Can unlang do this?

Chris cjl at viptalk.net
Thu Apr 24 19:53:11 CEST 2008


On Apr 24, 2008, at 4:21 AM, Alan DeKok wrote:
> Chris wrote:
>> gets me closer, but I have quoting issues:
>>
>> expand: %{control:Tmp-String-1} -> ou\3daccounts\2cdc\3dviptalk\2cdc\3dnet
>
>  Hmm... OK, to fix that you'll have to update the LDAP module.  Or,
> ensure that the *dynamic* portions of the basedn don't contain '='.

Or any of these, for that matter:  ",+\"\\<>;*=()"

I guess the trick is fixing it (breaking it?) so this works without  
opening up any vectors for injection attacks.  Would it be safe to  
exclude the "control" list from being escaped like this?  It seems  
that only attributes in the request and proxy-request lists would  
be the real problems.

I am pretty sure I can accomplish this by limiting the dynamic  
portions of basedn and filter as suggested.  Thanks.

>> I couldn't get anything to set the variable until I used an update
>> section.
>
>  Which is what the documentation says.  "update sections updates an
> attribute list".  Nothing else says that.

Would it have been so difficult to say "man unlang see update" instead  
of just "man unlang"?  You spent more time complaining about the way I  
asked the question than it would have taken to answer it. ;)

Thanks again.
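
As an added example (not part of the original message and not FreeRADIUS code), the C program below reproduces the hex-escaping seen in the debug output above and shows the approach the thread settles on: keep the DN structure in a fixed template and escape only the dynamic value. The names `ldap_escape` and `build_basedn` are hypothetical, and the sample input values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Characters the message lists as escaped in expanded values. */
static const char LDAP_SPECIAL[] = ",+\"\\<>;*=()";

/* Hypothetical helper, not FreeRADIUS code: copy `in` to `out`, writing each
 * special character as \XX (lowercase hex). Returns length, or -1 if no room. */
int ldap_escape(char *out, size_t outlen, const char *in)
{
    static const char hex[] = "0123456789abcdef";
    size_t n = 0;

    if (outlen == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (strchr(LDAP_SPECIAL, c)) {
            if (n + 3 >= outlen) return -1;
            out[n++] = '\\';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0f];
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Hypothetical: build "ou=<escaped value>,<fixed suffix>". Only the dynamic
 * value is escaped, so the '=' and ',' of the fixed template stay intact. */
int build_basedn(char *out, size_t outlen, const char *ou, const char *suffix)
{
    char esc[256];
    int n;

    if (ldap_escape(esc, sizeof(esc), ou) < 0) return -1;
    n = snprintf(out, outlen, "ou=%s,%s", esc, suffix);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char buf[128];
    /* Constructed sample value; the suffix is the one from the thread. */
    if (build_basedn(buf, sizeof(buf), "sales,ou=other", "dc=viptalk,dc=net") > 0)
        puts(buf);
    return 0;
}
```

Escaping a whole DN yields the broken `ou\3daccounts...` string from the debug output, while escaping only the inserted value leaves the base DN usable and keeps separators in that value from adding DN components.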



