"+" string converted to "=2B" in SQL request

Alan DeKok aland at deployingradius.com
Tue Mar 6 14:41:33 CET 2018


On Mar 6, 2018, at 4:37 AM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> Alan and I have had long discussions about the advantages and disadvantages of tainted values. I can see having to explicitly taint or escape any dynamic inputs to queries in the default config to get them to work reliably for everyone, at which point the scheme seems to lose some of its value.
> 
> The one big advantage is that it lets users easily control which values are escaped and which aren't via %{taint:} %{untaint:}, without needing to call explicit escape and unescape functions.

  TBH, it might be good to have something like an "update" section handle this...

	verify {
		User-Name =~ /^abcd$/
		...
	}

* for regexes, *all* of the attribute has to match
* for '==', it has to match exactly
* all other comparisons are disallowed...

  If the attribute matches, then it's marked as "untainted".  That's likely simpler than a generic %{untaint:..} expansion.

> Anyway if anyone wants to help out with the prepared statement stuff it is at the stage where it's per-driver code that needs writing, i.e. all the infrastructure has been completed, someone just needs to look through and figure out the correct API functions to call.

  That would be almost magical in its usefulness...

  Alan DeKok.
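The tainting scheme and the proposed `verify` section above, as an added example that is not part of the original thread and not FreeRADIUS code: values arriving from the wire start out tainted; a `verify` rule untaints a value only when a regex matches the whole attribute (`=~`) or the value is an exact match (`==`), any other operator is rejected; when a still-tainted value is expanded into a query, every byte outside a safe set is rewritten as `=XX`, which is the `+` to `=2B` behaviour in the subject line. The safe character set, the rule tuples, the `radcheck` query shape and the sample inputs are all assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Assumed safe set for this example only; FreeRADIUS's real list differs.
SAFE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_-.:/"
)


@dataclass(frozen=True)
class Value:
    """An attribute value; anything read from a packet starts tainted."""
    text: str
    tainted: bool = True


def escape(text: str) -> str:
    """Rewrite every UTF-8 byte outside SAFE_CHARS as '=XX' (uppercase hex),
    so '+' (0x2B) becomes '=2B', a quote becomes '=27', a space '=20'."""
    out = []
    for b in text.encode("utf-8"):
        c = chr(b)
        out.append(c if c in SAFE_CHARS else "=%02X" % b)
    return "".join(out)


def verify(value: Value, rules) -> Value:
    """Apply a list of (operator, operand) rules as the proposed 'verify'
    section would: '=~' must match the *whole* attribute, '==' must match
    exactly, and every other operator is disallowed.  The value is untainted
    only if every rule passes; otherwise it stays tainted and will be escaped."""
    for op, operand in rules:
        if op == "=~":
            # fullmatch, not search: '^abcd$' against 'abcd+' must fail
            ok = re.fullmatch(operand, value.text) is not None
        elif op == "==":
            ok = value.text == operand
        else:
            raise ValueError("operator %r is not allowed in verify" % op)
        if not ok:
            return value
    return Value(value.text, tainted=False)


def expand(value: Value) -> str:
    """Expand a value into a query fragment: untainted text passes through
    unchanged, tainted text is escaped byte by byte."""
    return value.text if not value.tainted else escape(value.text)


def build_query(user_name: Value) -> str:
    # Assumed query shape; only the expansion of the value matters here.
    return "SELECT id FROM radcheck WHERE username = '%s'" % expand(user_name)


if __name__ == "__main__":
    # Constructed sample inputs
    for raw in ("abcd", "abcd+", "bob's"):
        v = verify(Value(raw), [("=~", "^abcd$")])
        print("%-6s tainted=%-5s -> %s" % (raw, v.tainted, build_query(v)))
```

Run stand-alone it prints one line per sample: `abcd` passes the anchored regex, is untainted and reaches the query as-is, while `abcd+` and `bob's` fail the full-attribute match, stay tainted and are expanded as `abcd=2B` and `bob=27s`. The point of gating on `fullmatch` rather than `search` is that a pattern which merely occurs somewhere inside the value must not be enough to untaint it.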
