From: Alan T. DeKok
Date: Mon, 30 Nov 2015 16:01:24 +0000 (-0500)
Subject: Notes on embedded zeros in passwords
X-Git-Tag: release_3_0_11~128
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=244a0f3dc3cb0dbfd2c52bd94f9542616fb8894a;p=thirdparty%2Ffreeradius-server.git

Notes on embedded zeros in passwords
---

diff --git a/raddb/policy.d/filter b/raddb/policy.d/filter
index 31b12b5feb4..7acf12f265c 100644
--- a/raddb/policy.d/filter
+++ b/raddb/policy.d/filter
@@ -93,3 +93,19 @@ filter_username {
 reject
 }
 }
+
+#
+# Filter the User-Password
+#
+# Some equipment sends passwords with embedded zeros.
+# This poliocy filters them out.
+#
+filter_password {
+ if (&User-Password &&
+ (&User-Password != "%{string:User-Password}")) {
+ update request {
+ &Tmp-String-0 := "%{string:User-Password}"
+ &User-Password := "%{string:Tmp-String-0}"
+ }
+ }
+}
diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index e16363f12d3..84b34dcd3bf 100644
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -261,6 +261,16 @@ authorize {
 #
 filter_username
+ #
+ # Some broken equipment sends passwords with embedded zeros.
+ # i.e. the debug output will show
+ #
+ # User-Password = "password\000\000"
+ #
+ # This policy will fix it to just be "password".
+ #
+# filter_password
+
 #
 # The preprocess module takes care of sanitizing some bizarre
 # attributes in the request, and turning them into attributes
diff --git a/src/main/xlat.c b/src/main/xlat.c
index 87c206fe409..31410b06b2a 100644
--- a/src/main/xlat.c
+++ b/src/main/xlat.c
@@ -623,6 +623,10 @@ static ssize_t xlat_string(UNUSED void *instance, REQUEST *request,
 len = fr_prints(out, outlen, (char const *) p, vp->vp_length, '"');
 break;
+ /*
+ * Note that "%{string:...}" is NOT binary safe!
+ * It is explicitly used to get rid of embedded zeros.
+ */
 case PW_TYPE_STRING:
 len = strlcpy(out, vp->vp_strvalue, outlen);
 break;
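Review bot: The header comment on filter_password says the policy "filters out" embedded zeros, but the `%{string:User-Password}` expansion it relies on stops at the first NUL, so a value such as `"pa\000ss"` becomes `"pa"`, not `"pass"`; the comment should state this, e.g. `#  Note: the value is cut at the FIRST embedded zero, so only trailing zeros can be removed without changing the password.` Enabling this policy for equipment that legitimately carries a zero in the middle of a password would silently authenticate against a prefix of the real password, so the header should warn that it is only appropriate where the zeros are known to be trailing padding. The typo `poliocy` in the same comment should read `policy`, and the detour through `Tmp-String-0` deserves a one-line why-comment, since it is not obvious why `&User-Password` is not assigned from `%{string:User-Password}` directly.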
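Review bot: The new comment block above the commented-out `filter_password` call describes only the trailing-zero case (`"password\000\000"` becoming `"password"`), but the policy it refers to truncates at the first zero wherever it appears, and an administrator reading only this file would not know that; suggest adding `#  Note: everything after the first embedded zero is dropped, so only enable this if the zeros are known to be trailing padding.` The hunk correctly leaves the call disabled by default, which is the right choice given that caveat. The authorize section continues outside the hunk.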
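Review bot: The added comment says `%{string:...}` is "NOT binary safe" but does not say why or for which case, and from the surrounding lines that scope matters: the PW_TYPE_STRING branch copies with `strlcpy(out, vp->vp_strvalue, outlen)`, which stops at the first NUL and never looks at `vp->vp_length`, whereas the branch just above calls `fr_prints(..., vp->vp_length, '"')` and so does handle embedded zeros. Suggest making the comment precise, e.g. ` * For PW_TYPE_STRING, strlcpy() stops at the first NUL in vp_strvalue and ignores vp_length, so anything after an embedded zero is dropped; the filter_password policy depends on this.` Separately, strlcpy() returns the full source length, so `len` can exceed `outlen` when the value is truncated; whether the caller treats the return value as bytes written cannot be seen here, as xlat_string continues outside the hunk, and is worth confirming.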