On Apr 24, 2008, at 11:57 AM, Alan DeKok wrote:

Chris wrote:
I guess the trick is fixing it (breaking it?) so this works without
opening up any vectors for injection attacks.  Would it be safe to
exclude the "control" list from being escaped like this? It seems that only attributes in the request and proxy-request lists would be the
real problems.

 Yes and no.  The best way is via a "tainted" flag, like Perl.  But
that involves a lot more work.


Certainly better from my perspective to work within the current capabilities. I've pared what would have been about six different ldap modules per redundant server down to two, so I'm happy. I *could* probably get it down to one but I don't think the extra complexity to do so would outweigh the gains.

Would it have been so difficult to say "man unlang see update" instead of just "man unlang"? You spent more time complaining about the way I
asked the question than it would have taken to answer it. ;)

 Exactly.

 I wish to emphasize *thinking* and *reading*.  Answering questions by
cutting & pasting portions of the documentation is a disservice to
everyone.  It has its appeal, but it's wrong.

Hardly suggesting a cut-and-paste, but okay.

Thanks again for the help.
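An added illustration of the "tainted flag" idea discussed above; this is example code written for this page, not code from the thread or from FreeRADIUS. It assumes a simplified `%{list:Attribute}` reference syntax and treats the request and proxy-request lists as untrusted, so only values drawn from them are filter-escaped before being expanded into an LDAP search filter.

```python
import re

# RFC 4515 escaping for a value placed inside an LDAP search filter.
def ldap_filter_escape(value: str) -> str:
    out = []
    for ch in value:
        if ch in '\\*()' or ord(ch) == 0:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)

# Lists whose values arrive from the wire (assumption for this example).
UNTRUSTED_LISTS = {'request', 'proxy-request'}

class Tainted(str):
    """A string whose content came from an untrusted attribute list."""

def get_attr(lists: dict, list_name: str, attr: str) -> str:
    # Values from untrusted lists carry the taint mark; control values do not.
    value = lists[list_name][attr]
    return Tainted(value) if list_name in UNTRUSTED_LISTS else value

# Hypothetical reference syntax: %{list:Attribute-Name}
_REF = re.compile(r'%\{([\w-]+):([\w-]+)\}')

def expand(template: str, lists: dict) -> str:
    """Expand references; tainted values are escaped, trusted ones pass through."""
    def sub(match):
        value = get_attr(lists, match.group(1), match.group(2))
        return ldap_filter_escape(value) if isinstance(value, Tainted) else value
    return _REF.sub(sub, template)

if __name__ == '__main__':
    # Constructed sample: the request value contains filter metacharacters,
    # the control value is set by the server's own configuration.
    sample = {
        'request': {'User-Name': 'bob)(cn=*'},
        'control': {'Ldap-Group': 'cn=radius(users),ou=groups'},
    }
    print(expand('(&(uid=%{request:User-Name})(memberOf=%{control:Ldap-Group}))', sample))
```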

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
