Problem with exec shell_escape option

Alan DeKok aland at deployingradius.com
Wed Dec 21 19:51:28 CET 2016


On Dec 21, 2016, at 1:42 PM, Brian Candler <b.candler at pobox.com> wrote:
> 
> I'm trying to get exec to pass a string as an argument without any shell quoting, but not succeeding. This is with freeradius 3.0.12 under Ubuntu 16.04.

  Strings are escaped when passed to the shell.  That's a security requirement, and can't be changed.

  The strings *should* be escaped properly, so that the shell can un-escape them and use them, though.

> testpolicy {
>  update request {
>    &Tmp-String-0 := " foo ' bar \" baz \\ qux "
>    &Tmp-String-1 := "%{exec1:/usr/local/bin/showarg %{Tmp-String-0}}"
>    &Tmp-String-2 := "%{exec1:/usr/local/bin/showarg '%{Tmp-String-0}'}"
>    &Tmp-String-3 := "%{exec2:/usr/local/bin/showarg %{Tmp-String-0}}"
>    &Tmp-String-4 := "%{exec2:/usr/local/bin/showarg '%{Tmp-String-0}'}"
>  }
> }
> 
> # /usr/local/bin/showarg
> 
> #!/bin/sh
> echo "Arg is <$1>" >>/tmp/exec.log
> 
> 
> Results:
> 
> - 1 and 3 fail with "rad_expand_xlat: Invalid string passed as argument"
> 
> - 2 and 4 both apply shell quoting to the argument
> 
> # cat /tmp/exec.log
> Arg is <\ foo\ \'\ bar\ "\ baz\ \ qux\ >
> Arg is <\ foo\ \'\ bar\ "\ baz\ \ qux\ >
> 
> 
> Debug output:
> 
> (0)     policy testpolicy {
> (0)       update request {
> (0)         &Tmp-String-0 := " foo ' bar \" baz \\ qux "
> (0)         Executing: /usr/local/bin/showarg \ foo\ \'\ bar\ "\ baz\ \\ qux\ :
> rad_expand_xlat: Invalid string passed as argument

  Hmm... the string expansion looks OK.  i.e. there are enough backslashes.  The issue seems to be that the string un-expansion is expecting "\ " only here, and is getting upset over the \'

> So it looks like the shell_escape setting isn't doing anything. What am I missing?

  It should work.  I'll see if I can add some tests.

  But in general, passing user input to an exec'd program is a bad idea.  It's useful, but there are just too many opportunities for the user to do something bad.

> However, I can see from the source that it has hooks for the various module lifecycle stages; indeed, the sites-available/default config invokes it in the accounting and post-auth stages:
> 
>        # For Exec-Program and Exec-Program-Wait
>        exec

  That's historical.

> So is the comment that exec is "useful only for 'xlat'" incorrect?

  It's mostly correct.  The Exec-Program and Exec-Program-Wait functionality should be removed in v4.

  Alan DeKok.
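
As an added illustration (not FreeRADIUS's code, and not from either poster): one way to backslash-escape a value into a single shell word and then split the command line back into argv without invoking a shell. The `accept` parameter of `split_args` lets a tokenizer accept only `\ `, which reproduces the kind of rejection seen above when it meets `\'`; the sample value is the Tmp-String-0 value from the policy, constructed here as a Python literal, and `SAFE` is an assumed character set, not FreeRADIUS's table.

```python
import shlex
import string

# Characters left unescaped; constructed for this example, not FreeRADIUS's table.
SAFE = set(string.ascii_letters + string.digits + "@%+=:,./-_")

def shell_escape(value: str) -> str:
    """Backslash-escape every character outside SAFE so the shell sees the
    whole value as one literal word: no quoting, globbing or expansion."""
    return "".join(c if c in SAFE else "\\" + c for c in value)

def split_args(cmdline: str, accept=None) -> list:
    """Split an escaped command line into argv without a shell. accept=None
    lets a backslash escape any character; a set such as {" "} allows only
    those, so a '\\'' is rejected like the 'Invalid string' error above."""
    args, cur, i = [], [], 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            nxt = cmdline[i + 1:i + 2]
            if not nxt or (accept is not None and nxt not in accept):
                raise ValueError("Invalid string passed as argument")
            cur.append(nxt)
            i += 2
        elif c.isspace():
            if cur:
                args.append("".join(cur))
                cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if cur:
        args.append("".join(cur))
    return args

def rejects(cmdline: str, accept) -> bool:
    try:
        split_args(cmdline, accept)
        return False
    except ValueError:
        return True

def shlex_agrees(cmdline: str) -> bool:
    """Cross-check against the stdlib's POSIX-shell tokenizer."""
    return shlex.split(cmdline) == split_args(cmdline)

# Constructed sample: the Tmp-String-0 value from the policy, un-quoted.
USER_VALUE = " foo ' bar \" baz \\ qux "
CMDLINE = "/usr/local/bin/showarg " + shell_escape(USER_VALUE)
```

Passing `split_args(CMDLINE)` straight to an exec-style call (no shell) hands the program the original value as one argument, which is the outcome the policy above was trying to get.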
