On 10/19/2011 08:41 AM, Fajar A. Nugraha wrote:

> has the complete safe_characters needed. Turns out FR uses the
> safe_characters from the LAST instantiated sql instance. Manually
> putting the sql instances in instantiate section of radiusd.conf, with
> the one containing safe_characters I want last, works as expected.

Yeah, that's a tedious bug that's hard to solve. The "sql_xlat" function calls "radius_xlat" and supplies "sql_escape_func" as the final argument; unfortunately the "escape functions" you can pass to "radius_xlat" just get the input string and output buffer - they don't get any per-module config, so making the safe_characters per-module is tricky.

I did have some patches making the escape function (but not the safe_characters) selectable and offering "\xAA" as well as "raw" i.e. no escaping. The latter was intended for use with Postgres' dollar-quoted strings e.g.

select * from foo where bar=$tag$this is the string$tag$

Are you using postgres? If so, you could try to abuse this feature by making EVERY character safe, then perform the escaping yourself by doing this:

update request {
  SQL-Query := "select * from foo where bar=$tag$%{User-Name}$tag$"
  SQL-Result := "%{sql:%{SQL-Query}}"
}

It's not the most secure option; someone could contrive to get the string "$tag$; drop table foo" into a radius field, but if you can be sure this won't happen (e.g. sanitise it) it might work.
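As an added illustration (not code from this thread or from FreeRADIUS), here is the sanity check the last paragraph asks for, in Python: a fixed $tag$ quote can be closed early by any value that itself contains "$tag$", while picking a tag that provably does not occur in the value removes that breakout. The function names, the "q" tag prefix and the sample inputs are my own assumptions.

```python
import re
import secrets

# Constructed sample inputs: a benign user name, and the hostile value the
# post describes, which carries the fixed tag and so terminates the literal.
BENIGN = "alice"
HOSTILE = "alice$tag$; drop table foo"


def fixed_tag_query(user_name: str) -> str:
    """The approach from the post: every character marked safe, fixed tag.
    Nothing stops the value from containing "$tag$" itself."""
    return f"select * from foo where bar=$tag${user_name}$tag$"


def fixed_tag_is_unsafe(user_name: str) -> bool:
    """Reject values that would close the fixed-tag literal early."""
    return "$tag$" in user_name


def dollar_quote(value: str) -> str:
    """Wrap value in a PostgreSQL dollar-quoted literal whose tag does not
    occur in the value (assumed mitigation, not FreeRADIUS behaviour).
    Tags may contain letters, digits and underscores but must not start
    with a digit; the leading "q" guarantees that for the hex suffix."""
    tag = "q"
    while f"${tag}$" in value:
        tag = "q" + secrets.token_hex(4)
    return f"${tag}${value}${tag}$"


def literal_round_trips(value: str) -> bool:
    """Parse the literal back with the dollar-quote grammar and confirm it
    yields exactly the original value, i.e. no early termination."""
    lit = dollar_quote(value)
    m = re.fullmatch(r"\$([A-Za-z_][A-Za-z0-9_]*)?\$(.*)\$\1\$", lit, re.S)
    return m is not None and m.group(2) == value
```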