Re: Double quoting in sql?
On Fri, Sep 24, 2004 at 10:24:09AM -0400, Alan DeKok wrote: Oliver Graf [EMAIL PROTECTED] wrote: I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one small problem in the sql module: a Username seems to be quoted two times, first when setting sql_user_name, then when doing the xlat on the whole query. Debug output: radius_xlat: 'test=23test' Something is escaping '#' to '=23', probably in the SQL module. Yeah. The Problem is that the allowed_chars string in 0.9.3 included '=', but the one in 1.0.1 does not. The pitty is that omitting '=' from allowed chars is obviously correct, cause its the char used to quote stuff. Like you need to use %% to get one %, an unescaped = should become a =3D. But cause radius_xlat (or whatever else...) does not know if a value of a pair is already escaped (as SQL-User-Name is), this creates some ugly double escaping. So the correct solution is to change the sql.conf and remove SQL-User-Name from it, cause freeradius 1.0.1 will escape pairs used inside queries always correctly, as it seems. Oliver. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Double quoting in sql?
On Wed, Sep 29, 2004 at 08:10:45AM +0200, Oliver Graf wrote: On Fri, Sep 24, 2004 at 10:24:09AM -0400, Alan DeKok wrote: Oliver Graf [EMAIL PROTECTED] wrote: Something is escaping '#' to '=23', probably in the SQL module. Yeah. The Problem is that the allowed_chars string in 0.9.3 included '=', but the one in 1.0.1 does not. But cause radius_xlat (or whatever else...) does not know if a value of a pair is already escaped (as SQL-User-Name is), this creates some ugly double escaping. So the correct solution is to change the sql.conf and remove SQL-User-Name from it, cause freeradius 1.0.1 will escape pairs used inside queries always correctly, as it seems. Wrong. Correct is: sql_set_user does NOT need to use sql_escape_func in radius_xlat. That way the SQL-User-Name pair is unescaped, as any other pair, and the radius_xlat (with sql_escape_func) that is run on the query will escape that pair correctly, as it does it for any other pair. Diff vs 1.0.1 attached. Oliver. --- freeradius-1.0.1/src/modules/rlm_sql/rlm_sql.c.orig 2004-09-29 08:15:55.0 +0200 +++ freeradius-1.0.1/src/modules/rlm_sql/rlm_sql.c 2004-09-29 08:16:37.0 +0200 @@ -459,7 +459,7 @@ if (username != NULL) { strNcpy(tmpuser, username, MAX_STRING_LEN); } else if (strlen(inst-config-query_user)) { - radius_xlat(tmpuser, sizeof(tmpuser), inst-config-query_user, request, sql_escape_func); + radius_xlat(tmpuser, sizeof(tmpuser), inst-config-query_user, request, NULL); } else { return 0; }
Re: Double quoting in sql?
On Wed, Sep 29, 2004 at 08:10:45AM +0200, Oliver Graf wrote: On Fri, Sep 24, 2004 at 10:24:09AM -0400, Alan DeKok wrote: Oliver Graf [EMAIL PROTECTED] wrote: I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one small problem in the sql module: a Username seems to be quoted two times, first when setting sql_user_name, then when doing the xlat on the whole query. Debug output: radius_xlat: 'test=23test' Something is escaping '#' to '=23', probably in the SQL module. Yeah. The Problem is that the allowed_chars string in 0.9.3 included '=', but the one in 1.0.1 does not. I'll take a risk to remind these threads... http://lists.cistron.nl/pipermail/freeradius-devel/2003-May/thread.html#4836 http://lists.cistron.nl/pipermail/freeradius-devel/2003-June/thread.html#4954 http://lists.cistron.nl/pipermail/freeradius-devel/2003-July/thread.html#5539 -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Double quoting in sql?
