safe_characters issue
Alan DeKok
aland at deployingradius.com
Wed Jun 17 15:20:28 CEST 2020
On Jun 17, 2020, at 8:55 AM, Fabrice Durand <fdurand at inverse.ca> wrote:
>
> I am trying to set the safe_characters in a sql configuration and it looks like the safe characters are not working anymore (at least the extra ones I add).
I'd suggest avoiding "safe_characters".
From 3.0.18:
* Some SQL modules can now use "auto_escape" to escape unsafe strings.
See mods-config/sql/main/mysql/queries.conf
> I have the following configuration:
>
> ```
>
> sql sql_degraded {
> ...
> safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
> }
>
> ```
>
> I added (),' as extra char.
That should still work.
>
> Following the trace from freeradius 3.0.21 (doesn't work) and from freeradius-3.0.13 (works) for exactly the same radius request and exactly the same configuration:
The key point for the sql_degraded module is:
> authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{Calling-Station-Id}' ORDER BY id"
> group_membership_query = ""
> safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
> auto_escape = no
>
So it's not picking up the "safe_characters" string you set.
Probably because of this:
...
$INCLUDE ${modconfdir}/${.:name}/main/mysql/reject.conf
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
...
If the "reject.conf" file *also* has "safe_characters" set, that one will be used instead of the extra one you added.
You can't "over-ride" configuration items by adding a second one.
Alan DeKok.
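
A check for the situation described in the reply above, as an added example that is not part of the original thread or of FreeRADIUS: it expands `$INCLUDE` lines in place and lists every configuration item that is set more than once in the same section, earliest first (per the reply, the earlier one is used). The file names and contents are constructed, `find_duplicates` is a hypothetical helper, and `${...}` variable expansion in include paths is not handled.

```python
import re

# Constructed sample files (not from the thread): a module block whose
# included file already sets safe_characters before the local override.
FILES = {
    "mods-enabled/sql_degraded": '''
sql sql_degraded {
    $INCLUDE reject.conf
    safe_characters = "@abc.-_: /(),'"
}
''',
    "reject.conf": '''
safe_characters = "@abc.-_: /"
''',
}

ITEM = re.compile(r'^([A-Za-z_][\w.-]*)\s*=\s*(.*)$')
INCLUDE = re.compile(r'^\$INCLUDE\s+(\S+)$')

def find_duplicates(root, files):
    """Return {(section, key): [(file, line, value), ...]} for keys set twice or more."""
    seen, stack = {}, []          # stack holds the enclosing section headers

    def walk(name):
        for lineno, raw in enumerate(files[name].splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            inc, item = INCLUDE.match(line), ITEM.match(line)
            if inc:               # included items land in the current section
                walk(inc.group(1))
            elif line.endswith("{"):
                stack.append(line[:-1].strip())
            elif line == "}":
                stack.pop()
            elif item:
                key = ("/".join(stack), item.group(1))
                seen.setdefault(key, []).append((name, lineno, item.group(2)))

    walk(root)
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (section, key), hits in find_duplicates("mods-enabled/sql_degraded", FILES).items():
        print(f"{key} is set {len(hits)} times in '{section}':")
        for n, (path, lineno, value) in enumerate(hits, 1):
            print(f"  {n}. {path}:{lineno}  {value}")
```
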