a441bef9 JK |
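===================================================================
RCS file: /web/pages/us.freeradius.org/cvs/radiusd/src/modules/rlm_sql/rlm_sql.c,v
retrieving revision 1.131.2.1
retrieving revision 1.131.2.3
diff -u -p -r1.131.2.1 -r1.131.2.3
--- radiusd/src/modules/rlm_sql/rlm_sql.c 2004/09/30 14:54:22 1.131.2.1
+++ radiusd/src/modules/rlm_sql/rlm_sql.c 2005/05/18 13:22:18 1.131.2.3
@@ -2,7 +2,7 @@
  * rlm_sql.c SQL Module
  * Main SQL module file. Most ICRADIUS code is located in sql.c
  *
- * Version: $Id$
+ * Version: $Id$
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -24,7 +24,7 @@
  */
 
 static const char rcsid[] =
- "$Id$";
+ "$Id$";
 
 #include "autoconf.h"
 
@@ -158,6 +158,7 @@ static int rlm_sql_init(void) {
  */
 static int sql_set_user(SQL_INST *inst, REQUEST *request, char *sqlusername, const char *username);
 static int generate_sql_clients(SQL_INST *inst);
+static int sql_escape_func(char *out, int outlen, const char *in);
 
 /*
  * sql xlat function. Right now only SELECTs are supported. Only
@@ -184,7 +185,7 @@ static int sql_xlat(void *instance, REQU
 /*
  * Do an xlat on the provided string (nice recursive operation).
  */
- if (!radius_xlat(querystr, sizeof(querystr), fmt, request, func)) {
+ if (!radius_xlat(querystr, sizeof(querystr), fmt, request, sql_escape_func)) {
 radlog(L_ERR, "rlm_sql (%s): xlat failed.",
 inst->config->xlat_name);
 return 0;
@@ -409,18 +410,18 @@ static int sql_escape_func(char *out, in
 
 while (in[0]) {
 /*
- * Only one byte left.
- */
- if (outlen <= 1) {
- break;
- }
-
- /*
  * Non-printable characters get replaced with their
  * mime-encoded equivalents.
  */
 if ((in[0] < 32) ||
 strchr(allowed_chars, *in) == NULL) {
+ /*
+ * Only 3 or less bytes available.
+ */
+ if (outlen <= 3) {
+ break;
+ }
+
 snprintf(out, outlen, "=%02X", (unsigned char) in[0]);
 in++;
 out += 3;
@@ -430,7 +431,14 @@ static int sql_escape_func(char *out, in
 }
 
 /*
- * Else it's a nice character.
+ * Only one byte left.
+ */
+ if (outlen <= 1) {
+ break;
+ }
+
+ /*
+ * Allowed character.
  */
 *out = *in;
 out++;
@@ -517,7 +525,7 @@ static int sql_groupcmp(void *instance,
  */
 if (sql_set_user(inst, req, sqlusername, 0) < 0)
 return 1;
- if (!radius_xlat(querystr, sizeof(querystr), inst->config->groupmemb_query, req, NULL)){
+ if (!radius_xlat(querystr, sizeof(querystr), inst->config->groupmemb_query, req, sql_escape_func)){
 radlog(L_ERR, "rlm_sql (%s): xlat failed.",
 inst->config->xlat_name);
 /* Remove the username we (maybe) added above */
@@ -1149,7 +1157,7 @@ static int rlm_sql_checksimul(void *inst
 if(sql_set_user(inst, request, sqlusername, 0) <0)
 return RLM_MODULE_FAIL;
 
- radius_xlat(querystr, sizeof(querystr), inst->config->simul_count_query, request, NULL);
+ radius_xlat(querystr, sizeof(querystr), inst->config->simul_count_query, request, sql_escape_func);
 
 /* initialize the sql socket */
 sqlsocket = sql_get_socket(inst);
@@ -1193,7 +1201,7 @@ static int rlm_sql_checksimul(void *inst
 return RLM_MODULE_OK;
 }
 
- radius_xlat(querystr, sizeof(querystr), inst->config->simul_verify_query, request, NULL);
+ radius_xlat(querystr, sizeof(querystr), inst->config->simul_verify_query, request, sql_escape_func);
 if(rlm_sql_select_query(sqlsocket, inst, querystr)) {
 radlog(L_ERR, "rlm_sql (%s): sql_checksimul: Database query error", inst->config->xlat_name);
 sql_release_socket(inst, sqlsocket);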
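Review bot: The return value of radius_xlat() is still discarded at both rlm_sql_checksimul call sites (the simul_count_query and simul_verify_query expansions in the last two hunks), whereas the sql_xlat and sql_groupcmp sites changed in this same diff treat a zero return as a failure and log it. Now that sql_escape_func can stop early when the output buffer runs short, a failed expansion leaves querystr in whatever state radius_xlat left it and rlm_sql_select_query still executes it; guarding both sites with the pattern already used above, `if (!radius_xlat(querystr, sizeof(querystr), inst->config->simul_count_query, request, sql_escape_func)) { radlog(L_ERR, "rlm_sql (%s): xlat failed.", inst->config->xlat_name); return RLM_MODULE_FAIL; }`, keeps the three callers consistent (the verify site presumably also has to release the socket first, which I cannot see from here). The protection this change adds holds only for call sites that pass sql_escape_func, so any radius_xlat() call in rlm_sql.c outside these hunks that still passes NULL would interpolate attribute values into its query unescaped and is worth checking before merge. The bodies of rlm_sql_checksimul and sql_escape_func extend beyond the hunks shown.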