From: Alan T. DeKok Date: Tue, 8 Apr 2025 22:29:12 +0000 (-0400) Subject: we don't allow unresolved xlats X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3c7df6ab464db0abf7bd2ea1db30642bf0f97f08;p=thirdparty%2Ffreeradius-server.git we don't allow unresolved xlats it helps to return errors when there are error cases. Disallow "foo." for list existence. Arguably "foo.[*]" is better. the xlat condition / expression parser already replaces a bare existence check with a %exists() wrapper. So the run-time code doesn't need to expand the entire thing. --- diff --git a/src/lib/unlang/compile.c b/src/lib/unlang/compile.c index 185d56a173f..4bb99e6ffde 100644 --- a/src/lib/unlang/compile.c +++ b/src/lib/unlang/compile.c @@ -3554,8 +3554,9 @@ static unlang_t *compile_if_subsection(unlang_t *parent, unlang_compile_t *unlan .attr = { .dict_def = xr_rules.tr_rules->dict_def, .list_def = request_attr_request, - .allow_unresolved = true, - .allow_unknown = true, + .allow_unresolved = false, + .allow_unknown = false, + .allow_wildcard = true, }, .literals_safe_for = unlang_ctx->rules->literals_safe_for, }; @@ -3584,6 +3585,8 @@ static unlang_t *compile_if_subsection(unlang_t *parent, unlang_compile_t *unlan return NULL; } + fr_assert(!xlat_needs_resolving(head)); + is_truthy = xlat_is_truthy(head, &value); /* diff --git a/src/lib/unlang/xlat_tokenize.c b/src/lib/unlang/xlat_tokenize.c index e5b6cd1ce65..ed099b02532 100644 --- a/src/lib/unlang/xlat_tokenize.c +++ b/src/lib/unlang/xlat_tokenize.c @@ -1950,6 +1950,7 @@ int xlat_resolve(xlat_exp_head_t *head, xlat_res_rules_t const *xr_rules) fr_strerror_printf_push("Failed resolving attribute: %c%s%c", fr_token_quote[node->quote], node->fmt, fr_token_quote[node->quote]); } + return -1; } xlat_flags_merge(&our_flags, &node->flags); @@ -1957,6 +1958,8 @@ int xlat_resolve(xlat_exp_head_t *head, xlat_res_rules_t const *xr_rules) head->flags = our_flags; + fr_assert(!head->flags.needs_resolving); + return 0; } 
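Review bot: The three flags in the `.attr` initialiser (first compile.c hunk) change what an `if` condition may reference, but nothing at the site says why wildcards stay allowed while unresolved and unknown attributes do not. A short comment above them would keep a later edit from loosening the rules again, for example `/* Conditions must resolve fully at compile time; only "list.[*]" existence checks may use a wildcard. */`. Conditions typically gate policy decisions, so configurations that relied on unknown attributes in `if` will presumably now be rejected at compile time, and that is worth stating in the upgrade notes. compile_if_subsection starts and ends outside this hunk.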
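Review bot: The new `fr_assert(!xlat_needs_resolving(head));` ahead of `xlat_is_truthy()` (second compile.c hunk) is the only check on this path, so in a build where fr_assert compiles to nothing an unresolved expression would still be evaluated for truthiness. If that state can be reached through a resolver bug and is not strictly impossible, an explicit failure is safer, e.g. `if (!fr_cond_assert(!xlat_needs_resolving(head))) return NULL;`, matching the `return NULL;` just above. Whether `head` needs releasing on that path is not visible, because the function continues outside the hunk.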
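Review bot: The added `return -1;` after the "Failed resolving attribute" message (first xlat_tokenize.c hunk) exits xlat_resolve before `head->flags = our_flags;` runs, so on failure `head` keeps whatever flags it had on entry. That should be documented so callers discard the expression and do not reuse it: `/* On error head->flags is not updated; the caller must treat head as invalid. */`. The commit also only deletes the `session-state.` cases from the keyword test, so nothing visible exercises the new failure path; a case that expects the resolve error would pin it. The enclosing block starts outside the hunk.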
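Review bot: `fr_assert(!head->flags.needs_resolving);` before `return 0;` (second xlat_tokenize.c hunk) is unconditional, yet `our_flags` is merged from every node and the `allow_unresolved` rule still exists; the compile.c hunk only turns it off for `if` conditions. If any other caller of xlat_resolve still opts in to unresolved nodes, a successful return with the flag set would trip this assertion in debug builds. Either confirm no such caller remains or record the invariant next to the assert: `/* No caller may request unresolved xlats any more; anything unresolved returned -1 above. */`.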
diff --git a/src/tests/keywords/list-existence b/src/tests/keywords/list-existence index 57c36d8d817..309abade2a6 100644 --- a/src/tests/keywords/list-existence +++ b/src/tests/keywords/list-existence @@ -1,24 +1,12 @@ # # List existence checks are "is the list empty" checks. # -if (session-state.) { - test_fail -} - if (session-state.[*]) { test_fail } -if (session-state.) { - test_fail -} - session-state.User-Name := 'foo' -if (!session-state.) { - test_fail -} - if (!session-state.[*]) { test_fail }