When using DOUBLE_QUOTED_STRING, passwords with '\"' may not work
平林 哲
Satoshi.Hirabayashi at soliton.co.jp
Mon Sep 11 01:16:56 UTC 2023
On 2023/09/11 9:13, Alan DeKok wrote:
> On Sep 10, 2023, at 7:59 PM, 平林 哲 <Satoshi.Hirabayashi at soliton.co.jp> wrote:
>> ===
>> # cat /usr/local/etc/raddb/mods-enabled/ldap1
>> ldap {
>> server = '192.168.1.6'
>> identity = 'cn=tkt10886-3,cn=users,dc=srv2022,dc=rdd-osaka,dc=soliton,dc=example,dc=jp'
>> password = "pass\"word at 2022"
>
> That works when I test it.
Sorry.
I had made a mistake.
The following settings cause the error:
===
# cat /usr/local/etc/raddb/mods-enabled/ldap1
ldap {
server = '192.168.1.6'
identity = 'cn=tkt10886-3,cn=users,dc=srv2022,dc=rdd-osaka,dc=soliton,dc=example,dc=jp'
password = "pass\\"word at 2022"
base_dn = 'dc=srv2022,dc=rdd-osaka,dc=soliton,dc=example,dc=jp'
===
>> pass\\"word at 2022 | "pass\\\"word at 2022" | OK
>
> Yes, the two backslashes are un-escaped to one backslash. And then the \" is converted to "
>
> This is how all double-quoted strings work.
That's how FreeRADIUS currently works.
However, it behaves differently in the shell.
===
$ echo "pass\\\"word at 2022"
pass\"word at 2022
===
Maybe the two backslashes need to be escaped into one backslash?
>> We also tried several patterns and summarised the results.
>>
>> Password | Configuration | Result
>> -------------------|-----------------------|-------
>> pass"word at 2022 | "pass\"word at 2022" | OK
>
> Yes, the rules for double quoted strings are the same everywhere. If you want a double quote inside of a double quoted string, you have to escape it with a backslash: \"
>
>> pass\"word at 2022 | "pass\\"word at 2022" | Syntax error
>
> Yes, that doesn't work. It's not supposed to work, and it shouldn't work.
>
> That string is parsed as:
>
> "pass\\"
>
> and then
>
> word at 2022"
>
> This is how escaping works with backslashes in all languages which support double quoted strings.
>
>> pass\\"word at 2022 | "pass\\\"word at 2022" | OK
>
> Yes, the two backslashes are un-escaped to one backslash. And then the \" is converted to "
>
> This is how all double-quoted strings work.
>
>> pass\\\"word at 2022 | "pass\\\\"word at 2022" | Syntax error
>>
>> As mentioned above, a Syntax Error occurs when '\' is an even number in the configuration.
>
> Yes. Because if you have an even number of backslashes, every double-backslash is un-escaped to one backslash. And then if the parser sees a double quote after that, the double quote is interpreted as the end of the double quoted string.
>
>> Is this the right approach?
>
> No.
>
>> Any advice would be appreciated.
>
> See the rules for escaping in double quoted strings. This is the same for all languages, including the shell. Try passing those strings to the shell:
>
> $ echo "pass\"word at 2022"
> pass"word at 2022
>
> $ echo pass\\"word at 2022"
> pass\word at 2022
>
> $ echo "pass\\\"word at 2022"
> pass\"word at 2022
>
> $ echo "pass\\\\"word at 2022"
>
> And that one doesn't output anything, because the shell is waiting for the final quote.
>
> That final string is parsed as:
>
> " --> start double quoted string
> pass --> 4 characters
> \\ --> one \
> \\ --> another \
> " --> end of the double quoted string
> word at 2022 --> more text
> " --> start of new double quoted string.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
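Added example, not part of the thread and not FreeRADIUS code: a small scanner that applies the escaping rule as the quoted reply states it (`\\` becomes `\`, `\"` becomes `"`, an unescaped `"` ends the string) to the four configuration values from the table, plus a helper that escapes a secret under that same rule. The function names are hypothetical, and keeping any other backslash escape verbatim is an assumption.

```python
# Rule from the quoted reply: \\ -> \, \" -> ", an unescaped " ends the string.
# Handling of any other backslash escape is an assumption: it is kept verbatim.

def parse_double_quoted(text):
    """Return (decoded value, text left over after the closing quote)."""
    if not text.startswith('"'):
        raise ValueError("value does not start with a double quote")
    out, i = [], 1
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling backslash at end of input")
            nxt = text[i + 1]
            out.append(nxt if nxt in ('\\', '"') else ch + nxt)
            i += 2
        elif ch == '"':
            return "".join(out), text[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated double-quoted string")

def escape_for_double_quotes(secret):
    """Escape backslashes first, then quotes, so added backslashes are not doubled."""
    return '"' + secret.replace("\\", "\\\\").replace('"', '\\"') + '"'

def check(config_value):
    """Classify a value as ('OK', decoded) or ('Syntax error', reason)."""
    try:
        value, rest = parse_double_quoted(config_value)
    except ValueError as exc:
        return ("Syntax error", str(exc))
    if rest.strip():
        return ("Syntax error", "text after closing quote: " + rest)
    return ("OK", value)

# The four configuration values from the thread's table.
THREAD_VALUES = [
    r'"pass\"word at 2022"',
    r'"pass\\"word at 2022"',
    r'"pass\\\"word at 2022"',
    r'"pass\\\\"word at 2022"',
]

if __name__ == "__main__":
    for cfg in THREAD_VALUES:
        print(cfg, "->", check(cfg))
    print(escape_for_double_quotes(r'pass\"word at 2022'))
```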