[POLL] Escaping behaviour in SQL/LDAP/regexes

Alan DeKok aland at deployingradius.com
Wed Mar 12 05:12:57 UTC 2025


  To put it another way...

  We don't want to trust the data we get from the network.  User-Names can be mangled with SQL syntax.  And we don't want users to be able to type in "funny" names, and have the database go down.

  v3 fixes this by escaping just about everything, always.  There are some places where the data isn't escaped, but not many.  We've gradually fixed most of the weird things over the years, so that it mostly works, and mostly does what you expect.  We'd like to do better for v4.

  So the question is what needs to be escaped, and when?  For me, we'll assume that everything from the network is escaped or sanitized.  Which leaves two cases:

1) an in-line SQL query

	foo = %sql("SELECT foo from bar where username='%{User-Name}'")

2) a constructed SQL query:

	stub = "SELECT foo"

	foo = %sql("%{stub} from bar where  username='%{User-Name}'")

 Should the "stub" variable here be escaped?

  I know in this case it's safe, but that's not the point.  SQL queries can contain quotes, = signs, etc.  Administrators may want to put SQL queries in-place in the configuration, or they may want to construct SQL queries through intermediate variables.

  So should the contents of "stub" be escaped?

  Alan DeKok.
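To make the two cases in the post concrete, here is an added example (not FreeRADIUS code, and not Alan's) that models the expansion step in Python and runs the resulting statements against an in-memory SQLite table. The %{...} expander, the `network`/`config` split, the table contents and the `stub` values are all assumptions for this illustration; the escaping used is plain SQL quote-doubling rather than rlm_sql's own escape function. It shows why a User-Name from the wire must be escaped (an unescaped quote breaks the statement, an unescaped `' OR '1'='1` returns every row) and what happens to the constructed query if the administrator's `stub` variable is escaped as well.

```python
import re
import sqlite3

# Constructed sample table for this example (not real RADIUS data).
ROWS = [("alice", "alice-secret"), ("bob", "bob-secret"), ("O'Brien", "obrien-secret")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bar (username TEXT, foo TEXT)")
    conn.executemany("INSERT INTO bar VALUES (?, ?)", ROWS)
    return conn


def sql_escape(value):
    # Plain SQL string-literal escaping: double every single quote.
    # Simplification for the example; this is not FreeRADIUS's escape function.
    return value.replace("'", "''")


# Hypothetical %{Name} expansion syntax, modelled on the examples in the post.
EXPANSION = re.compile(r"%\{([A-Za-z0-9_-]+)\}")


def expand(template, network, config, escape_config=False):
    """Expand %{Name} references in a query template.

    network: attribute values that arrived from the wire (untrusted): always escaped.
    config:  variables the administrator set in the configuration (trusted):
             escaped only when escape_config is True.
    """
    def repl(m):
        name = m.group(1)
        if name in network:
            return sql_escape(network[name])
        if name in config:
            value = config[name]
            return sql_escape(value) if escape_config else value
        raise KeyError("unknown expansion %s" % name)
    return EXPANSION.sub(repl, template)


def run(sql):
    """Execute one statement; return the list of foo values, or None on a SQL error."""
    conn = make_db()
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None
    finally:
        conn.close()


INLINE = "SELECT foo from bar where username='%{User-Name}'"
CONSTRUCTED = "%{stub} from bar where username='%{User-Name}'"


def inline_query(user_name):
    # Case 1 from the post: in-line query, the network value is escaped.
    return run(expand(INLINE, {"User-Name": user_name}, {}))


def unescaped_query(user_name):
    # What escaping prevents: the raw User-Name pasted straight into the query.
    return run(INLINE.replace("%{User-Name}", user_name))


def constructed_query(user_name, stub, escape_config):
    # Case 2 from the post: query assembled from an intermediate config variable.
    return run(expand(CONSTRUCTED, {"User-Name": user_name}, {"stub": stub}, escape_config))


if __name__ == "__main__":
    print(inline_query("O'Brien"))            # ['obrien-secret']
    print(unescaped_query("O'Brien"))         # None: the quote breaks the statement
    print(unescaped_query("' OR '1'='1"))     # every row: injection
    print(inline_query("' OR '1'='1"))        # []: escaped, so it is just an odd literal name
    print(constructed_query("alice", "SELECT foo", True))         # ['alice-secret']: no quotes, harmless
    print(constructed_query("alice", "SELECT foo, 'tag'", False))  # ['alice-secret']: stub used as written
    print(constructed_query("alice", "SELECT foo, 'tag'", True))   # None: escaping the stub breaks the SQL
```

The last two calls are the crux of the question in the post: a stub like `SELECT foo` survives escaping because it contains nothing to escape, but as soon as an administrator puts quotes into an intermediate variable, escaping it turns valid SQL into a syntax error. The data that needs escaping is the network-supplied value; whether a config-supplied fragment is "data" or "query" is the policy decision the post is asking about.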

More information about the Freeradius-Users mailing list