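FreeRADIUS 3 stores # in the group name in %{SQL-Group} as =23

Time: 2019-02-10 09:53:44

Tags: mysql freeradius

I have a user Bipin linked to a user group named #dl#-daily-plan, which FR is able to read from the MySQL DB, but it stores it in %{SQL-Group} as =23dl=23-daily-plan. Is there any particular reason for this, as I'm on FR's original configuration, and it seems to happen in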

rlm_sql (sql): Reserved connection (7)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'Bipin' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'Bipin' ORDER BY id
(1) sql: User found in radcheck table
(1) sql: Conditional check items matched, merging assignment check items
(1) sql:   Cleartext-Password := "bipin"
(1) sql:   Expiration := "Feb 10 2020 00:00:00 +04"
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'Bipin' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'Bipin' ORDER BY id
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'Bipin' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'Bipin' ORDER BY priority
(1) sql: User found in the group table
(1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(1) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '=23dl=23-daily-plan' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '=23dl=23-daily-plan' ORDER BY id
(1) sql: Group "#dl#-daily-plan": Conditional check items matched
(1) sql: Group "#dl#-daily-plan": Merging assignment check items
(1) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(1) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '=23dl=23-daily-plan' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '=23dl=23-daily-plan' ORDER BY id
(1) sql: Group "#dl#-daily-plan": Merging reply items
rlm_sql (sql): Released connection (7)

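1 answer:

Answer 0: (score: 0)

This is not a bug but expected behaviour. To prevent SQL injection, there is a list of safe characters (safe_characters) that are passed through as-is; all other characters are converted to this hex escape notation before being used in a query.

To work around this, there are two options:

  1. Rename the groups in the database table to use this escaped form.
  2. Add # to the list of safe characters (at your own risk)
  3. Insert a call to a stored procedure in the query to convert =HH back into characters.
  4. Wait for the 3.0.18 release, then use the option auto_escape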
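The escaping described in the answer, modelled as an added example (not part of the original answer and not FreeRADIUS's own code). The safe_characters value, the uppercase =HH form and the byte-wise handling are assumptions, and all function names are hypothetical; `audit_group_names` lists which stored group names stop matching after expansion and the escaped form option 1 would rename them to.

```python
import re

# Assumed stock value of safe_characters; confirm it in your mods-available/sql.
SAFE_CHARACTERS = ("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "0123456789.-_: /")


def sql_escape(value, safe=SAFE_CHARACTERS):
    """Simplified model: safe characters pass through, every other byte becomes =HH."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte < 128 and ch in safe:
            out.append(ch)
        else:
            # '=' itself is not in the safe list, so it becomes =3D and
            # the escaped form can be decoded without ambiguity.
            out.append("=%02X" % byte)
    return "".join(out)


def sql_unescape(value):
    """Reverse the =HH notation (the job of the stored procedure in option 3)."""
    raw = re.sub(rb"=([0-9A-Fa-f]{2})",
                 lambda m: bytes([int(m.group(1), 16)]),
                 value.encode("utf-8"))
    return raw.decode("utf-8")


def audit_group_names(names, safe=SAFE_CHARACTERS):
    """Map each group name that escaping would alter to its escaped form."""
    return {n: sql_escape(n, safe) for n in names if sql_escape(n, safe) != n}


if __name__ == "__main__":
    # Constructed sample of radusergroup.groupname values.
    groups = ["#dl#-daily-plan", "staff", "night shift", "o'brien-plan"]
    for stored, escaped in audit_group_names(groups).items():
        print(f"{stored!r} is looked up as {escaped!r}")
    # Option 2: with '#' added to the safe list the name passes unchanged.
    print(sql_escape("#dl#-daily-plan", SAFE_CHARACTERS + "#"))
```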