[packages/freeradius.git] / freeradius-sql_injection.patch

===================================================================
RCS file: /web/pages/us.freeradius.org/cvs/radiusd/src/modules/rlm_sql/rlm_sql.c,v
retrieving revision 1.131.2.1
retrieving revision 1.131.2.3
diff -u -p -r1.131.2.1 -r1.131.2.3
--- radiusd/src/modules/rlm_sql/rlm_sql.c	2004/09/30 14:54:22	1.131.2.1
+++ radiusd/src/modules/rlm_sql/rlm_sql.c	2005/05/18 13:22:18	1.131.2.3
@@ -2,7 +2,7 @@
  * rlm_sql.c		SQL Module
  * 		Main SQL module file. Most ICRADIUS code is located in sql.c
  *
- * Version:	$Id$
+ * Version:	$Id$
  *
  *   This program is free software; you can redistribute it and/or modify
  *   it under the terms of the GNU General Public License as published by
@@ -24,7 +24,7 @@
  */
 
 static const char rcsid[] =
-	"$Id$";
+	"$Id$";
 
 #include "autoconf.h"
 
@@ -158,6 +158,7 @@ static int rlm_sql_init(void) {
  */
 static int sql_set_user(SQL_INST *inst, REQUEST *request, char *sqlusername, const char *username);
 static int generate_sql_clients(SQL_INST *inst);
+static int sql_escape_func(char *out, int outlen, const char *in);
 
 /*
  *	sql xlat function. Right now only SELECTs are supported. Only
@@ -184,7 +185,7 @@ static int sql_xlat(void *instance, REQU
 	/*
 	 * Do an xlat on the provided string (nice recursive operation).
 	 */
-	if (!radius_xlat(querystr, sizeof(querystr), fmt, request, func)) {
+	if (!radius_xlat(querystr, sizeof(querystr), fmt, request, sql_escape_func)) {
 		radlog(L_ERR, "rlm_sql (%s): xlat failed.",
 		       inst->config->xlat_name);
 		return 0;
@@ -409,18 +410,18 @@ static int sql_escape_func(char *out, in
 
 	while (in[0]) {
 		/*
-		 *  Only one byte left.
-		 */
-		if (outlen <= 1) {
-			break;
-		}
-
-		/*
 		 *	Non-printable characters get replaced with their
 		 *	mime-encoded equivalents.
 		 */
 		if ((in[0] < 32) ||
 		    strchr(allowed_chars, *in) == NULL) {
+			/*
+			 *	Only 3 or less bytes available.
+			 */
+			if (outlen <= 3) {
+				break;
+			}
+
 			snprintf(out, outlen, "=%02X", (unsigned char) in[0]);
 			in++;
 			out += 3;
@@ -430,7 +431,14 @@ static int sql_escape_func(char *out, in
 		}
 
 		/*
-		 *	Else it's a nice character.
+		 *	Only one byte left.
+		 */
+		if (outlen <= 1) {
+			break;
+		}
+
+		/*
+		 *	Allowed character.
 		 */
 		*out = *in;
 		out++;
@@ -517,7 +525,7 @@ static int sql_groupcmp(void *instance, 
 	 */
 	if (sql_set_user(inst, req, sqlusername, 0) < 0)
 		return 1;
-	if (!radius_xlat(querystr, sizeof(querystr), inst->config->groupmemb_query, req, NULL)){
+	if (!radius_xlat(querystr, sizeof(querystr), inst->config->groupmemb_query, req, sql_escape_func)){
 		radlog(L_ERR, "rlm_sql (%s): xlat failed.",
 		       inst->config->xlat_name);
 		/* Remove the username we (maybe) added above */
@@ -1149,7 +1157,7 @@ static int rlm_sql_checksimul(void *inst
 	if(sql_set_user(inst, request, sqlusername, 0) <0)
 		return RLM_MODULE_FAIL;
 
-	radius_xlat(querystr, sizeof(querystr), inst->config->simul_count_query, request, NULL);
+	radius_xlat(querystr, sizeof(querystr), inst->config->simul_count_query, request, sql_escape_func);
 
 	/* initialize the sql socket */
 	sqlsocket = sql_get_socket(inst);
@@ -1193,7 +1201,7 @@ static int rlm_sql_checksimul(void *inst
 		return RLM_MODULE_OK;
 	}
 
