From: Arran Cudbard-Bell
Date: Tue, 27 Jun 2023 21:09:29 +0000 (-0400)
Subject: xlat: Don't "cast" octets string to hex. Leave them in their raw binary form
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2d6c39965e6a6d919041529d3ec4863e61007a4b;p=thirdparty%2Ffreeradius-server.git
xlat: Don't "cast" octets string to hex. Leave them in their raw binary form
---
diff --git a/src/lib/server/tmpl_eval.c b/src/lib/server/tmpl_eval.c
index a5213a59c95..36c89f2ca10 100644
--- a/src/lib/server/tmpl_eval.c
+++ b/src/lib/server/tmpl_eval.c
@@ -1492,16 +1492,6 @@ int tmpl_eval_cast_in_place(fr_value_box_list_t *list, tmpl_t const *vpt)
vb = fr_value_box_list_head(list);
if (!vb) return 0;
- /*
- * Convert directly to concatenated octets
- * don't go through a string representation
- * first.
- */
- if (fr_type_is_octets((cast))) {
- return fr_value_box_list_concat_in_place(vb, vb, list, FR_TYPE_OCTETS,
- FR_VALUE_BOX_LIST_FREE_BOX, true, SIZE_MAX);
- }
-
slen = fr_value_box_list_concat_in_place(vb, vb, list, FR_TYPE_STRING, FR_VALUE_BOX_LIST_FREE_BOX, true, SIZE_MAX);
if (slen < 0) return -1;
diff --git a/src/lib/unlang/xlat_builtin.c b/src/lib/unlang/xlat_builtin.c
index 306a20f5293..9b54e7f0a99 100644
--- a/src/lib/unlang/xlat_builtin.c
+++ b/src/lib/unlang/xlat_builtin.c
@@ -1435,11 +1435,11 @@ static xlat_action_t xlat_func_cast(TALLOC_CTX *ctx, fr_dcursor_t *out,
(void) fr_value_box_list_pop_head(args);
talloc_free(name);
- FR_SBUFF_TALLOC_THREAD_LOCAL(&agg, 256, 8192);
+ FR_SBUFF_TALLOC_THREAD_LOCAL(&agg, 256, SIZE_MAX);
MEM(dst = fr_value_box_alloc_null(ctx));
- if (fr_value_box_list_concat_as_string(NULL, agg, args, NULL, 0, &fr_value_escape_double,
- FR_VALUE_BOX_LIST_FREE_BOX, true, true) < 0) {
+ if (fr_value_box_list_concat_as_string(NULL, agg, args, NULL, 0, NULL,
+ FR_VALUE_BOX_LIST_FREE_BOX, true) < 0) {
RPEDEBUG("Failed concatenating string");
return XLAT_ACTION_FAIL;
}
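Review bot: A cast to octets in tmpl_eval_cast_in_place now goes through FR_TYPE_STRING concatenation with no comment replacing the deleted one, so nothing records why the string round trip is considered equivalent to the old direct octets path. Suggest putting `/* Octets boxes are copied raw by the string concatenation, so no separate octets path is needed; the cast below must preserve embedded NULs */` where the removed block stood. If the later string-to-octets cast parses its input (for instance treating a leading 0x as hex) instead of copying bytes, an octets value whose first bytes happen to be printable would be misinterpreted, so a test with such a value is worth adding. The function continues past the hunk, including the cast itself.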
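Review bot: The thread-local aggregation buffer in xlat_func_cast loses its 8192-byte ceiling in favour of SIZE_MAX, so it grows to whatever the cast arguments expand to and, being thread-local, keeps that size for the life of the thread. If the old limit was removed because it truncated legitimate casts, a large finite cap keeps the fix while still bounding the per-thread allocation. Replacing `&fr_value_escape_double` with NULL reads as intentional now that octets are copied raw, but neither the hunk nor the commit message says so; `/* no escaping: the result is re-parsed by the cast, and octets must stay binary-clean */` above the call would record it. xlat_func_cast begins outside the hunk.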
diff --git a/src/lib/unlang/xlat_expr.c b/src/lib/unlang/xlat_expr.c
index c68fdb7e1e7..8142f36f1bc 100644
--- a/src/lib/unlang/xlat_expr.c
+++ b/src/lib/unlang/xlat_expr.c
@@ -687,7 +687,7 @@ static xlat_action_t xlat_regex_match(TALLOC_CTX *ctx, request_t *request, fr_va
* Concatenate everything, and escape untrusted inputs.
*/
if (fr_value_box_list_concat_as_string(NULL, agg, &list, NULL, 0, ®ex_escape_rules,
- FR_VALUE_BOX_LIST_FREE_BOX, true, false) < 0) {
+ FR_VALUE_BOX_LIST_FREE_BOX, true) < 0) {
RPEDEBUG("Failed concatenating regular expression string");
talloc_free(regmatch);
return XLAT_ACTION_FAIL;
@@ -760,7 +760,7 @@ static xlat_action_t xlat_regex_resume(TALLOC_CTX *ctx, fr_dcursor_t *out,
* concatenate it here. We escape the various untrusted inputs.
*/
if (fr_value_box_list_concat_as_string(NULL, agg, &rctx->list, NULL, 0, ®ex_escape_rules,
- FR_VALUE_BOX_LIST_FREE_BOX, true, false) < 0) {
+ FR_VALUE_BOX_LIST_FREE_BOX, true) < 0) {
RPEDEBUG("Failed concatenating regular expression string");
return XLAT_ACTION_FAIL;
}
@@ -1556,7 +1556,7 @@ static xlat_action_t xlat_exists_resume(TALLOC_CTX *ctx, fr_dcursor_t *out,
* concatenate it here. We escape the various untrusted inputs.
*/
if (fr_value_box_list_concat_as_string(NULL, agg, &rctx->list, NULL, 0, NULL,
- FR_VALUE_BOX_LIST_FREE_BOX, true, true) < 0) {
+ FR_VALUE_BOX_LIST_FREE_BOX, true) < 0) {
RPEDEBUG("Failed concatenating attribute name string");
return XLAT_ACTION_FAIL;
}
diff --git a/src/lib/util/value.c b/src/lib/util/value.c
index 1bcde893181..aaddee70e65 100644
--- a/src/lib/util/value.c
+++ b/src/lib/util/value.c
@@ -5246,7 +5246,7 @@ ssize_t fr_value_box_print(fr_sbuff_t *out, fr_value_box_t const *data, fr_sbuff
FR_SBUFF_RETURN(fr_value_box_list_concat_as_string, NULL, &our_out, UNCONST(fr_value_box_list_t *, &data->vb_group), ", ", (sizeof(", ") - 1), e_rules,
- 0, false, true);
+ 0, false);
FR_SBUFF_IN_CHAR_RETURN(&our_out, '}');
break;
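Review bot: In the xlat_exists_resume hunk the dropped argument was `true`, so unlike the two regex hunks above it (which passed `false`) this call changes behaviour: an octets box in the attribute-name list is now inserted as raw bytes rather than as 0x hex. The comment just above says the untrusted inputs are escaped, but the e_rules argument on the preceding line is NULL, so nothing sanitises those bytes before the name is parsed; presumably the attribute-name parser rejects non-printable input, and that is now the only check. Either change the comment to `/* No escaping here: the concatenated name is validated by the attribute-name parser */` or pass escape rules that match what that parser accepts. xlat_exists_resume starts and ends outside the hunk.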
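Review bot: Octets members of a group printed by fr_value_box_print now reach the output as raw bytes, so when the caller passed NULL e_rules, NUL and control bytes are written straight into the sbuff, which is a problem if that output becomes a log line or debug string. Previously the `true` argument made this path print 0x hex regardless of e_rules, so the escape rules were not load-bearing for this case; now they are. Suggest `/* octets members are emitted raw; e_rules is all that keeps non-printable bytes out of the output */` on the call, plus a check that every caller printing groups for display passes escape rules. fr_value_box_print's body continues outside the hunk.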
@@ -5316,7 +5316,6 @@ ssize_t fr_value_box_print_quoted(fr_sbuff_t *out, fr_value_box_t const *data, f
* @param[in] flatten If true and we encounter a #FR_TYPE_GROUP,
* we concat the contents of its children together.
* If false, the contents will be cast to #FR_TYPE_STRING.
- * @param[in] printable Convert 'octets' to printable strings.
* @return
* - >=0 the number of bytes written to the sbuff.
* - <0 how many additional bytes we would have needed to
@@ -5324,7 +5323,7 @@ ssize_t fr_value_box_print_quoted(fr_sbuff_t *out, fr_value_box_t const *data, f
*/
ssize_t fr_value_box_list_concat_as_string(bool *tainted, fr_sbuff_t *sbuff, fr_value_box_list_t *list,
char const *sep, size_t sep_len, fr_sbuff_escape_rules_t const *e_rules,
- fr_value_box_list_action_t proc_action, bool flatten, bool printable)
+ fr_value_box_list_action_t proc_action, bool flatten)
{
fr_sbuff_t our_sbuff = FR_SBUFF(sbuff);
ssize_t slen;
@@ -5337,11 +5336,10 @@ ssize_t fr_value_box_list_concat_as_string(bool *tainted, fr_sbuff_t *sbuff, fr_
if (!flatten) goto print;
slen = fr_value_box_list_concat_as_string(tainted, &our_sbuff, &vb->vb_group, sep, sep_len, e_rules,
- proc_action, flatten, printable);
+ proc_action, flatten);
break;
case FR_TYPE_OCTETS:
- if (printable) goto print; /* even if !tainted */
/*
* Copy the raw string over, if necessary with escaping.
@@ -5573,7 +5571,7 @@ int fr_value_box_list_concat_in_place(TALLOC_CTX *ctx,
*/
if (fr_value_box_list_concat_as_string(&tainted, &sbuff, list, NULL, 0, NULL,
- FR_VALUE_BOX_LIST_REMOVE, flatten, false) < 0) {
+ FR_VALUE_BOX_LIST_REMOVE, flatten) < 0) {
fr_strerror_printf("Concatenation exceeded max_size (%zu)", max_size);
error:
switch (type) {
@@ -5596,7 +5594,7 @@ int fr_value_box_list_concat_in_place(TALLOC_CTX *ctx,
*/
if (fr_value_box_list_concat_as_string(&tainted, &sbuff, list, NULL, 0, NULL,
- proc_action, flatten, true) < 0) {
+ proc_action, flatten) < 0) {
fr_value_box_list_insert_head(list, head_vb);
goto error;
}
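Review bot: With `if (printable) goto print;` removed, FR_TYPE_OCTETS in fr_value_box_list_concat_as_string is always copied verbatim, yet the only documentation touched is the Doxygen block in the @@ -5316 hunk, which drops the @param and says nothing about what now happens to octets. Proposed line directly under the case label: `/* Octets are never hex-encoded here: bytes are copied verbatim, escaped only when e_rules is set */`, and a sentence in the Doxygen block stating that callers wanting a printable form must hex-encode themselves. Because a 0x form can no longer come out of this function, every caller that compared against or re-parsed the old hex output needs checking; the tests in this commit cover the xlat and condition paths but not other callers. The switch continues beyond the hunk.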
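Review bot: The calls in the @@ -5596 and @@ -5638 hunks that build an FR_TYPE_STRING result in fr_value_box_list_concat_in_place switched from the printable form to raw copying, so a string box produced from an octets list can now contain embedded NUL bytes. That is only safe if consumers of the resulting vb_strvalue use vb_length rather than strlen(); anything handing it to a NUL-terminated API will silently truncate. A comment at the call, `/* result may hold embedded NULs when the list contained octets; consumers must honour vb_length */`, and a test concatenating an octets value that begins with a zero byte into a string would pin this. fr_value_box_list_concat_in_place starts and ends outside these hunks.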
@@ -5638,7 +5636,7 @@ int fr_value_box_list_concat_in_place(TALLOC_CTX *ctx,
case FR_TYPE_STRING:
if (fr_value_box_list_concat_as_string(&tainted, &sbuff, list, NULL, 0, NULL,
- proc_action, flatten, true) < 0) goto error;
+ proc_action, flatten) < 0) goto error;
(void)fr_sbuff_trim_talloc(&sbuff, SIZE_MAX);
entry = out->entry;
diff --git a/src/lib/util/value.h b/src/lib/util/value.h
index 880a57c0882..233c3431357 100644
--- a/src/lib/util/value.h
+++ b/src/lib/util/value.h
@@ -1032,7 +1032,7 @@ ssize_t fr_value_box_from_str(TALLOC_CTX *ctx, fr_value_box_t *dst,
*/
ssize_t fr_value_box_list_concat_as_string(bool *tainted, fr_sbuff_t *sbuff, fr_value_box_list_t *list,
char const *sep, size_t sep_len, fr_sbuff_escape_rules_t const *e_rules,
- fr_value_box_list_action_t proc_action, bool flatten, bool printable)
+ fr_value_box_list_action_t proc_action, bool flatten)
CC_HINT(nonnull(2,3));
ssize_t fr_value_box_list_concat_as_octets(bool *tainted, fr_dbuff_t *dbuff, fr_value_box_list_t *list,
diff --git a/src/tests/keywords/truncation b/src/tests/keywords/truncation
index 43fa4f864c5..e95c98e4c03 100644
--- a/src/tests/keywords/truncation
+++ b/src/tests/keywords/truncation
@@ -78,7 +78,7 @@ if (!(%(length:%{Tmp-Octets-0}) == 4083)) {
}
# Octets are expanded to 8168 hexits
-if !("%{Tmp-Octets-0}" =~ /^0x([0-9a-f]+)$/) {
+if !("0x%{hex:%{Tmp-Octets-0}}" =~ /^0x([0-9a-f]+)$/) {
test_fail
}
diff --git a/src/tests/keywords/xlat-integer b/src/tests/keywords/xlat-integer
index c61b0b8717b..57b8a2b8d4e 100644
--- a/src/tests/keywords/xlat-integer
+++ b/src/tests/keywords/xlat-integer
@@ -38,7 +38,7 @@ if ("%(integer:%{Tmp-String-2})") {
# Octets - network order representation of a 4 byte octet string
&Tmp-Integer-1 := "%(integer:%{Tmp-Octets-0})"
-if (!("%{Tmp-Octets-0}" == "0x%{hex:%{Tmp-Integer-1}}")) {
+if (!(%{Tmp-Octets-0} == %{Tmp-Integer-1})) {
test_fail
}
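Review bot: The Doxygen block whose closing `*/` is the first context line of the value.h hunk lies outside it; if it mirrors the value.c comment it still documents a `printable` parameter that no longer exists, and Doxygen will warn on the mismatch. Mirror the value.c doc change here and add one sentence stating that octets values are emitted as raw bytes (escaped only via e_rules), so header readers get the new contract without opening value.c.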
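Review bot: The context line `# Octets are expanded to 8168 hexits` in the truncation test now describes the explicit `%{hex:...}` wrapper rather than a bare `%{Tmp-Octets-0}`, which after this commit yields raw bytes; a reader will take the comment as a statement about the default expansion. Suggest `# %{hex:...} expands the octets to 8168 hexits; a bare %{Tmp-Octets-0} now yields raw bytes, not hex`.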
@@ -49,10 +49,7 @@ if (!(&Tmp-Integer-1 == 959985457)) {
# Octets - network order representation of a 8 byte octet string
&Tmp-uint64-0 := "%(integer:%{Tmp-Octets-1})"
-#
-# Handle octets as strings for now.
-#
-if (!("%{Tmp-Octets-1}" == "0x%{hex:%{Tmp-uint64-0}}")) {
+if (!(%{Tmp-Octets-1} == %{Tmp-uint64-0})) {
test_fail
}
diff --git a/src/tests/keywords/xlat-octets b/src/tests/keywords/xlat-octets
index 3fb84c90b7d..a6a403722ab 100644
--- a/src/tests/keywords/xlat-octets
+++ b/src/tests/keywords/xlat-octets
@@ -18,7 +18,7 @@ if (!(&Tmp-Octets-0[0] == 0x0001020304050607)) {
test_fail
}
-if (!("%{Tmp-Octets-0[*]}" == '0x00010203040506070x0706050403020100')) {
+if (!("%{Tmp-Octets-0[*]}" == 0x00010203040506070706050403020100)) {
test_fail
}
diff --git a/src/tests/keywords/xlat-virtual-attr b/src/tests/keywords/xlat-virtual-attr
index a434c5edbdb..f75693c700a 100644
--- a/src/tests/keywords/xlat-virtual-attr
+++ b/src/tests/keywords/xlat-virtual-attr
@@ -22,7 +22,7 @@ if (!("%{Packet-Type}" == 'Access-Request')) {
# Response hasn't been set yet, but reply.Packet-Type
# is virtual, and always exists.
-if (!("%{Packet-Authentication-Vector}" == '0x00000000000000000000000000000000')) {
+if (!("%{Packet-Authentication-Vector}" == 0x00000000000000000000000000000000)) {
test_fail
}
diff --git a/src/tests/unit/xlat/cond_base.txt b/src/tests/unit/xlat/cond_base.txt
index 2e01602cced..41646f9fb8f 100644
--- a/src/tests/unit/xlat/cond_base.txt
+++ b/src/tests/unit/xlat/cond_base.txt
@@ -262,9 +262,10 @@ match ERROR offset 1: Failed parsing string as type 'uint32'
xlat_purify 127.0.0.1 == "127.0.0.1"
match true
-# LHS is IPaddr, RHS is string.
+# LHS is IPaddr, RHS is string (malformed IP address).
+# Condition code attempts to cast md4 hash to IP address resulting in an invalid comparison
xlat_purify 127.0.0.1 == "%{md4: 127.0.0.1}"
-match false
+match NULL
#
# Bare %{...} is allowed.
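Review bot: The expectation for `127.0.0.1 == "%{md4: 127.0.0.1}"` in cond_base.txt moves from `false` to `NULL`, and the new comment explains the failed cast but not what a NULL comparison means for a running policy, where the condition used to evaluate cleanly to false. If the unlang `if` treats NULL as false this is harmless; if it is treated as an evaluation error, a comparison between a typed attribute and a string that cannot be parsed as that type becomes a way to abort the request, and nothing in the hunk tests which it is. Suggest extending the comment with `# NULL means the purifier could not evaluate the comparison; the runtime must treat this as false rather than as an error`, together with a keywords test that exercises that path.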
@@ -351,12 +352,6 @@ match (&User-Name == "bob")
xlat_purify (&User-Name == %{md4: blah})
match (&User-Name == 0x544924d05ec4481925ba3749a096a0a7)
-xlat_purify (&User-Name == (string) %{md4: blah})
-match (&User-Name == "0x544924d05ec4481925ba3749a096a0a7")
-
-xlat_purify (&User-Name == "%{md4: blah}")
-match (&User-Name == "0x544924d05ec4481925ba3749a096a0a7")
-
# and without the double quotes.
xlat_purify (&User-Name == %{md4: blah})
match (&User-Name == 0x544924d05ec4481925ba3749a096a0a7)
@@ -794,4 +789,4 @@ xlat_purify (192.168.0.1 !== 192.168.0.2)
match true
count
-match 334
+match 330
diff --git a/src/tests/xlat/expr.txt b/src/tests/xlat/expr.txt
index fc97dbe4517..f27d3c498cb 100644
--- a/src/tests/xlat/expr.txt
+++ b/src/tests/xlat/expr.txt
@@ -1,3 +1,7 @@
+# this is "foo" + PRINTABLE version of &Packet-Authentication-Vector
+xlat_expr "foo%{Packet-Authentication-Vector}"
+match foo\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
+
xlat_expr 1 && 2
match 2
@@ -103,16 +107,12 @@ match 0x666f6f7f000001
# any escaping.
#
xlat_expr "foo" + (string)&Packet-Authentication-Vector
-match foo0x00000000000000000000000000000000
+match foo\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
# string + octets gets promoted to octets
xlat_expr "foo" + &Packet-Authentication-Vector
match 0x666f6f00000000000000000000000000000000
-# this is "foo" + PRINTABLE version of &Packet-Authentication-Vector
-xlat_expr "foo%{Packet-Authentication-Vector}"
-match foo0x00000000000000000000000000000000
-
# no escaping!
xlat_expr 'foo%{Packet-Authentication-Vector}'
match foo%{Packet-Authentication-Vector}
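Review bot: The comment added at the top of expr.txt, `# this is "foo" + PRINTABLE version of &Packet-Authentication-Vector`, was carried over from the block removed in the @@ -103 hunk, but the expectation under it changed from the hex form `foo0x00…` to raw `\000` bytes, so "PRINTABLE" now states the opposite of what the test asserts. Suggest `# this is "foo" + the raw bytes of &Packet-Authentication-Vector (octets are no longer hex-encoded when expanded)`. The `(string)` cast case in the @@ -103 hunk has the same drift: its expectation became raw bytes while the comment above it, only partly visible here, still discusses escaping.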