SQL-User-Name in %{sql:..} expansion
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed May 18 16:18:01 CEST 2016
>
> Probably the easiest way without radius_xlat calling some sort of
> module "pre-xlat" function before doing the xlat. Or having a
> "delayed expansion" flag which tells radius_xlat not to expand
> anything and to let the module do it. But I guess that's what
> happened before; it was probably fixing all the \\\\\\\\ escaping
> madness that broke this...
SQL-User-Name is only useful because it expands to the group being processed. For everything else the xlat escape function will prevent injection attacks.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20160518/3aad8123/attachment.sig>
More information about the Freeradius-Users
mailing list