Title: %{} parsing and the death of Eval syntax

From the changelog for 3.3 -

"Important Security Update: Removed support for the %Eval special character syntax due to security issues that can affect AuthBy SQL and AuthBy LDAP*. We recommend that all operators of Radiator 3.0, 3.1 and 3.2 upgrade to this version immediately"

However, it doesn't state what specific issue prompted this; does anybody know?

From Util.pm -

    # Need to convert single character % formats _and_ positional args all
    # in one go, else may get unpleasant interactions, especially when the
    # the resulting string contains a %
    $s =~ s/%([%abcCdDefghHiIjklLmMNopqQnPrRsStTUuvVwWyYz]|\d+)/{my $a = $1; $a =~ m@^\d@ ? $extras[$a] : &{$conversions{$a}}()}/egs;

    $s =~ s/%\{GlobalVar:([^{]+)\}/{&main::getVariable($1)}/egs;
    $s =~ s/%\{Reply:([^{]+)\}/{$rpacket ? $rpacket->get_attr($1) : ''}/egs;
    $s =~ s/%\{Client:([^{]+)\}/{$p ? $p->{Client}{$1} : ''}/egs;
    $s =~ s/%\{Handler:([^{]+)\}/{$p ? $p->{Handler}{$1} : ''}/egs;
#    $s =~ s/%\{Eval:([^{]+)\}/{eval($1)}/egs;
    $s =~ s/%\{([^{]+)\}/{$p ? $p->get_attr($1) : ''}/egs;

I really don't think this is optimal; I wonder whether Eval would be OK if the parser was modified to only do a single pass for the substitution (which might produce a speed increase as well). This also avoids, say, a maliciously crafted username/password/whatever doing unpleasant things when it gets re-parsed. I think this would be critical to any re-introduction of Eval syntax.

Even without that, I'm somewhat hamstrung in the creation of, say, SQL statements by the fact that there's no way to compensate for a missing value. I think a simplified syntax for this would be useful as well. Wim Bonis' extendedMacros.patch is a good thought for formatting, but it is still for Radiator 2.12 and hard-codes more than I'd like. I'd be more interested in a general system that allows %{Anything:data} in the same way that we can currently simply add %X as a special substitution, where X is any alpha character. The following patch (against Radius/Util.pm from Radiator 3.5) seems to work OK, although I've not tested it extensively since it's just a first draft -

*** Util.pm.orig        Thu Jan 16 17:58:36 2003
--- Util.pm     Fri Jan 17 13:32:25 2003
***************
*** 97,102 ****
--- 97,111 ----
 
       );
 
+ my %substitutions = (
+     'GlobalVar'     => sub { &main::getVariable($2) },
+     'Reply'         => sub { ($rpacket ? $rpacket->get_attr($2) : '') },
+     'Client'        => sub { ($rpacket ? $rpacket->get_attr($2) : '') },
+     'Handler'       => sub { ($cpacket ? $cpacket->{Handler}{$2} : '') },
+     'Foo'           => sub { "foo=$2"; }
+ );
+ #   'Eval'          => sub { eval($2) },
+
  my %strftime_conversion =
      (
       '%',     sub { '%' },
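Review bot: the 'Client' entry in %substitutions duplicates the 'Reply' body (`$rpacket->get_attr($2)`) instead of the `$p->{Client}{$1}` lookup performed by the line it replaces, and 'Handler' reads `$cpacket`, which is not introduced anywhere in this hunk, where the replaced line used `$p`; both silently change behaviour. The subs also depend on `$2` having been set by a regex in the caller, which is a hidden coupling; passing the captured argument explicitly (`'GlobalVar' => sub { &main::getVariable($_[0]) }`, invoked as `&{$substitutions{$1}}($2)`) removes it. 'Foo' reads as a debugging placeholder that should not ship, and the commented-out 'Eval' entry sits after the closing `);`, so it would have to move inside the hash if it were ever re-enabled.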
***************
*** 328,342 ****
      # Need to convert single character % formats _and_ positional args all
      # in one go, else may get unpleasant interactions, especially when the
      # the resulting string contains a %
-     $s =~ s/%([%abcCdDefghHiIjklLmMNopqQnPrRsStTUuvVwWyYz]|\d+)/{my $a = $1; $a =~ m@^\d@ ? $extras[$a] : &{$conversions{$a}}()}/egs;

 
!     $s =~ s/%\{GlobalVar:([^{]+)\}/{&main::getVariable($1)}/egs;
!     $s =~ s/%\{Reply:([^{]+)\}/{$rpacket ? $rpacket->get_attr($1) : ''}/egs;
!     $s =~ s/%\{Client:([^{]+)\}/{$p ? $p->{Client}{$1} : ''}/egs;
!     $s =~ s/%\{Handler:([^{]+)\}/{$p ? $p->{Handler}{$1} : ''}/egs;
! #    $s =~ s/%\{Eval:([^{]+)\}/{eval($1)}/egs;
!     $s =~ s/%\{([^{]+)\}/{$p ? $p->get_attr($1) : ''}/egs;
!
      return $s;
  }
 
--- 337,345 ----
      # Need to convert single character % formats _and_ positional args all
      # in one go, else may get unpleasant interactions, especially when the
      # the resulting string contains a %
 
!     $s =~ s/%([%abcCdDefghHiIjklLmMNopqQnPrRsStTUuvVwWyYz]|\d+)/{my $a = $1; $a =~ m@^\d@ ? $extras[$a] : &{$conversions{$a}}()}/egs;

!     $s =~ s!%\{(?:([^:]+):)?(.+?(?<\!\\)(?:\\\\)*)\}!( (defined $substitutions{$1}) ? &{$substitutions{$1}}() : ($cpacket ? $cpacket->get_attr($1) : '') )!egs;

      return $s;
  }
 
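Review bot: the fallback branch of the new combined substitution uses the wrong capture: for an unprefixed token such as `%{User-Name}` the optional prefix group does not match, so `$1` is undefined and the attribute name is in `$2`, which means `$cpacket->get_attr($1)` looks up nothing and `defined $substitutions{$1}` warns under `use warnings`; it should read `$cpacket->get_attr($2)` (or `$p->get_attr($2)`, since the deleted lines use `$p` and `$cpacket` is not defined in this hunk). The escape handling `(?<\!\\)(?:\\\\)*` lets an argument contain `\}`, but the backslashes are handed through unchanged to the handler or attribute lookup, so a caller gets `foo\}` rather than `foo}`. Finally, the single-character `%X` pass still runs as a separate statement before this one, so the stated single-pass goal is met only for the `%{...}` forms; that order is the safe one, since nothing this substitution inserts is scanned again, but the patch description should say so.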
- Matt S Trout
Internet Systems Developer
Business Serve plc
E-mail : [EMAIL PROTECTED]
Tel    : 0870 759 2041

The Stapler is Behind You

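The re-parsing problem the post describes, shown side by side with a single-pass dispatch table. This is an added example written for this page, not Radiator code: the attribute hashes, the global variable and the attacker-influenced Reply-Message are constructed sample data, and the Eval handler only records the code it would have run instead of calling eval().

```perl
#!/usr/bin/perl
# Added example (not Radiator code): why the multi-pass %{} expansion
# re-parses data, and how a single-pass dispatch table avoids it.
use strict;
use warnings;

# Constructed sample data standing in for request/reply attributes and
# global variables. The Reply-Message is attacker-influenced on purpose.
my %attrs   = ('User-Name' => 'alice', 'NAS-IP-Address' => '10.0.0.1');
my %reply   = ('Reply-Message' => '%{Eval:unlink "/etc/passwd"}');
my %globals = ('realm' => 'example.com');

# Mirrors the structure of the original Util.pm: one s/// per syntax,
# applied in sequence, so each pass rescans the previous pass's output.
# The Eval pass is kept so the problem is visible, but it only records
# the code it would have run instead of calling eval().
sub format_multipass {
    my ($s) = @_;
    my @would_eval;
    $s =~ s{%\{GlobalVar:([^\{]+)\}}{ defined $globals{$1} ? $globals{$1} : '' }egs;
    $s =~ s{%\{Reply:([^\{]+)\}}{ defined $reply{$1} ? $reply{$1} : '' }egs;
    $s =~ s{%\{Eval:([^\{]+)\}}{ push @would_eval, $1; '<eval>' }egs;
    $s =~ s{%\{([^\{]+)\}}{ defined $attrs{$1} ? $attrs{$1} : '' }egs;
    return ($s, \@would_eval);
}

# Single pass: every %{...} token is resolved exactly once by a single
# substitution with a dispatch table, so nothing a handler returns is
# ever scanned again. Handlers take their argument explicitly instead of
# reading the caller's $2.
sub format_singlepass {
    my ($s) = @_;
    my @would_eval;
    my %handler = (
        GlobalVar => sub { defined $globals{$_[0]} ? $globals{$_[0]} : '' },
        Reply     => sub { defined $reply{$_[0]}   ? $reply{$_[0]}   : '' },
        Eval      => sub { push @would_eval, $_[0]; '<eval>' },
    );
    $s =~ s{%\{(?:([^:\{\}]+):)?([^\{\}]+)\}}{
        defined $1
            ? (exists $handler{$1} ? $handler{$1}->($2) : '')
            : (defined $attrs{$2}  ? $attrs{$2}          : '')
    }egs;
    return ($s, \@would_eval);
}

# A constructed AuthBy SQL style template using all three syntaxes.
my $template = q{INSERT INTO log (user, realm, msg) VALUES }
             . q{('%{User-Name}', '%{GlobalVar:realm}', '%{Reply:Reply-Message}')};

for my $f (\&format_multipass, \&format_singlepass) {
    my ($out, $ev) = $f->($template);
    print "$out\n  would have eval'd: ",
          (@$ev ? join(', ', @$ev) : '(nothing)'), "\n";
}
```

Run as-is, the multi-pass version inserts the Reply-Message during its Reply pass and then, because the Eval pass runs afterwards, picks the injected `%{Eval:...}` back up and records `unlink "/etc/passwd"` as code it would have evaluated. The single-pass version returns the same Reply-Message verbatim and records nothing, because s///g continues scanning the original string after a match rather than the text just substituted in. The defined-or checks are spelled out with the ternary so the block runs on Perl releases before 5.10.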