James J J Hooper <[EMAIL PROTECTED]> wrote:
> Does FreeRADIUS taint check (i.e. escape certain characters)? If not,
> does the plain text password auth bit of the page have security
> considerations?

No. It doesn't need to. That's the responsibility of the program being executed.

i.e. FreeRADIUS calls the "execve" function, not "system", so the shell is never used, and *no* input characters are special.

i.e. Try passing the string "$$" as the User-Name in the examples on the web page. You will see "$$" being passed as an argument, and not the PID of the shell.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog

