regex 'fun'

Alexander Clouter alex at digriz.org.uk
Tue Nov 3 10:21:08 CET 2009


Hi,

Whilst trawling my logs to see what new interesting ways in which our 
userbase has gone and borked their workstations, I noticed that we are 
proxying realms upstream (to eduroam) that we should not be.....in this 
case it seems to be realms with spaces in them.

If anyone reads the guff I dump out onto this mailing list you might 
have stumbled onto a policy definition I use to catch completely broken 
realms:
----
# only needs to be close enough to catch unroutable guff
validate_username {
        if (User-Name !~ /@/ \
                        || ( \
                                User-Name !~ /@.*@/ \
                                && User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/ \
                        ) \
        ) {
                ok
        }
        else {
                update reply {
                        Reply-Message := "Invalid User-Name Syntax"
                }
                reject
        }
}
----

This pretty much deals with 'double' realms, and badly formed usernames 
(the NULL realm condition is blocked elsewhere).  It is then used like so:
----
authorize {
        preprocess

        rewrite.called_station_id   <---- sanitiser
        rewrite.calling_station_id  <---- sanitiser

        rewrite.quirk.wlc           <---- sanitiser

        validate_username

        suffix

        ....
}
----

The sanitising entries do not touch the User-Name field at all.

Now if I fake some of the cruft I see I get:
----
rad_recv: Access-Request packet from host 172.31.3.41 port 1645, id=85, length=242
        User-Name = "dsadadasda@Globalsign Root CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-19-30-78-60-A5"
        Calling-Station-Id = "00-12-3F-E5-55-3C"
        EAP-Message = 
0x02010022016473616461646173646140476c6f62616c7369676e20526f6f74204341
        Message-Authenticator = 0x1f4ef372e5c3cb6ab4c2354ac9ce36d0
        Cisco-AVPair = "audit-session-id=AC1F04BD000019806FAB0F27"
        NAS-Port-Type = Ethernet
        NAS-Port = 50133
        NAS-Port-Id = "FastEthernet1/0/33"
        NAS-IP-Address = 172.31.3.41
server dot1x {
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy rewrite.called_station_id {...}
[RFCise the Called-Station-ID]
++- policy rewrite.called_station_id returns ok
++- entering policy rewrite.calling_station_id {...}
[RFCise the Calling-Station-ID]
++- policy rewrite.calling_station_id returns ok
++- entering policy rewrite.quirk.wlc {...}
[RFCise the crap Cisco's WLC 4400 returns]
++- policy rewrite.quirk.wlc returns noop
++- entering policy validate_username {...}
+++? if (User-Name !~ /@/                               || (                                    User-Name !~ /@.*@/                                     && User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/                              )               )
? Evaluating (User-Name !~ /@/) -> FALSE
?? Evaluating (User-Name !~ /@.*@/) -> TRUE
?? Evaluating (User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/) -> TRUE
+++? if (User-Name !~ /@/                               || (                                    User-Name !~ /@.*@/                                     && User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/                              )               ) -> TRUE
+++- entering if (User-Name !~ /@/                              || (                                    User-Name !~ /@.*@/                                     && User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/                              )               ) {...}
++++[ok] returns ok
+++- if (User-Name !~ /@/                               || (                                    User-Name !~ /@.*@/                                     && User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/                              )               ) returns ok
+++ ... skipping else for request 103: Preceding "if" was taken
++- policy validate_username returns ok
[suffix] Looking up realm "Globalsign Root CA" for User-Name = "dsadadasda@Globalsign Root CA"
[suffix] Found realm "DEFAULT"
[suffix] Adding Realm = "DEFAULT"
[suffix] Proxying request from user dsadadasda to realm DEFAULT
[suffix] Preparing to proxy authentication request to realm "DEFAULT"
++[suffix] returns updated
----

Okay, maybe my regex is bad...so I tested it:
----
alex@berk:~$ cat moo 
xwFMNc02QnAbZlQ9wI9tiG@GlobalSignRootCA.test
xwFMNc02QnAbZlQ9wI9tiG@GlobalSign Root CA
wobble@example.com
wibble@example.co.uk

alex@berk:~$ grep '[[:graph:]]*@\([-[:alnum:]]\+\.\)\+[[:alpha:]]\{2,\}' moo
xwFMNc02QnAbZlQ9wI9tiG@GlobalSignRootCA.test
wobble@example.com
wibble@example.co.uk
----

Any ideas?  Bug?  Feature?

Cheers

-- 
Alexander Clouter
.sigmonster says: They're only trying to make me LOOK paranoid!