Ensure values are strings before attempting SQL escaping
authorNick Porter <nick@portercomputing.co.uk>
Thu, 18 Jan 2024 10:06:16 +0000 (10:06 +0000)
committerNick Porter <nick@portercomputing.co.uk>
Thu, 18 Jan 2024 18:12:54 +0000 (18:12 +0000)
src/modules/rlm_sql/rlm_sql.c

index b7b957c80d97eb925330fb24c5be220c7928de34..3c4df2eef2979e6eeaa323f7957385af28a21cc6 100644 (file)
@@ -200,10 +200,16 @@ static int sql_xlat_escape(request_t *request, fr_value_box_t *vb, void *uctx)
 
        handle = fr_pool_connection_get(inst->pool, request);
        if (!handle) {
+       error:
                fr_value_box_clear_value(vb);
                return -1;
        }
 
+       /*
+        *      Escaping functions work on strings - ensure the box is a string
+        */
+       if ((vb->type != FR_TYPE_STRING) && (fr_value_box_cast_in_place(vb, vb, FR_TYPE_STRING, NULL) < 0)) goto error;
+
        /*
         *      Maximum escaped length is 3 * original - if every character needs escaping
         */
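Review bot: The new `goto error` on the cast check runs after `fr_pool_connection_get()` has already succeeded, but the `error:` label sits inside the `if (!handle)` block and only clears the box and returns -1, so on a failed cast the pool connection appears never to be handed back. If request-supplied values can make the string cast fail, repeated failures could drain the SQL connection pool and stall later queries. Either release before jumping, `fr_pool_connection_release(inst->pool, request, handle);` ahead of the `goto error`, or move the type check above the `fr_pool_connection_get()` call so no handle is held when it fails. The rest of `sql_xlat_escape`, including its normal release path, lies outside this hunk, so this should be confirmed against the full function.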