-	radius_xlat(querystr, sizeof(querystr), inst->config->simul_verify_query, request, NULL);
+	radius_xlat(querystr, sizeof(querystr), inst->config->simul_verify_query, request, sql_escape_func);
 	if(rlm_sql_select_query(sqlsocket, inst, querystr)) {
 		radlog(L_ERR, "rlm_sql (%s): sql_checksimul: Database query error", inst->config->xlat_name);
 		sql_release_socket(inst, sqlsocket);
Commit	Line	Data
a441bef9 JK	1	===================================================================
	2	RCS file: /web/pages/us.freeradius.org/cvs/radiusd/src/modules/rlm_sql/rlm_sql.c,v
	3	retrieving revision 1.131.2.1
	4	retrieving revision 1.131.2.3
	5	diff -u -p -r1.131.2.1 -r1.131.2.3
	6	--- radiusd/src/modules/rlm_sql/rlm_sql.c 2004/09/30 14:54:22 1.131.2.1
	7	+++ radiusd/src/modules/rlm_sql/rlm_sql.c 2005/05/18 13:22:18 1.131.2.3
	8	@@ -2,7 +2,7 @@
	9	* rlm_sql.c SQL Module
	10	* Main SQL module file. Most ICRADIUS code is located in sql.c
	11	*
	12	- * Version: $Id$
	13	+ * Version: $Id$
	14	*
	15	* This program is free software; you can redistribute it and/or modify
	16	* it under the terms of the GNU General Public License as published by
	17	@@ -24,7 +24,7 @@
	18	*/
	19
	20	static const char rcsid[] =
	21	- "$Id$";
	22	+ "$Id$";
	23
	24	#include "autoconf.h"
	25
	26	@@ -158,6 +158,7 @@ static int rlm_sql_init(void) {
	27	*/
	28	static int sql_set_user(SQL_INST inst, REQUEST request, char sqlusername, const char username);
	29	static int generate_sql_clients(SQL_INST *inst);
	30	+static int sql_escape_func(char out, int outlen, const char in);
	31
	32	/*
	33	* sql xlat function. Right now only SELECTs are supported. Only
	34	@@ -184,7 +185,7 @@ static int sql_xlat(void *instance, REQU
	35	/*
	36	* Do an xlat on the provided string (nice recursive operation).
	37	*/
	38	- if (!radius_xlat(querystr, sizeof(querystr), fmt, request, func)) {
	39	+ if (!radius_xlat(querystr, sizeof(querystr), fmt, request, sql_escape_func)) {
	40	radlog(L_ERR, "rlm_sql (%s): xlat failed.",
	41	inst->config->xlat_name);
	42	return 0;
	43	@@ -409,18 +410,18 @@ static int sql_escape_func(char *out, in
	44
	45	while (in[0]) {
	46	/*
	47	- * Only one byte left.
	48	- */
	49	- if (outlen <= 1) {
	50	- break;
	51	- }
	52	-
	53	- /*
	54	* Non-printable characters get replaced with their
	55	* mime-encoded equivalents.
	56	*/
	57	if ((in[0] < 32) \|\|
	58	strchr(allowed_chars, *in) == NULL) {
	59	+ /*
	60	+ * Only 3 or less bytes available.
	61	+ */
	62	+ if (outlen <= 3) {
	63	+ break;
	64	+ }
65	+
66	snprintf(out, outlen, "=%02X", (unsigned char) in[0]);
67	in++;
68	out += 3;
69	@@ -430,7 +431,14 @@ static int sql_escape_func(char *out, in
70	}
71
72	/*
73	- * Else it's a nice character.
74	+ * Only one byte left.
75	+ */
76	+ if (outlen <= 1) {
77	+ break;
78	+ }
79	+
80	+ /*
81	+ * Allowed character.
82	*/
83	out = in;
84	out++;
85	@@ -517,7 +525,7 @@ static int sql_groupcmp(void *instance,
86	*/
87	if (sql_set_user(inst, req, sqlusername, 0) < 0)
88	return 1;
89	- if (!radius_xlat(querystr, sizeof(querystr), inst->config->groupmemb_query, req, NULL)){
90	+ if (!radius_xlat(querystr, sizeof(querystr), inst->config->groupmemb_query, req, sql_escape_func)){
91	radlog(L_ERR, "rlm_sql (%s): xlat failed.",
92	inst->config->xlat_name);
93	/* Remove the username we (maybe) added above */
94	@@ -1149,7 +1157,7 @@ static int rlm_sql_checksimul(void *inst
95	if(sql_set_user(inst, request, sqlusername, 0) <0)
96	return RLM_MODULE_FAIL;
97
98	- radius_xlat(querystr, sizeof(querystr), inst->config->simul_count_query, request, NULL);
99	+ radius_xlat(querystr, sizeof(querystr), inst->config->simul_count_query, request, sql_escape_func);
100
101	/* initialize the sql socket */
102	sqlsocket = sql_get_socket(inst);
103	@@ -1193,7 +1201,7 @@ static int rlm_sql_checksimul(void *inst
104	return RLM_MODULE_OK;
105	}
106
107	- radius_xlat(querystr, sizeof(querystr), inst->config->simul_verify_query, request, NULL);
108	+ radius_xlat(querystr, sizeof(querystr), inst->config->simul_verify_query, request, sql_escape_func);
109	if(rlm_sql_select_query(sqlsocket, inst, querystr)) {
110	radlog(L_ERR, "rlm_sql (%s): sql_checksimul: Database query error", inst->config->xlat_name);
111	sql_release_socket(inst, sqlsocket);