Chris wrote: > I guess the trick is fixing it (breaking it?) so this works without > opening up any vectors for injection attacks. Would it be safe to > exclude the "control" list from being escaped like this? It seems that > only attributes in the the request and proxy-request lists would be the > real problems.
Yes and no. The best way is via a "tainted" flag, like Perl. But that involves a lot more work. > Would it have been so difficult to say "man unlang see update" instead > of just "man unlang"? You spent more time complaining about the way I > asked the question than it would have taken to answer it. ;) Exactly. I wish to emphasize *thinking* and *reading*. Answering questions by cutting & pasting portions of the documentation is a disservice to everyone. It has it's appeal, but it's wrong. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
