Escaping * in ldap filters

Peter Lambrechtsen peter at crypt.nz
Wed Nov 16 04:44:24 CET 2016


On Wed, Nov 16, 2016 at 3:06 AM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Nov 14, 2016, at 3:33 AM, Peter Lambrechtsen <peter at crypt.nz> wrote:
> >
> > Running 3.0.x head from a few months ago.
> >
> > I'm trying to have a ldap search filter that if I don't have an existing
> > VSA set then default to a *
> >
> > filter = "(&(SIID=%{Alc-Subsc-ID-Str})(Line=%{%{LineID}:-*}))"
> >
> > That in theory should mean if I don't have a LineID included in the
> request
> > then I would return * instead, but it keeps on getting escaped.
>
>   We really need functionality like Perl's "taint" mode.  Data taken from
> a configuration file is "clean".  Data taken from the network is
> "tainted".  Which would solve this issue.
>
>   But... doing that work isn't trivial.  And we're busy with a lot of
> other changes, including 4.0 async support.
>
>   In some cases, you can put the filter into an attribute, and then use
> that.  I'm not sure that works here, though.
>
>   I'll take a look...
>
I messaged Aaran and he was awesome (as always).

If I build the filter in unlang to a temp VSA, and then use that it works
fine.

ldap {
    ...
    filter = &Tmp-String-9
}

Then

update request {
    Tmp-String-9 := "(&(SIID=Bla)(Line=*))"
}

And then it doesn't get escaped.

Yay :)
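The thread boils down to the "taint" idea Alan raises: a `*` written in the server configuration is a wildcard the administrator meant, while a `*` (or a `)`) arriving in a RADIUS attribute is data that must be escaped before it is interpolated into an LDAP filter. The following is an added example, not FreeRADIUS or rlm_ldap code, written in Python to make that distinction concrete. It escapes assertion values per RFC 4515 section 3 (`\` `*` `(` `)` and NUL become `\5c` `\2a` `\28` `\29` `\00`) and models the `%{%{LineID}:-*}` fallback as "tainted attribute if present, clean config default otherwise". The `Value`/`build_filter` helpers and the sample request dicts are constructed for the illustration and do not reflect how FreeRADIUS tracks data origin internally.

```python
# Added example (not FreeRADIUS code): an RFC 4515 assertion-value escaper
# plus a minimal "taint" model of the config-clean / network-tainted idea
# from the thread.  Request attributes are always escaped; the fallback
# default from the configuration is inserted verbatim, so a configured "*"
# stays a wildcard while a "*" sent by a client does not.

from dataclasses import dataclass
from typing import Mapping

# RFC 4515 section 3: these characters must be encoded as \XX inside an
# assertion value.  NUL is included because it would truncate a C string.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for safe use inside an LDAP search filter."""
    # Per-character mapping, so a backslash is never escaped twice.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class Value:
    """A filter operand together with where it came from (hypothetical model)."""
    text: str
    tainted: bool  # True: came off the network; False: came from the config file

    def render(self) -> str:
        return escape_filter_value(self.text) if self.tainted else self.text


def attr_or_default(request: Mapping[str, str], name: str, default: str) -> Value:
    """Model of %{%{name}:-default}: tainted attribute if present, clean default if not."""
    if name in request:
        return Value(request[name], tainted=True)
    return Value(default, tainted=False)


def build_filter(request: Mapping[str, str]) -> str:
    """Taint-aware version of the filter from the original post."""
    if "Alc-Subsc-ID-Str" not in request:
        raise ValueError("Alc-Subsc-ID-Str is required to build the filter")
    siid = Value(request["Alc-Subsc-ID-Str"], tainted=True)
    line = attr_or_default(request, "LineID", "*")  # "*" is the config default
    return f"(&(SIID={siid.render()})(Line={line.render()}))"


def build_filter_naive(request: Mapping[str, str]) -> str:
    """What happens with no escaping at all: the classic LDAP injection."""
    siid = request["Alc-Subsc-ID-Str"]
    line = request.get("LineID", "*")
    return f"(&(SIID={siid})(Line={line}))"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    no_line = {"Alc-Subsc-ID-Str": "sub-1"}
    client_star = {"Alc-Subsc-ID-Str": "sub-1", "LineID": "*"}
    injection = {"Alc-Subsc-ID-Str": "x)(objectClass=*", "LineID": "l1"}
    print(build_filter(no_line))          # config default "*" kept as wildcard
    print(build_filter(client_star))      # client-supplied "*" escaped to \2a
    print(build_filter_naive(injection))  # injected clause survives
    print(build_filter(injection))        # injected clause neutralised
```

The point to take from the three sample requests: a missing `LineID` yields the intended `(Line=*)`, a client sending `LineID=*` yields `(Line=\2a)` (a literal asterisk, not a wildcard), and a subscriber ID of `x)(objectClass=*` is only harmless when every byte that came from the request goes through `escape_filter_value`. Building the whole filter string in a configuration-side attribute, as in the unlang workaround above, is the same trade-off expressed in FreeRADIUS terms: the literal you write there is clean by construction, so make sure nothing from the request is concatenated into it unescaped.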

