SQL-User-Name in %{sql:..} expansion
Matthew Newton
mcn4 at leicester.ac.uk
Thu May 19 01:40:49 CEST 2016
On Wed, May 18, 2016 at 10:18:01AM -0400, Arran Cudbard-Bell wrote:
>
> >
> > Probably the easiest way without radius_xlat calling some sort of
> > module "pre-xlat" function before doing the xlat. Or having a
> > "delayed expansion" flag which tells radius_xlat not to expand
> > anything and to let the module do it. But I guess that's what
> > happened before; it was probably fixing all the \\\\\\\\ escaping
> > madness that broke this...
>
> SQL-User-Name is only useful because it expands to the group
> being processed. For everything else the xlat escape function
> will prevent injection attacks.
OK.
So is it worth removing the sql_set_user() call from sql_xlat so
that the xlat doesn't add SQL-User-Name?
As it's not available to use in the actual xlat it seems like it's
just a side effect that's confusing. It's still available in other
sql calls of course.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>