How to escape values in radclient?

Alan DeKok aland at deployingradius.com
Sun May 7 07:40:28 UTC 2023


On May 6, 2023, at 4:34 PM, rany <rany2 at riseup.net> wrote:
> This is what I have so far, I seriously doubt it is safe:

  radclient is just a program, like any other program you run from the shell.  So any values you give to radclient need to be "safe", but only from the perspective of the script which is running radclient.

  These safety rules are the same for any program running from the shell.  See https://unix.stackexchange.com/questions/644415/passing-arguments-to-a-command-safely for some examples.

  i.e. the issue of "safety" isn't for radclient.  It's for the shell script you use to call radclient.  So escaping is the responsibility of the shell script.

  Once radclient puts the name / password into a RADIUS packet, it's safe.  There is no more escaping needed, as the RADIUS packets can contain any data.  And FreeRADIUS knows that the name / password are untrusted.  So FreeRADIUS never does anything unsafe with those values.

  Alan DeKok.
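
The shell-side rule from the reply above, as an added example that is not part of the original post or of FreeRADIUS. `show_args` is a hypothetical stand-in for the called program (radclient in the post), and the sample value is constructed.

```shell
#!/bin/sh
# show_args: hypothetical stand-in for the program the script runs.
# It prints the argument count and each argument in brackets, so we can see
# exactly what the shell handed over to it.
show_args() {
    printf '%d' "$#"
    for a in "$@"; do printf ' [%s]' "$a"; done
    printf '\n'
}

# UNSAFE: eval re-parses the value as shell source, so ';', quotes and
# command substitutions inside the value are acted on by the shell.
call_eval() { eval "show_args $1"; }

# UNSAFE: an unquoted expansion is word-split and glob-expanded, so one
# value can turn into several arguments.
call_unquoted() { show_args $1; }

# SAFE: a quoted expansion reaches the program as exactly one argument,
# byte for byte, whatever characters it contains.
call_quoted() { show_args "$1"; }

# SAFE for data sent on stdin: fixed printf format, value passed as data,
# so '%' and '\' sequences inside the value are not interpreted.
feed_stdin() { printf '%s\n' "$1" | cat; }

# Constructed sample value, as it might arrive from an untrusted source.
sample='bob smith; echo INJECTED'
call_eval "$sample"       # shell runs the text after ';' as a second command
call_unquoted "$sample"   # value is split into four separate arguments
call_quoted "$sample"     # value arrives intact as one argument
```

Only the quoted form hands the program the value the script received; what the program then does with it is outside the shell's concern.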


