FreeRadius replaces characters in '%{User-Password}' after upgrade 3.0.16->3.0.19
Herwin Weststrate
herwin at quarantainenet.nl
Thu Jul 18 14:55:14 CEST 2019
On 18-07-19 14:48, Dom Latter wrote:
> On 18/07/2019 12:21, Alan DeKok wrote:
>> The SQL module has always performed character escaping. I'm not
>> sure what changed, if anything.
>>
>> The short answer is that you can expose your SQL server to
>> injection attacks by editing the "safe_characters" string in
>> mods-config/sql/main/mysql/queries.conf
>
> Is using parameterised queries instead anywhere on the roadmap?
https://github.com/FreeRADIUS/freeradius-server/issues/830
There is an issue to do it, but it looks like nobody had any time to fix it.
Meanwhile, PostgreSQL and MySQL have an option driver_specific_escape
that uses driver specific escapes and should fix the problem. It was
introduced pretty recently, so I guess 3.0.19 should have it available.
(Other drivers can be rewritten to include a specific include as well,
it's just that nobody ever did that).
--
Herwin Weststrate
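An added example, not code from FreeRADIUS or from anyone in this thread, that models the built-in escaping rlm_sql applies to an expanded attribute such as %{User-Password}: every character absent from safe_characters is rewritten as =XX (hex of the byte), so editing that string directly controls which characters reach the SQL server unchanged. The SAFE_CHARACTERS value and the query template below are constructed for the example; compare them with your own queries.conf.

```python
# Added example (not FreeRADIUS code). Models rlm_sql's escaping of
# characters outside safe_characters as =XX and shows the effect of
# widening safe_characters, the risk Alan DeKok describes above.

# Constructed value, modeled on the shape of the default in
# mods-config/sql/main/mysql/queries.conf (assumption; check your file).
SAFE_CHARACTERS = (
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789.-_: /"
)


def sql_escape(value: str, safe: str = SAFE_CHARACTERS) -> str:
    """Replace each byte not in `safe` with =XX (uppercase hex).

    Works on the UTF-8 bytes, so a non-ASCII character becomes one =XX
    token per byte, which is how the module treats multi-byte input.
    """
    out = []
    for b in value.encode("utf-8"):
        ch = chr(b)
        if b < 0x80 and ch in safe:
            out.append(ch)
        else:
            out.append("=%02X" % b)
    return "".join(out)


def build_check_query(username: str, safe: str = SAFE_CHARACTERS) -> str:
    """Constructed query in the style of authorize_check_query, with the
    escaped value substituted where %{SQL-User-Name} would expand."""
    return ("SELECT id, username, attribute, value, op FROM radcheck "
            "WHERE username = '%s' ORDER BY id" % sql_escape(username, safe))


def quote_survives(value: str, safe: str = SAFE_CHARACTERS) -> bool:
    """Review check for a proposed safe_characters string: does a single
    quote in the input still reach the SQL literal unescaped?"""
    return "'" in sql_escape(value, safe)


if __name__ == "__main__":
    for safe in (SAFE_CHARACTERS, SAFE_CHARACTERS + "'"):
        print(build_check_query("o'brien", safe), "| quote survives:",
              quote_survives("o'brien", safe))
```

With the constructed default, `o'brien` is sent as `o=27brien`; appending `'` to safe_characters lets the quote through into the literal, which is exactly the change the thread warns against.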