On Monday 02.02.2009 10:37:59 Alan DeKok wrote:
> Matej Vadnjal wrote:
> > I'm having trouble getting the value of auth_pool of a realm. Realms are
> > defined as regular expressions matched by suffix module against the
> > domain portion of user's username.
>
>   Ok... *why* are you doing that?
>
> >     if ("%{config:realm[%{Realm}].auth_pool}" =~ /%{client-shortname}/i) {
> >                 reject
> >         }
>
>   That's odd.  What do you think that configuration does, and why do you
> want it to do that?
>

I have a server that receives requests from radius servers and forwards them 
to other radius servers (we are a national top-level radius for the eduroam 
project).

I'd like to check if a request that I received from a radius server will be 
proxied back to that same server resulting in a proxy loop.

The way I see things, there is no other way to find out which server the 
request will be proxied to.

My idea is that if I keep the names of servers in clients.conf and server 
pools in proxy.conf similar enough, I could compare them with a regexp and if 
they match reject the request, preventing a loop.



> > Is this a bug or a safety feature (preventing some sort of injection
> > attacks)? I tried all sorts of combinations of single quotes, double
> > quotes, no quotes, but to no avail.
>
>   Escaping characters is a security feature.

As I suspected. However, in my case the value of the Realm variable is one of 
the predefined values in proxy.conf and not supplied by users.


Regards,

Matej Vadnjal


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
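
Added example, not part of the original message and not FreeRADIUS code: a Python model of the loop check discussed above, showing that an unanchored regex match of the client shortname against the pool name can reject legitimate requests, while comparing the sender's address with the home servers in the realm's pool does not. All names, addresses and the dict layout are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample data modelling clients.conf and proxy.conf entries.
CLIENTS = {  # source IP -> client shortname
    "192.0.2.10": "uni",
    "192.0.2.20": "uni-lab",
}
HOME_SERVERS = {  # home_server name -> ipaddr
    "uni-hs1": "192.0.2.10",
    "uni-lab-hs1": "192.0.2.20",
}
POOLS = {  # home_server_pool name -> member home servers
    "uni-pool": ["uni-hs1"],
    "uni-lab-pool": ["uni-lab-hs1"],
}
REALMS = {  # realm name -> auth_pool
    "uni.example": "uni-pool",
    "lab.uni.example": "uni-lab-pool",
}


def loops_by_name(client_ip, realm):
    """Name-similarity check from the message: auth_pool =~ /shortname/i."""
    shortname = CLIENTS[client_ip]
    return re.search(shortname, REALMS[realm], re.IGNORECASE) is not None


def loops_by_address(client_ip, realm):
    """Loop only if the sender is itself a home server in the realm's pool."""
    src = ipaddress.ip_address(client_ip)
    members = POOLS[REALMS[realm]]
    return any(ipaddress.ip_address(HOME_SERVERS[hs]) == src for hs in members)


def compare(client_ip, realm):
    """Return (name-based verdict, address-based verdict) for one request."""
    return loops_by_name(client_ip, realm), loops_by_address(client_ip, realm)


if __name__ == "__main__":
    for ip in CLIENTS:
        for realm in REALMS:
            print(ip, realm, compare(ip, realm))
```

The case to look at is client "uni" sending a request for lab.uni.example: the name check flags a loop because "uni" is a substring of "uni-lab-pool", although the request would go to a different server.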
