]> git.ipfire.org Git - thirdparty/freeradius-server.git/commitdiff
projects / thirdparty / freeradius-server.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f58a479)
more sanity checks on operators
authorAlan T. DeKok <aland@freeradius.org>
Mon, 25 Dec 2023 15:01:37 +0000 (10:01 -0500)
committerAlan T. DeKok <aland@freeradius.org>
Mon, 25 Dec 2023 15:01:37 +0000 (10:01 -0500)
src/lib/server/map.c patch | blob | blame | history
src/modules/rlm_attr_filter/rlm_attr_filter.c patch | blob | blame | history
src/modules/rlm_files/rlm_files.c patch | blob | blame | history
src/tests/modules/attr_filter/filter patch | blob | blame | history

diff --git a/src/lib/server/map.c b/src/lib/server/map.c
index acdd88b3f53d9923959803ae7ff8335c9dfdf630..06c6cc198b47b8fbaddc83ad2dc92cae50857008 100644 (file)
--- a/src/lib/server/map.c
+++ b/src/lib/server/map.c
@@ -527,15 +527,17 @@ ssize_t map_afrom_substr(TALLOC_CTX *ctx, map_t **out, map_t **parent_p, fr_sbuf
                fr_strerror_const("Invalid operator");
                goto error_adj;
        }
-
+       
        /*
-        *      This function is ONLY called for legacy operators.
+        *      Validate operators for check items.
+        *
+        *      We can have comparison operators for reply items, as the rlm_attr_filter module
+        *      uses that.
         *
-        *      radius_legacy_map_cmp() and radius_legacy_map_apply() do not support complex
-        *      comparisons or updates.
+        *      However, we can't do comparisons on structural entries, except for existence checks.
         */
-       if (tmpl_attr_tail_da_is_structural(map->lhs)) {
-               if (fr_comparison_op[map->op]) {
+       if (!parent_p && tmpl_attr_tail_da_is_structural(map->lhs)) {
+               if (fr_comparison_op[map->op] && (map->op != T_OP_CMP_TRUE) && (map->op != T_OP_CMP_FALSE)) {
                        fr_sbuff_set(&our_in, &m_op);
                        fr_strerror_const("Comparison operators cannot be used inside of structural data types");
                        goto error;
@@ -563,6 +565,7 @@ ssize_t map_afrom_substr(TALLOC_CTX *ctx, map_t **out, map_t **parent_p, fr_sbuf
                case FR_TYPE_STRUCTURAL:
                        if ((map->op == T_OP_REG_EQ) || (map->op == T_OP_REG_NE)) {
                                fr_sbuff_set(&our_in, &m_op);
+                               fr_assert(0);
                                fr_strerror_const("Regular expressions cannot be used for structural attributes");
                                goto error;
                        }
diff --git a/src/modules/rlm_attr_filter/rlm_attr_filter.c b/src/modules/rlm_attr_filter/rlm_attr_filter.c
index ce29cd97f8bc39c1104101d53ff5c3b6280f0efd..c8ff1fbae3a42d9e5ec089d5ccb3857f5cbd5396 100644 (file)
--- a/src/modules/rlm_attr_filter/rlm_attr_filter.c
+++ b/src/modules/rlm_attr_filter/rlm_attr_filter.c
@@ -137,6 +137,12 @@ static int attr_filter_getfile(TALLOC_CTX *ctx, module_inst_ctx_t const *mctx, c
                                return -1;
                        }
 
+                       if (fr_assignment_op[map->op]) {
+                               ERROR("%s[%d] Filter %s contains invalid operator '%s'",
+                                     filename, entry->lineno, map->lhs->name, fr_tokens[map->op]);
+                               return -1;
+                       }
+
                        /*
                         *      Make sure that bad things don't happen.
                         */
diff --git a/src/modules/rlm_files/rlm_files.c b/src/modules/rlm_files/rlm_files.c
index bbf6d3be99bc95ccba67592e1035995b61f22211..6a1c8e93f2d35136c1f393ace24a8aa87b515617 100644 (file)
--- a/src/modules/rlm_files/rlm_files.c
+++ b/src/modules/rlm_files/rlm_files.c
@@ -203,7 +203,6 @@ static int getrecv_filename(TALLOC_CTX *ctx, char const *filename, fr_htrie_t **
                     map != NULL;
                     map = next_map) {
                        next_map = map_list_next(&entry->reply, map);
-
                        if (!tmpl_is_attr(map->lhs)) {
                                ERROR("%s[%d] Left side of reply item %s is not an attribute",
                                      entry->filename, entry->lineno, map->lhs->name);
@@ -211,9 +210,9 @@ static int getrecv_filename(TALLOC_CTX *ctx, char const *filename, fr_htrie_t **
                        }
                        da = tmpl_attr_tail_da(map->lhs);
 
-                       if (map->op == T_OP_CMP_FALSE) {
-                               ERROR("%s[%d] Invalid operator '!*' for reply item %s",
-                                     entry->filename, entry->lineno, map->lhs->name);
+                       if (fr_comparison_op[map->op] && (map->op != T_OP_LE) && (map->op != T_OP_GE)) {
+                               ERROR("%s[%d] Invalid operator reply item %s %s ...",
+                                     entry->filename, entry->lineno, map->lhs->name, fr_tokens[map->op]);
                                return -1;
                        }
 
diff --git a/src/tests/modules/attr_filter/filter b/src/tests/modules/attr_filter/filter
index 443b8f50f0c6d4ad9b60ea43b0806e0f5860d13c..8686fcba558ddb2a7bf8320bbb4693547771aea5 100644 (file)
--- a/src/tests/modules/attr_filter/filter
+++ b/src/tests/modules/attr_filter/filter
@@ -23,6 +23,7 @@ DEFAULT
        Error-Cause =* ANY,
        Reply-Message =* ANY,
        Vendor-Specific.Microsoft.CHAP-Error =* ANY,
+       Digest-Attributes =* ANY,
        Proxy-State =* ANY,
        Error-Cause =* ANY,
        User-Name =* ANY,
Mirror of https://github.com/FreeRADIUS/freeradius-server.git