How to escape values in radclient?
rany
rany2 at riseup.net
Sun May 7 09:23:51 UTC 2023
Thank you, so I believe that radclient would just take care of this
after escaping it.
However, I was trying to understand the exact rules of escaping; what
are they?
Currently I'm removing CR and LF and escaping double quotes and
backslashes as you typically would. Is there anything else I should keep
in mind when it comes to putting an input in double quotes?
val="${2//\\/\\\\}" # escape \
val="${val//\"/\\\"}" # escape "
val="${val//$'\n'/}" # drop lf
val="${val//$'\r'/}" # drop cr
RAD_MSG="${RAD_MSG}${1} = \"${val}\""$'\r\n'
On 5/7/23 10:40, Alan DeKok wrote:
> On May 6, 2023, at 4:34 PM, rany <rany2 at riseup.net> wrote:
>> This is what I have so far, I seriously doubt it is safe:
> radclient is just a program, like any other program you run from the shell. So any values you give to radclient need to be "safe", but only from the perspective of the script which is running radclient.
>
> These safety rules are the same for any program running from the shell. See https://unix.stackexchange.com/questions/644415/passing-arguments-to-a-command-safely for some examples.
>
> i.e. the issue of "safety" isn't for radclient. It's for the shell script you use to call radclient. So escaping is the responsibility of the shell script.
>
> Once radclient puts the name / password into a RADIUS packet, it's safe. There is no more escaping needed, as the RADIUS packets can contain any data. And FreeRADIUS knows that the name / password are untrusted. So FreeRADIUS never does anything unsafe with those values.
>
> Alan DeKok.
>
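The escaping discussed above, as an added example that is not part of rany's script or of FreeRADIUS: a bash helper that applies the same four rules (escape backslash first, then double quote, drop CR and LF), emits radclient attribute lines, and hands them to radclient over stdin so the shell never interprets the values. That radclient reads its attribute list from stdin when no -f file is given is assumed here.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: build radclient input from untrusted values.

# rad_escape VALUE: make VALUE safe inside a double-quoted radclient attribute.
rad_escape() {
    local val="$1"
    val="${val//\\/\\\\}"      # \  -> \\   (must run before the quote rule)
    val="${val//\"/\\\"}"      # "  -> \"
    val="${val//$'\n'/}"       # drop LF: a newline would end the attribute line
    val="${val//$'\r'/}"       # drop CR for the same reason
    printf '%s' "$val"
}

# rad_attr NAME VALUE: one 'Name = "value"' line for radclient.
rad_attr() {
    printf '%s = "%s"\n' "$1" "$(rad_escape "$2")"
}

# rad_request NAME VALUE [NAME VALUE ...]: a complete request; the trailing
# blank line terminates one packet in radclient's input format.
rad_request() {
    while [ "$#" -ge 2 ]; do
        rad_attr "$1" "$2"
        shift 2
    done
    echo
}

# Usage (server, secret and credentials are placeholders): the values travel on
# stdin, never on radclient's command line, so the shell cannot misparse them.
#   rad_request User-Name "$user" User-Password "$pass" \
#       | radclient -x radius.example.com auth testing123
```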