Escaping * in ldap filters
Peter Lambrechtsen
peter at crypt.nz
Wed Nov 16 04:44:24 CET 2016
On Wed, Nov 16, 2016 at 3:06 AM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Nov 14, 2016, at 3:33 AM, Peter Lambrechtsen <peter at crypt.nz> wrote:
> >
> > Running 3.0.x head from a few months ago.
> >
> > I'm trying to have a ldap search filter that if I don't have an existing
> > VSA set then default to a *
> >
> > filter = "(&(SIID=%{Alc-Subsc-ID-Str})(Line=%{%{LineID}:-*}))"
> >
> > That in theory should mean if I don't have a LineID included in the
> > request then I would return * instead, but it keeps on getting escaped.
>
> We really need functionality like Perl's "taint" mode. Data taken from
> a configuration file is "clean". Data taken from the network is
> "tainted". Which would solve this issue.
>
> But... doing that work isn't trivial. And we're busy with a lot of
> other changes, including 4.0 async support.
>
> In some cases, you can put the filter into an attribute, and then use
> that. I'm not sure that works here, though.
>
> I'll take a look...
>

I messaged Aaran and he was awesome (as always).

If I build the filter in unlang to a temp VSA, and then use that it works
fine.

    ldap {
        ...
        filter = &Tmp-String-9
    }

Then

    update request {
        Tmp-String-9 := "(&(SIID=Bla)(Line=*))"
    }

And then it doesn't get escaped.

Yay :)
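
Added example (not part of the original post and not FreeRADIUS code): a small Python model of the "taint" idea Alan describes, applied to the filter from this thread. Text from the configured template, including the `:-*` default, is emitted as written, while request attribute values are escaped per RFC 4515. The names `expand` and `escape_value` and the sample requests are hypothetical, and `taint_aware=False` is an assumed simplification of the escape-everything behaviour Peter observed.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Matches %{%{Name}:-default} first, then plain %{Name}.
_PATTERN = re.compile(r"%\{%\{([\w-]+)\}:-([^}]*)\}|%\{([\w-]+)\}")


def escape_value(value):
    """Escape a string so it can only ever be a literal filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template, request, taint_aware=True):
    """Expand a config-supplied filter template against request attributes.

    Values taken from the request (network data) are always escaped.
    Default text written in the template (config data) is left alone when
    taint_aware is True, and escaped like everything else when it is False.
    """
    def substitute(match):
        name, default, plain = match.groups()
        value = request.get(name or plain)
        if value is not None:
            return escape_value(value)      # tainted: came from the network
        default = default or ""
        return default if taint_aware else escape_value(default)

    return _PATTERN.sub(substitute, template)


# The filter from the post, plus constructed sample requests.
FILTER = "(&(SIID=%{Alc-Subsc-ID-Str})(Line=%{%{LineID}:-*}))"
NO_LINE = {"Alc-Subsc-ID-Str": "Bla"}
HOSTILE = {"Alc-Subsc-ID-Str": "Bla", "LineID": "x)(uid=*"}

if __name__ == "__main__":
    print(expand(FILTER, NO_LINE, taint_aware=False))  # default gets escaped
    print(expand(FILTER, NO_LINE))                     # default stays a wildcard
    print(expand(FILTER, HOSTILE))                     # request data stays literal
```
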