Hi All,

I'm new to RADIUS and have now encountered problems with
ldap_escape_func in rlm_ldap. Please help me, since it's really a bit urgent.

The comment regarding this function is 'Add an
ldap_escape_func. Escape the * character from the filter so that we can avoid
the trivial DoS of username=*'. If I am not wrong, this function intends to
filter out the * which follows the username, i.e., if the username is 'userid*'
in the access-request packet, ldapsearch is based only on 'userid'. But what's the
purpose of doing this, and is it secure? Or did I misunderstand the comment?

The latest version, freeradius-1.0.5, has a slightly
different version of this piece of code:
*****************************************************************
freeradius-1.0.5

    if (strchr("*=\\,()", *in))
    {
        static const char *hex = "0123456789abcdef";

        if (outlen <= 3) break;
        *(out++) = '\\';
        *(out++) = hex[((*in) >> 4) & 0x0f];
        *(out++) = hex[(*in) & 0x0f];
        outlen -= 3;
        continue;
    }

**************************************************************
freeradius-1.0.4 and previous

    if (strchr("*", *in))
    {
        in++;
        outlen--;
        continue;
    }

I couldn't figure out what the change intends to do. Is it to filter out
'*', '\\', '()' and '=' from the username? And why should it be that way?
Please help me. Thanks a lot in advance.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
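
Added example, not part of the original post and not FreeRADIUS source: the two quoted fragments rebuilt as complete functions so their output on the same username can be compared. The function names, the surrounding loops, the bounds handling and the sample usernames are assumptions made for illustration; the backslash plus two hex digits form is the escape that LDAP search filters define (RFC 4515).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper modelled on the 1.0.4 fragment: drop every '*'. */
static size_t strip_star(char *out, size_t outlen, const char *in)
{
    size_t len = 0;
    if (outlen == 0) return 0;
    for (; *in && len + 1 < outlen; in++) {
        if (*in == '*') continue;          /* character silently removed */
        out[len++] = *in;
    }
    out[len] = '\0';
    return len;
}

/* Hypothetical helper modelled on the 1.0.5 fragment: keep every character,
 * but write the special ones as '\' plus two hex digits. */
static size_t hex_escape(char *out, size_t outlen, const char *in)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = 0;
    if (outlen == 0) return 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int special = strchr("*=\\,()", c) != NULL;
        if (len + (special ? 4 : 2) > outlen) break;  /* bytes + NUL must fit */
        if (special) {
            out[len++] = '\\';
            out[len++] = hex[c >> 4];
            out[len++] = hex[c & 0x0f];
        } else {
            out[len++] = (char)c;
        }
    }
    out[len] = '\0';
    return len;
}

int main(void)
{
    const char *names[] = { "userid*", "*", "a(b)=c\\d" };  /* constructed */
    char a[64], b[64];
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        strip_star(a, sizeof(a), names[i]);
        hex_escape(b, sizeof(b), names[i]);
        printf("%-10s strip: (uid=%s)   escape: (uid=%s)\n", names[i], a, b);
    }
    return 0;
}
```

With stripping, 'userid*' is looked up as 'userid', a different name from the one submitted; with escaping it becomes 'userid\2a', which an LDAP server compares as a literal asterisk rather than a wildcard, and parentheses or '=' can no longer alter the filter's structure.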

