safe_characters issue
Alan DeKok
aland at deployingradius.com
Wed Jun 17 21:59:10 CEST 2020
On Jun 17, 2020, at 3:23 PM, Fabrice Durand <fdurand at inverse.ca> wrote:
> sorry to bother you.
Fixing bugs is what I do...
> I did one last test: I built a new binary and reverted a few commits in 3.0.21 (attached to this email) in the rlm_sql modules, and now freeradius takes the safe_characters values from the sql_degraded{...} section and not the sql {...} section anymore (like it worked in freeradius 3.0.13).
>
> My skills in C are not good enough to find the issue, but it looks like the "sql_escape_func" uses the main sql section.
The sql_escape_func() uses whatever configuration is in the SQL connection that it's using.
i.e. If you configure sql_degraded to use the connection pool from the main SQL module, then the escaping is done using that configuration.
So you have:
    sql sql_degraded {
        ...
        pool = sql
    }
Which means that the "safe_characters" is taken from the main "sql" module.
I admit that this behaviour is somewhat surprising, but... I also have to ask, why use different "safe_characters" for connections to the same back-end database? Do the safe_characters really change, depending on the SQL module, and not the database?
My $0.02 is to just set "auto_escape = yes", and the problem goes away. All escaping is done via the database library (not FreeRADIUS), and everything Just Works.
Alan DeKok.
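
The behaviour described in this reply, as an added example that is not part of the original message and is not FreeRADIUS code: a small model of two SQL module instances in which the one with "pool = sql" ends up escaping with the pool owner's safe_characters. The class, the sample character sets, the sample value and the =XX hex encoding of disallowed bytes are assumptions made for illustration.

```python
# Simplified model (an assumption, not FreeRADIUS source): every SQL module
# instance has its own safe_characters, but escaping uses the settings of
# whichever instance owns the connection pool the query runs on.
from dataclasses import dataclass
from typing import Optional


@dataclass
class SqlInstance:
    name: str
    safe_characters: str
    pool: Optional["SqlInstance"] = None  # models "pool = <other instance>"

    def pool_owner(self) -> "SqlInstance":
        # Follow "pool = ..." to the instance that really owns the connections.
        inst = self
        while inst.pool is not None:
            inst = inst.pool
        return inst

    def effective_safe_characters(self) -> str:
        return self.pool_owner().safe_characters

    def escape(self, value: str) -> str:
        # Assumed encoding: any byte outside the allowed set becomes =XX hex.
        safe = self.effective_safe_characters()
        out = []
        for byte in value.encode("utf-8"):
            ch = chr(byte)
            if 0x20 <= byte < 0x7F and ch in safe:
                out.append(ch)
            else:
                out.append(f"={byte:02X}")
        return "".join(out)


# Constructed sample configuration: the degraded instance allows ':' but
# borrows the main instance's pool, so its own list is never consulted.
ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
main_sql = SqlInstance("sql", ALNUM + "@.-_")
degraded = SqlInstance("sql_degraded", ALNUM + "@.-_: /", pool=main_sql)
standalone = SqlInstance("sql_degraded", ALNUM + "@.-_: /")  # own pool


def demo(value: str = "00:11:22:aa:bb:cc"):
    # Returns (escaped via shared pool, escaped via own pool).
    return degraded.escape(value), standalone.escape(value)
```
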