Renamed radius_xlat2 to radius_xlat, as the old radius_xlat is now
authoraland <aland>
Wed, 14 Mar 2001 20:08:42 +0000 (20:08 +0000)
committeraland <aland>
Wed, 14 Mar 2001 20:08:42 +0000 (20:08 +0000)
gone.

New typedef for function callback, to escape the attribute string
values, when doing the radius_xlat.  This is so that SQL, shell, etc
can escape their magic values, and the user sending RADIUS attributes
can't play games with them.

Made radius_xlat take this new function, but it doesn't currently
do anything with it.

src/include/radiusd.h
src/main/auth.c
src/main/exec.c
src/main/xlat.c
src/modules/rlm_detail/rlm_detail.c
src/modules/rlm_sql/rlm_sql.c

index be22258..1abad34 100644 (file)
@@ -271,8 +271,10 @@ int             simplepaircmp(VALUE_PAIR *, VALUE_PAIR *);
 void           pair_builtincompare_init(void);
 
 /* xlat.c */
-int            radius_xlat2(char * out, int outlen, const char *fmt,
-                            REQUEST * request);
+typedef int (*RADIUS_ESCAPE_STRING)(char *out, int outlen, const char *in);
+
+int            radius_xlat(char * out, int outlen, const char *fmt,
+                          REQUEST * request, RADIUS_ESCAPE_STRING func);
 
 #ifdef WITH_THREAD_POOL
 /* threads.c */
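Review bot: The new `RADIUS_ESCAPE_STRING` typedef has no comment stating its contract, which matters because it is the hook meant to neutralise attribute values before they reach SQL or a shell. I would add above it something like `/* Escape 'in' into 'out' (at most outlen bytes, always NUL-terminated); returns bytes written. NULL callback means no escaping. */`, adjusted to whatever return convention is actually intended, since the hunk does not show one. Truncation behaviour should be spelled out too, because an escape sequence cut in half at the end of `out` would defeat the purpose.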
index 5e63365..08bf17a 100644 (file)
@@ -710,8 +710,8 @@ int rad_authenticate(REQUEST *request)
        seen_callback_id = 0;
        if ((auth_item = pairfind(request->reply->vps, PW_CALLBACK_ID)) != NULL) {
                seen_callback_id = 1;
-               radius_xlat2(buf, sizeof(auth_item->strvalue),
-                               (char *)auth_item->strvalue, request);
+               radius_xlat(buf, sizeof(auth_item->strvalue),
+                           (char *)auth_item->strvalue, request, NULL);
                strNcpy((char *)auth_item->strvalue, buf,
                        sizeof(auth_item->strvalue));
                auth_item->length = strlen((char *)auth_item->strvalue);
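Review bot: The bound passed to `radius_xlat` is `sizeof(auth_item->strvalue)` although the expansion is written into `buf`, so the call is only safe if `buf` is at least as large as `strvalue`. `buf` is declared outside this hunk, so I cannot confirm that. If it is a local array, `radius_xlat(buf, sizeof(buf), (char *)auth_item->strvalue, request, NULL);` ties the limit to the real destination, and the following `strNcpy` already truncates to the attribute size. The Reply-Message call in the next hunk has the same shape.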
@@ -769,13 +769,13 @@ int rad_authenticate(REQUEST *request)
 
        /*
         *      Filter (possibly multiple) Reply-Message attributes
-        *      through radius_xlat2, modifying them in place.
+        *      through radius_xlat, modifying them in place.
         */
        if (user_msg == NULL) {
                reply_item = pairfind(request->reply->vps, PW_REPLY_MESSAGE);
                while (reply_item) {
-                       radius_xlat2(buf, sizeof(reply_item->strvalue),
-                                       (char *)reply_item->strvalue, request);
+                 radius_xlat(buf, sizeof(reply_item->strvalue),
+                             (char *)reply_item->strvalue, request, NULL);
                strNcpy((char *)reply_item->strvalue, buf,
                                sizeof(reply_item->strvalue));
                reply_item->length = strlen((char *)reply_item->strvalue);
index cb0e9e4..dcb660f 100644 (file)
@@ -96,7 +96,7 @@ int radius_exec_program(const char *cmd, REQUEST *request,
                /*      
                 *      Child
                 */
-               radius_xlat2(answer, sizeof(answer), cmd, request);
+               radius_xlat(answer, sizeof(answer), cmd, request, NULL);
                buf = answer;
 
                /*
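Review bot: `cmd` is expanded with a `NULL` escape callback, so request attribute values are copied into `answer` verbatim. The function name and the child-process comment suggest this string is then run as a program, though the rest of the body is outside the hunk. That is the case the commit message introduces the callback for, so until a shell-escaping function exists I would at least mark the site, e.g. `/* FIXME: pass a shell-escaping RADIUS_ESCAPE_STRING; attribute values are expanded unescaped */`. The same applies to the file path built in `detail_accounting` in rlm_detail.c and to every query built in rlm_sql.c, all of which also pass `NULL`.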
index fff3c69..a5f153a 100644 (file)
@@ -167,9 +167,6 @@ static void decode_attribute(const char **from, char **to, int freespace, int *o
 
 
 /*
- *     Based on radius_xlat from exec.c
- *     After testing will replace the radius_xlat
- *
  *     Replace %<whatever> in a string.
  *
  *     %a       Protocol (SLIP/PPP)
@@ -201,7 +198,8 @@ static void decode_attribute(const char **from, char **to, int freespace, int *o
  *     ${reply:AttributeName}          Corresponding value for AttributeName in reply
  */
 
-int radius_xlat2(char * out,int outlen, const char *fmt, REQUEST * request)
+int radius_xlat(char *out, int outlen, const char *fmt,
+               REQUEST *request, RADIUS_ESCAPE_STRING func)
 {
        int i, c,freespace;
        const char *p;
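Review bot: The header comment above `radius_xlat` still documents only the `%` and `${...}` expansions and says nothing about the new `func` argument, which per the commit message is accepted but not yet applied. A caller that supplies an escape function would reasonably assume the output is safe to embed, so I would add a line such as `func: escape callback for attribute values; currently IGNORED, values are copied unescaped` and state what `NULL` means. The function body continues past the end of this hunk, so the unused status is taken from the commit message rather than from the code.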
index 8c6ecfb..3eadd28 100644 (file)
@@ -99,10 +99,10 @@ static int detail_accounting(void *instance, REQUEST *request)
         *
         *      Generate the path for the detail file.  Use the
         *      same format, but truncate at the last /.  Then
-        *      feed it through radius_xlat2() to expand the
+        *      feed it through radius_xlat() to expand the
         *      variables.
         */
-       radius_xlat2(buffer, sizeof(buffer), inst->detailfile, request);
+       radius_xlat(buffer, sizeof(buffer), inst->detailfile, request, NULL);
        DEBUG2("rlm_detail: %s expands to %s", inst->detailfile, buffer);
 
        /*
index 94cf3c4..27b5478 100644 (file)
@@ -195,6 +195,15 @@ static int rlm_sql_authorize(void *instance, REQUEST * request) {
 
        VALUE_PAIR *uservp = NULL;
 
+       /*
+        *      They MUST have a user name to do SQL authorization.
+        */
+       if ((!request->username) ||
+           (request->username->length == 0)) {
+               radlog(L_ERR, "zero length username not permitted\n");
+               return RLM_MODULE_INVALID;
+       }
+
        sqlsocket = sql_get_socket(inst);
 
        /*
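Review bot: The new error message `"zero length username not permitted\n"` lacks the `rlm_sql:` prefix that the other `radlog` calls in this file carry, and it ends in a newline that they do not, so it will be hard to attribute in the log. `radlog(L_ERR, "rlm_sql:  zero length username not permitted");` would match the neighbouring messages. The check itself is well placed before `sql_get_socket`, so the early return needs no socket release.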
@@ -202,30 +211,24 @@ static int rlm_sql_authorize(void *instance, REQUEST * request) {
         */
        uservp = set_userattr(inst, sqlsocket, request->packet->vps, NULL, saveuser, &savelen);
        name = uservp->strvalue;
-       if (name[0] == 0) {
-               radlog(L_ERR, "zero length username not permitted\n");
-               sql_release_socket(inst, sqlsocket);
-               restore_userattr(uservp, saveuser, savelen);
-               return -1;
-       }
 
-       radius_xlat2(querystr, MAX_QUERY_LEN, inst->config->authorize_check_query, request);
+       radius_xlat(querystr, MAX_QUERY_LEN, inst->config->authorize_check_query, request, NULL);
        found = sql_getvpdata(inst, sqlsocket, &check_tmp, querystr, PW_VP_USERDATA);
        /*
         *      Find the entry for the user.
         */
        if (found > 0) {
-               radius_xlat2(querystr, MAX_QUERY_LEN, inst->config->authorize_group_check_query, request);
+               radius_xlat(querystr, MAX_QUERY_LEN, inst->config->authorize_group_check_query, request, NULL);
                sql_getvpdata(inst, sqlsocket, &check_tmp, querystr, PW_VP_GROUPDATA);
-               radius_xlat2(querystr, MAX_QUERY_LEN, inst->config->authorize_reply_query, request);
+               radius_xlat(querystr, MAX_QUERY_LEN, inst->config->authorize_reply_query, request, NULL);
                sql_getvpdata(inst, sqlsocket, &reply_tmp, querystr, PW_VP_USERDATA);
-               radius_xlat2(querystr, MAX_QUERY_LEN, inst->config->authorize_group_reply_query, request);
+               radius_xlat(querystr, MAX_QUERY_LEN, inst->config->authorize_group_reply_query, request, NULL);
                sql_getvpdata(inst, sqlsocket, &reply_tmp, querystr, PW_VP_GROUPDATA);
        } else if (found < 0) {
                radlog(L_ERR, "rlm_sql:  SQL query error; rejecting user");
                sql_release_socket(inst, sqlsocket);
                restore_userattr(uservp, saveuser, savelen);
-               return -1;
+               return RLM_MODULE_INVALID;
 
        } else {
 
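Review bot: The `found < 0` branch now returns `RLM_MODULE_INVALID`, the same code the new username check uses for a malformed request, even though the log line describes an SQL query error. If the module API offers a distinct failure code (`RLM_MODULE_FAIL`, as far as I recall for this code base), returning it here would let the server tell a backend failure from a bad request. Separately, `name = uservp->strvalue` dereferences the result of `set_userattr` without a NULL check, and the removed `name[0] == 0` test was the only validation of that value. `set_userattr` is not visible on this page, so that second point is a question rather than a finding.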
@@ -236,9 +239,9 @@ static int rlm_sql_authorize(void *instance, REQUEST * request) {
                 * for a DEFAULT entry
                 */
                set_userattr(inst, sqlsocket, uservp, "DEFAULT", NULL, NULL);
-               radius_xlat2(querystr, MAX_QUERY_LEN, inst->config->authorize_group_check_query, request);
+               radius_xlat(querystr, MAX_QUERY_LEN, inst->config->authorize_group_check_query, request, NULL);
                gcheck = sql_getvpdata(inst, sqlsocket, &check_tmp, querystr, PW_VP_GROUPDATA);
-               radius_xlat2(querystr, MAX_QUERY_LEN, inst->config->authorize_group_reply_query, request);
+               radius_xlat(querystr, MAX_QUERY_LEN, inst->config->authorize_group_reply_query, request, NULL);
                gcheck = sql_getvpdata(inst, sqlsocket, &reply_tmp, querystr, PW_VP_GROUPDATA);
                if (gcheck)
                        found = 1;
@@ -303,7 +306,7 @@ static int rlm_sql_authenticate(void *instance, REQUEST * request) {
         * 3. Replace User-Name attr with saved value
         */
        uservp = set_userattr(inst, sqlsocket, request->packet->vps, NULL, saveuser, &savelen);
-       radius_xlat2(querystr, MAX_QUERY_LEN, inst->config->authenticate_query, request);
+       radius_xlat(querystr, MAX_QUERY_LEN, inst->config->authenticate_query, request, NULL);
        restore_userattr(uservp, saveuser, savelen);
 
        if ((inst->module->sql_select_query)(sqlsocket, inst->config, querystr) < 0) {
@@ -363,7 +366,7 @@ static int rlm_sql_accounting(void *instance, REQUEST * request) {
        if ((pair = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE)) != NULL) {
                acctstatustype = pair->lvalue;
        } else {
-               radius_xlat2(logstr, MAX_QUERY_LEN, "rlm_sql:  packet has no account status type.  [user '%{User-Name}', nas '%{NAS-IP-Address}']", request);
+               radius_xlat(logstr, MAX_QUERY_LEN, "rlm_sql:  packet has no account status type.  [user '%{User-Name}', nas '%{NAS-IP-Address}']", request, NULL);
                radlog(L_ERR, logstr);
                return 0;
        }
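Review bot: `radlog(L_ERR, logstr)` passes as the format argument a string that already contains the expanded `%{User-Name}` and `%{NAS-IP-Address}` values from the packet. If `radlog` is printf-style, as the `DEBUG2` call elsewhere on this page suggests for the logging helpers, any `%` sequence in those attributes would be interpreted as a conversion. `radlog(L_ERR, "%s", logstr);` keeps the text as data. The Stop-packet branch in the next hunk has the identical call and needs the same change.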
@@ -379,7 +382,7 @@ static int rlm_sql_accounting(void *instance, REQUEST * request) {
                acctsessiontime = pair->lvalue;
 
        if ((acctsessiontime <= 0) && (acctstatustype == PW_STATUS_STOP)) {
-               radius_xlat2(logstr, MAX_QUERY_LEN, "rlm_sql:  Stop packet with zero session" " length.  (user '%{User-Name}', nas '%{NAS-IP-Address}')", request);
+               radius_xlat(logstr, MAX_QUERY_LEN, "rlm_sql:  Stop packet with zero session" " length.  (user '%{User-Name}', nas '%{NAS-IP-Address}')", request, NULL);
                radlog(L_ERR, logstr);
                return 0;
        }
@@ -393,7 +396,7 @@ static int rlm_sql_accounting(void *instance, REQUEST * request) {
                case PW_STATUS_ACCOUNTING_ON:
                case PW_STATUS_ACCOUNTING_OFF:
                        radlog(L_INFO, "rlm_sql:  received Acct On/Off packet");
-                       radius_xlat2(querystr, MAX_QUERY_LEN, inst->config->accounting_onoff_query, request);
+                       radius_xlat(querystr, MAX_QUERY_LEN, inst->config->accounting_onoff_query, request, NULL);
                        query_log(inst, querystr);
 
                        if (querystr) {
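Review bot: The result of `radius_xlat` is discarded before `querystr` is logged and run, so an expansion that does not fit in `MAX_QUERY_LEN` would reach the database truncated. A statement cut short before its WHERE clause can affect different rows than intended. I would check for overflow here and skip the query with an error log when the expansion did not fit; how `radius_xlat` reports that is not visible on this page. The `if (querystr)` test that follows is presumably always true if `querystr` is an array, so it does not catch this case. The same pattern repeats in the Alive, Start and Stop cases in the following hunks.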
@@ -409,7 +412,7 @@ static int rlm_sql_accounting(void *instance, REQUEST * request) {
                         */
                case PW_STATUS_ALIVE:
 
-                       radius_xlat2(querystr, MAX_QUERY_LEN, inst->config->accounting_update_query, request);
+                       radius_xlat(querystr, MAX_QUERY_LEN, inst->config->accounting_update_query, request, NULL);
                        query_log(inst, querystr);
 
                        if (querystr) {
@@ -425,7 +428,7 @@ static int rlm_sql_accounting(void *instance, REQUEST * request) {
                         */
                case PW_STATUS_START:
 
-                       radius_xlat2(querystr, MAX_QUERY_LEN, inst->config->accounting_start_query, request);
+                       radius_xlat(querystr, MAX_QUERY_LEN, inst->config->accounting_start_query, request, NULL);
                        query_log(inst, querystr);
 
                        if (querystr) {
@@ -438,7 +441,7 @@ static int rlm_sql_accounting(void *instance, REQUEST * request) {
                                         * the stop record came before the start.  We try an
                                         * our alternate query now (typically an UPDATE)
                                         */
-                                       radius_xlat2(querystr, MAX_QUERY_LEN, inst->config->accounting_start_query_alt, request);
+                                       radius_xlat(querystr, MAX_QUERY_LEN, inst->config->accounting_start_query_alt, request, NULL);
                                        query_log(inst, querystr);
 
                                        if (querystr) {
@@ -456,7 +459,7 @@ static int rlm_sql_accounting(void *instance, REQUEST * request) {
                         */
                case PW_STATUS_STOP:
 
-                       radius_xlat2(querystr, MAX_QUERY_LEN, inst->config->accounting_stop_query, request);
+                       radius_xlat(querystr, MAX_QUERY_LEN, inst->config->accounting_stop_query, request, NULL);
                        query_log(inst, querystr);
 
                        if (querystr) {
@@ -474,7 +477,7 @@ static int rlm_sql_accounting(void *instance, REQUEST * request) {
                                 * matching Start record.  So we have to
                                 * insert this stop rather than do an update
                                 */
-                               radius_xlat2(querystr, MAX_QUERY_LEN, inst->config->accounting_stop_query_alt, request);
+                               radius_xlat(querystr, MAX_QUERY_LEN, inst->config->accounting_stop_query_alt, request, NULL);
                                query_log(inst, querystr);
 
                                if (querystr) {