On Fri, Sep 24, 2004 at 09:39:07AM +0200, Oliver Graf wrote: I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one small problem in the sql module: a Username seems to be quoted two times, first when setting sql_user_name, then when doing the xlat on the whole query. Am I just missing a config change? From the sample config I can see no difference. Fix: I use %{User-Name} in the queries instead of %{SQL-User-Name} Test Command: /usr/bin/radtest test#test test localhost 1 testing123 1 127.0.0.1 Config: sql_user_name = %{User-Name} authorize_check_query = SELECT id,name,attr,value,op FROM ${authcheck_table} WHERE name = '%{SQL-User-Name}' AND kind = 'user' AND type = 'check' ORDER BY id Debug output: radius_xlat: 'test=23test' rlm_sql (sql): sql_set_user escaped user -- 'test=23test' radius_xlat: 'SELECT id,name,attr,value,op FROM radiususers WHERE name = 'test=3D23test' AND kind = 'user' AND type = 'check' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 9 rlm_sql_mysql: query: SELECT id,name,attr,value,op FROM radiususers WHERE name = 'test=3D23test' AND kind = 'user' AND type = 'check' ORDER BY id rlm_sql (sql): User test=23test not found in radcheck Oliver. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Double quoting in sql?
On Fri, Sep 24, 2004 at 09:39:07AM +0200, Oliver Graf wrote: Hi! I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one small problem in the sql module: a Username seems to be quoted two times, first when setting sql_user_name, then when doing the xlat on the whole query. IIRC this behavour is here since SQL-User-Name attribute is handled by rlm_sql, because it's being escaped twice. Two ways I see: 1. avoid using %{SQL-User-Name} in queries. 2. patch rlm_sql.c::sql_set_user to pass func=NULL to radius_xlat. However, in second case, radius_xlat uses own copy function (xlat_copy), which has FIXME: Do escaping of bad stuff! comment... -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Double quoting in sql?
On Fri, Sep 24, 2004 at 02:31:47PM +0400, Alexander M. Pravking wrote: On Fri, Sep 24, 2004 at 09:39:07AM +0200, Oliver Graf wrote: Hi! I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one small problem in the sql module: a Username seems to be quoted two times, first when setting sql_user_name, then when doing the xlat on the whole query. IIRC this behavour is here since SQL-User-Name attribute is handled by rlm_sql, because it's being escaped twice. Two ways I see: 1. avoid using %{SQL-User-Name} in queries. 2. patch rlm_sql.c::sql_set_user to pass func=NULL to radius_xlat. It does not seem that the change which causes this is in rlm_sql.c. I guess it is to search in variable expansion of main/xlat.c. But I currently fail to see the change between 0.9.3 and 1.0.1 where this happened... perhaps I will take a deeper look later. Oliver. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Double quoting in sql?
On Fri, Sep 24, 2004 at 12:39:09PM +0200, Oliver Graf wrote: It does not seem that the change which causes this is in rlm_sql.c. I guess it is to search in variable expansion of main/xlat.c. But I currently fail to see the change between 0.9.3 and 1.0.1 where this happened... perhaps I will take a deeper look later. Hmm... 0.9.3 did escaping for anything except: @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: =/, and the default setting of safe-characters is the same now, so the '#' char should have been escaped in 0.9.3 too. Didn't you patch rlm_sql.c of 0.9.3 to modify safe char list? ;-) -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Double quoting in sql?
On Fri, Sep 24, 2004 at 03:04:56PM +0400, Alexander M. Pravking wrote: On Fri, Sep 24, 2004 at 12:39:09PM +0200, Oliver Graf wrote: It does not seem that the change which causes this is in rlm_sql.c. I guess it is to search in variable expansion of main/xlat.c. But I currently fail to see the change between 0.9.3 and 1.0.1 where this happened... perhaps I will take a deeper look later. Hmm... 0.9.3 did escaping for anything except: @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: =/, and the default setting of safe-characters is the same now, so the '#' char should have been escaped in 0.9.3 too. Didn't you patch rlm_sql.c of 0.9.3 to modify safe char list? ;-) Nope. I have a database with test=23test instead of test#test... :) Oliver. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Double quoting in sql?
Oliver Graf [EMAIL PROTECTED] wrote: I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one small problem in the sql module: a Username seems to be quoted two times, first when setting sql_user_name, then when doing the xlat on the whole query. Am I just missing a config change? From the sample config I can see no difference. I spent some time fixing xlat.c, so that it would only quote things ONCE. The issue I saw was escaping of backslashes, and doing: User-Name = DOMAIN\\user Filter-Id = %{User-Name} would get Filter-Id = DOMAINuser, which is wrong. That *shouldn't* have affected anything else. Debug output: radius_xlat: 'test=23test' Something is escaping '#' to '=23', probably in the SQL module. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html