am seeing the same thing in
> > cvs head. I ended up commenting out the username part of the query as I
> > don't actually do anything based on username in my system. It definitely
> > needs to be %{SQL-User-Name} though, as I was getting escape characters
> > as the username from some users and it was blowing up the sql queries.
> > (HUGE GAPING SECURITY HOLE)
> >
> > Is there something special we need to do in rlm_sqlippool to get access
> > to %{SQL-User-Name}?
>
>   Yes.  Call sql_set_user().  Patch is attached.
>
>   Also, the sqlippool_expand() function could be done better.  The use
> of single-character values is awkward.  Instead, it should register an
> xlat() function, to allow things like %{sqlippool:Pool-Name}.
>
>   Hmm... that could be in the server core, come to think of it.

As it turns out I was just looking at rlm_sqlcounter and it has a 
sqlcounter_expand() function which is very similar. I think if we were to go 
through rlm_sql, rlm_sqlcounter and rlm_sqlippool there is a fair bit that 
could be refactored.

Cheers

-- 

Peter Nixon
http://peternixon.net/
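
An added illustration of the problem discussed in this thread, not part of the original post and not FreeRADIUS code: the same query template filled with a raw username and with an escaped copy. The helpers `escape_username`, `build_query` and `count_quotes`, the allow-list, the `=XX` encoding and the table and column names are all assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allow-list for this sketch; every other byte is written as =XX. */
static const char SAFE[] =
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /";

/* Hypothetical helper. Returns escaped length, or -1 if out is too small. */
int escape_username(char *out, size_t outlen, const char *in)
{
    size_t n = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        size_t need = strchr(SAFE, c) ? 1 : 3;
        if (n + need >= outlen) return -1;   /* keep room for the NUL */
        if (need == 1) out[n] = (char)c;
        else snprintf(out + n, 4, "=%02X", c);
        n += need;
    }
    out[n] = '\0';
    return (int)n;
}

/* Hypothetical helper; table and column names are constructed. */
int build_query(char *out, size_t outlen, const char *name)
{
    int n = snprintf(out, outlen,
                     "SELECT id FROM pool WHERE username = '%s'", name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Single quotes in a query; the template alone contributes two. */
int count_quotes(const char *q)
{
    int k = 0;
    for (; *q; q++) k += (*q == '\'');
    return k;
}

int main(void)
{
    const char *raw = "o'brien\\";   /* constructed sample username */
    char esc[64], q[256];
    build_query(q, sizeof q, raw);
    printf("raw:     %s (%d quotes)\n", q, count_quotes(q));
    escape_username(esc, sizeof esc, raw);
    build_query(q, sizeof q, esc);
    printf("escaped: %s (%d quotes)\n", q, count_quotes(q));
    return 0;
}
```

With the raw name the quote count is odd, so the string literal in the query is unbalanced; with the escaped copy only the template's own two quotes remain.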