Can unlang do this?
Chris
cjl at viptalk.net
Thu Apr 24 19:53:11 CEST 2008
On Apr 24, 2008, at 4:21 AM, Alan DeKok wrote:
> Chris wrote:
>> gets me closer, but I have quoting issues:
>>
>> expand: %{control:Tmp-String-1} -> ou\3daccounts\2cdc\3dviptalk\2cdc
>> \3dnet
>
> Hmm... OK, to fix that you'll have to update the LDAP module. Or,
> ensure that the *dynamic* portions of the basedn don't contain '='.
Or any of these, for that matter: ",+\"\\<>;*=()"
I guess the trick is fixing it (breaking it?) so this works without
opening up any vectors for injection attacks. Would it be safe to
exclude the "control" list from being escaped like this? It seems
that only attributes in the request and proxy-request lists would
be the real problems.
I am pretty sure I can accomplish this by limiting the dynamic
portions of basedn and filter as suggested. Thanks.
>> I couldn't get anything to set the variable until I used an update
>> section.
>
> Which is what the documentation says. "update sections updates an
> attribute list". Nothing else says that.
Would it have been so difficult to say "man unlang see update" instead
of just "man unlang"? You spent more time complaining about the way I
asked the question than it would have taken to answer it. ;)
Thanks again.
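
Added example, not part of the original message and not FreeRADIUS code: a minimal C sketch of escaping only the dynamic portion of a base DN while the static structure is copied unescaped. The escape set is the one listed in the message and the \xx form matches the debug line quoted above; the "{}" marker, the function names and the sample value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* The characters the post lists as being escaped. */
static const char SPECIALS[] = ",+\"\\<>;*=()";

/* Append src to dst, writing each special as \xx; -1 if dst is too small. */
static int append_escaped(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(dst);
    for (; *src; src++) {
        if (strchr(SPECIALS, *src)) {
            if (n + 3 >= cap) return -1;
            n += (size_t)snprintf(dst + n, cap - n, "\\%02x", (unsigned char)*src);
        } else {
            if (n + 1 >= cap) return -1;
            dst[n++] = *src;
            dst[n] = '\0';
        }
    }
    return 0;
}

/* Copy tmpl literally; escape only the value placed at the "{}" marker
 * (hypothetical placeholder syntax, not unlang). */
int build_basedn(char *out, size_t cap, const char *tmpl, const char *value)
{
    const char *mark = strstr(tmpl, "{}");
    size_t head = mark ? (size_t)(mark - tmpl) : strlen(tmpl), n, tail;
    if (head >= cap) return -1;
    memcpy(out, tmpl, head);
    out[head] = '\0';
    if (!mark) return 0;
    if (append_escaped(out, cap, value) < 0) return -1;
    n = strlen(out);
    tail = strlen(mark + 2);
    if (n + tail >= cap) return -1;
    memcpy(out + n, mark + 2, tail + 1);
    return 0;
}

int main(void)
{
    char a[128], b[128];
    /* a: whole string escaped, static '=' and ',' included; b: only the value. */
    build_basedn(a, sizeof a, "{}", "ou=accounts,dc=viptalk,dc=net");
    build_basedn(b, sizeof b, "ou={},dc=viptalk,dc=net", "a,ou=other"); /* constructed */
    printf("%s\n%s\n", a, b);
    return 0;
}
```

The first call reproduces the over-escaped string from the debug output; the second keeps the static DN structure intact and neutralises the separators inside the substituted value.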