and correct the filter_password policy so that it works
# This policy filters them out.
#
filter_password {
- if (&User-Password && \
- (&User-Password != "%string(User-Password)")) {
- string tmp
- &tmp := %string(User-Password)
- &request.User-Password := %string(tmp)
- }
+ if &User-Password {
+ group tmp
+ octets delim
+
+ #
+ # Because "\000" yields "zero length delimiter is not allowed"
+ #
+ &delim = 0x00
+ &tmp.User-Password := %explode(%{User-Password}, "%{delim}")
+
+ &User-Password := &tmp.User-Password[0]
+ }
}
filter_inner_identity {
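Review bot: The new body of filter_password keeps only `&tmp.User-Password[0]`, so a password with a NUL in the middle followed by more data (the `bob\000hello` shape used in the accompanying test) is silently truncated instead of being flagged. The policy's header comment is cut off above the hunk, so the intent is inferred, but if the goal is only to drop trailing NUL padding, silent truncation makes two different submitted values compare equal at authentication. Consider rejecting, or at least logging, when `%explode` yields more than one non-empty element, and add a comment above the final assignment such as `# Keeps only the bytes before the first NUL; anything after it is discarded`. The hunk also does not show what `[0]` holds when the value starts with a NUL, so that case deserves an explicit check or test.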
--- /dev/null
+#
+# Tests for NUL in the middle of a string
+#
+
+&Reply-Message := "bob\000hello"
+
+#
+# Commented out because it fails
+#
+#if %length("\000") != 1 {
+# test_fail
+#}
+
+if &Reply-Message {
+ group tmp
+ octets delim
+
+ #
+ # Because "\000" yields "zero length delimiter is not allowed"
+ #
+ &delim = 0x00
+ &tmp.Reply-Message := %explode(%{Reply-Message}, "%{delim}")
+
+ &Reply-Message := &tmp.Reply-Message[0]
+}
+
+if &Reply-Message != "bob" {
+ test_fail
+}
+
+success
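Review bot: This test re-implements the split inline on `&Reply-Message` instead of exercising `filter_password`, so a later change to the policy body would not be caught by it; if the test harness can load policies, calling the policy directly would close that gap. It also covers only a NUL in the middle of the value. Cases worth adding are a value with no NUL, one with only trailing NULs, and one that starts with a NUL, since the policy takes element `[0]` unconditionally. The commented-out `%length("\000") != 1` check records a known failure, and a comment naming where it is tracked (placeholder: `# see issue <ISSUE-ID>`) would keep it from being forgotten.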