SOURCES: freeradius-sql_injection.patch (NEW) - fix for http://www...

jajcus jajcus at pld-linux.org
Thu Aug 4 18:52:29 CEST 2005 

Author: jajcus                       Date: Thu Aug  4 16:52:29 2005 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- fix for http://www.gentoo.org/security/en/glsa/glsa-200505-13.xml

---- Files affected:
SOURCES:
   freeradius-sql_injection.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/freeradius-sql_injection.patch
diff -u /dev/null SOURCES/freeradius-sql_injection.patch:1.1
--- /dev/null	Thu Aug  4 18:52:29 2005
+++ SOURCES/freeradius-sql_injection.patch	Thu Aug  4 18:52:24 2005
@@ -0,0 +1,111 @@
+===================================================================
+RCS file: /web/pages/us.freeradius.org/cvs/radiusd/src/modules/rlm_sql/rlm_sql.c,v
+retrieving revision 1.131.2.1
+retrieving revision 1.131.2.3
+diff -u -p -r1.131.2.1 -r1.131.2.3
+--- radiusd/src/modules/rlm_sql/rlm_sql.c	2004/09/30 14:54:22	1.131.2.1
++++ radiusd/src/modules/rlm_sql/rlm_sql.c	2005/05/18 13:22:18	1.131.2.3
+@@ -2,7 +2,7 @@
+  * rlm_sql.c		SQL Module
+  * 		Main SQL module file. Most ICRADIUS code is located in sql.c
+  *
+- * Version:	$Id$
++ * Version:	$Id$
+  *
+  *   This program is free software; you can redistribute it and/or modify
+  *   it under the terms of the GNU General Public License as published by
+@@ -24,7 +24,7 @@
+  */
+ 
+ static const char rcsid[] =
+-	"$Id$";
++	"$Id$";
+ 
+ #include "autoconf.h"
+ 
+@@ -158,6 +158,7 @@ static int rlm_sql_init(void) {
+  */
+ static int sql_set_user(SQL_INST *inst, REQUEST *request, char *sqlusername, const char *username);
+ static int generate_sql_clients(SQL_INST *inst);
++static int sql_escape_func(char *out, int outlen, const char *in);
+ 
+ /*
+  *	sql xlat function. Right now only SELECTs are supported. Only
+@@ -184,7 +185,7 @@ static int sql_xlat(void *instance, REQU
+ 	/*
+ 	 * Do an xlat on the provided string (nice recursive operation).
+ 	 */
+-	if (!radius_xlat(querystr, sizeof(querystr), fmt, request, func)) {
++	if (!radius_xlat(querystr, sizeof(querystr), fmt, request, sql_escape_func)) {
+ 		radlog(L_ERR, "rlm_sql (%s): xlat failed.",
+ 		       inst->config->xlat_name);
+ 		return 0;
+@@ -409,18 +410,18 @@ static int sql_escape_func(char *out, in
+ 
+ 	while (in[0]) {
+ 		/*
+-		 *  Only one byte left.
+-		 */
+-		if (outlen <= 1) {
+-			break;
+-		}
+-
+-		/*
+ 		 *	Non-printable characters get replaced with their
+ 		 *	mime-encoded equivalents.
+ 		 */
+ 		if ((in[0] < 32) ||
+ 		    strchr(allowed_chars, *in) == NULL) {
++			/*
++			 *	Only 3 or less bytes available.
++			 */
++			if (outlen <= 3) {
++				break;
++			}
++
+ 			snprintf(out, outlen, "=%02X", (unsigned char) in[0]);
+ 			in++;
+ 			out += 3;
+@@ -430,7 +431,14 @@ static int sql_escape_func(char *out, in
+ 		}
+ 
+ 		/*
+-		 *	Else it's a nice character.
++		 *	Only one byte left.
++		 */
++		if (outlen <= 1) {
++			break;
++		}
++
++		/*
++		 *	Allowed character.
+ 		 */
+ 		*out = *in;
+ 		out++;
+@@ -517,7 +525,7 @@ static int sql_groupcmp(void *instance, 
+ 	 */
+ 	if (sql_set_user(inst, req, sqlusername, 0) < 0)
+ 		return 1;
+-	if (!radius_xlat(querystr, sizeof(querystr), inst->config->groupmemb_query, req, NULL)){
++	if (!radius_xlat(querystr, sizeof(querystr), inst->config->groupmemb_query, req, sql_escape_func)){
+ 		radlog(L_ERR, "rlm_sql (%s): xlat failed.",
+ 		       inst->config->xlat_name);
+ 		/* Remove the username we (maybe) added above */
+@@ -1149,7 +1157,7 @@ static int rlm_sql_checksimul(void *inst
+ 	if(sql_set_user(inst, request, sqlusername, 0) <0)
+ 		return RLM_MODULE_FAIL;
+ 
+-	radius_xlat(querystr, sizeof(querystr), inst->config->simul_count_query, request, NULL);
++	radius_xlat(querystr, sizeof(querystr), inst->config->simul_count_query, request, sql_escape_func);
+ 
+ 	/* initialize the sql socket */
+ 	sqlsocket = sql_get_socket(inst);
+@@ -1193,7 +1201,7 @@ static int rlm_sql_checksimul(void *inst
+ 		return RLM_MODULE_OK;
+ 	}
+ 
+-	radius_xlat(querystr, sizeof(querystr), inst->config->simul_verify_query, request, NULL);
++	radius_xlat(querystr, sizeof(querystr), inst->config->simul_verify_query, request, sql_escape_func);
+ 	if(rlm_sql_select_query(sqlsocket, inst, querystr)) {
+ 		radlog(L_ERR, "rlm_sql (%s): sql_checksimul: Database query error", inst->config->xlat_name);
+ 		sql_release_socket(inst, sqlsocket);
================================================================

More information about the pld-cvs-commit mailing list