When using DOUBLE_QUOTED_STRING, passwords with '\"' may not work

Alan DeKok aland at deployingradius.com
Mon Sep 11 00:13:34 UTC 2023


On Sep 10, 2023, at 7:59 PM, 平林 哲 <Satoshi.Hirabayashi at soliton.co.jp> wrote:
> When using DOUBLE_QUOTED_STRING, passwords with '\"' may not work.

  They should work everywhere.  They're just double quoted strings, and the rules are the same pretty much everywhere.

> Register a user in ActiveDirectory with the password "pass\"word at 2022",
> the following LDAP settings.



> ===
> # cat /usr/local/etc/raddb/mods-enabled/ldap1
> ldap {
>        server = '192.168.1.6'
>        identity = 'cn=tkt10886-3,cn=users,dc=srv2022,dc=rdd-osaka,dc=soliton,dc=example,dc=jp'
>        password = "pass\"word at 2022"

  That works when I test it.

> We also tried several patterns and summarised the results.
> 
>   Password        |   Configuration       | Result
> -------------------|-----------------------|-------
> pass"word at 2022     | "pass\"word at 2022"     |  OK

  Yes, the rules for double quoted strings are the same everywhere.  If you want a double quote inside of a double quoted string, you have to escape it with a backslash: \"

> pass\"word at 2022    | "pass\\"word at 2022"    |  Syntax error

  Yes, that doesn't work.  It's not supposed to work, and it shouldn't work.

  That string is parsed as:

	"pass\\"

  and then

	word at 2022"

  This is how escaping works with backslashes in all languages which support double quoted strings.

> pass\\"word at 2022   | "pass\\\"word at 2022"   |  OK

  Yes, the two backslashes are un-escaped to one backslash.  And then the \" is converted to "

  This is how all double-quoted strings work.

> pass\\\"word at 2022  | "pass\\\\"word at 2022"  |  Syntax error
> 
> As mentioned above, a Syntax Error occurs when '\' is an even number in the configuration.

  Yes.  Because if you have an even number of backslashes, every double-backslash is un-escaped to one backslash.  And then if the parser sees a double quote after that, the double quote is interpreted as the end of the double quoted string.

> Is this the right approach?

  No.

> Any advice would be appreciated.

  See the rules for escaping in double quoted strings.  This is the same for all languages, including the shell.  Try passing those strings to the shell:

$ echo "pass\"word at 2022"
pass"word at 2022

$ echo pass\\"word at 2022"
pass\word at 2022

$ echo "pass\\\"word at 2022"
pass\"word at 2022

$ echo "pass\\\\"word at 2022"

  And that one doesn't output anything, because the shell is waiting for the final quote.

  That final string is parsed as:

	"		--> start double quoted string
	pass 	-->  4 characters
	\\ 		--> one \
	\\		--> another \
	"		--> end of the double quoted string
	word at 2022	--> more text
	"		--> start of new double quoted string.

  Alan DeKok.
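
The escaping rule discussed in this thread, as an added example that is not part of the original message and is not FreeRADIUS's own parser: a simplified scanner that reports where a double-quoted value ends for the four configuration values in the table, plus a helper that produces the correctly escaped form of a password. The function names are hypothetical, and only the `\\` and `\"` escapes are modelled.

```python
# Simplified model of double-quoted string scanning (not FreeRADIUS's parser).
# Only the two escapes discussed in the thread are decoded: \\ and \".

def scan_double_quoted(text):
    """Return (decoded_value, leftover); raise ValueError if never closed."""
    if not text.startswith('"'):
        raise ValueError("expected opening double quote")
    out = []
    i = 1
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            # \\ -> \ and \" -> "; anything else is kept verbatim (assumption)
            out.append(nxt if nxt in '\\"' else ch + nxt)
            i += 2
        elif ch == '"':
            # First unescaped quote ends the string, whatever follows it.
            return "".join(out), text[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated double-quoted string")


def check_config_value(text):
    """Classify a config value as ('OK', decoded) or ('Syntax error', reason)."""
    try:
        value, leftover = scan_double_quoted(text)
    except ValueError as exc:
        return ("Syntax error", str(exc))
    if leftover.strip():
        return ("Syntax error", "string ended early, leftover: " + leftover)
    return ("OK", value)


def quote_for_config(password):
    """Escape backslashes first, then double quotes, and wrap in quotes."""
    return '"' + password.replace("\\", "\\\\").replace('"', '\\"') + '"'


if __name__ == "__main__":
    # The four configuration values from the table in the thread.
    for cfg in [r'"pass\"word at 2022"', r'"pass\\"word at 2022"',
                r'"pass\\\"word at 2022"', r'"pass\\\\"word at 2022"']:
        print(cfg, "->", check_config_value(cfg))
```

Escaping backslashes before quotes in `quote_for_config` matters: doing it in the other order would double the backslash that was just added in front of each quote.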


