From: Alan T. DeKok
Date: Wed, 26 Mar 2025 20:10:56 +0000 (-0400)
Subject: add unsafe to dict_attr_flags_t
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5f7b6c31d90bb792b70d7586d97107bb7ccab2ce;p=thirdparty%2Ffreeradius-server.git

add unsafe to dict_attr_flags_t

which is mainly for Password.Cleartext. That is user-supplied input, and is unsafe no matter where it comes from.
---
diff --git a/share/dictionary/freeradius/dictionary.freeradius.internal.password b/share/dictionary/freeradius/dictionary.freeradius.internal.password
index 8b14b116f66..95d0a2b8820 100644
--- a/share/dictionary/freeradius/dictionary.freeradius.internal.password
+++ b/share/dictionary/freeradius/dictionary.freeradius.internal.password
@@ -18,9 +18,9 @@ FLAGS internal
 ATTRIBUTE Password 2004 tlv
 BEGIN Password
-ATTRIBUTE With-Header 1 string
+ATTRIBUTE With-Header 1 string unsafe
-ATTRIBUTE Cleartext 2 string secret
+ATTRIBUTE Cleartext 2 string secret,unsafe
 ATTRIBUTE Crypt 3 string
diff --git a/src/lib/util/dict.h b/src/lib/util/dict.h
index a9f19a9a518..e3885cec999 100644
--- a/src/lib/util/dict.h
+++ b/src/lib/util/dict.h
@@ -103,6 +103,8 @@ typedef struct {
  unsigned int secret : 1; //!< this attribute should be omitted in debug mode
+ unsigned int unsafe : 1; //!< e.g. Cleartext-Password
+
  /*
  * @todo - if we want to clean these fields up, make
  * "subtype" and "type_size" both 4-bit bitfields. That
diff --git a/src/lib/util/dict_tokenize.c b/src/lib/util/dict_tokenize.c
index 3386e2431f4..892264e479e 100644
--- a/src/lib/util/dict_tokenize.c
+++ b/src/lib/util/dict_tokenize.c
@@ -700,6 +700,8 @@ static int dict_flag_subtype(fr_dict_attr_t **da_p, char const *value, UNUSED fr
  return 0;
 }
+FLAG_FUNC(unsafe)
+
 /** A lookup function for dictionary attribute flags
  *
  */
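Review bot: In the Password dictionary hunk, `With-Header` gains `unsafe` but still lacks `secret`, while `Cleartext` carries both. If a With-Header value can wrap a cleartext password, which the shared `unsafe` marking suggests but this diff does not show, it would still appear in debug output; consider `ATTRIBUTE With-Header 1 string secret,unsafe`. `Crypt` and any siblings past the end of the hunk stay unmarked, so it is worth confirming that none of them is ever filled from user-supplied input.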
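Review bot: The comment on the new `unsafe` bit in dict.h gives only an example, so a reader cannot tell what code handling such an attribute is expected to do differently; the neighbouring `secret` bit states its effect. The example also uses the name `Cleartext-Password`, while the dictionary changed in this commit calls the attribute `Password.Cleartext`. Suggested wording, taken from the commit message: `//!< value is user-supplied input and is never safe, e.g. Password.Cleartext`. No reader of the flag is visible in this diff, so the comment should also say where it is, or will be, enforced. The struct starts and ends outside the hunk.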
@@ -720,7 +722,8 @@ static int CC_HINT(nonnull) dict_process_flag_field(dict_tokenize_ctx_t *dctx, c
  { L("precision"), { .func = dict_flag_precision, .needs_value = true } },
  { L("ref"), { .func = dict_flag_ref, .needs_value = true } },
  { L("secret"), { .func = dict_flag_secret } },
- { L("subtype"), { .func = dict_flag_subtype, .needs_value = true } }
+ { L("subtype"), { .func = dict_flag_subtype, .needs_value = true } },
+ { L("unsafe"), { .func = dict_flag_unsafe } },
  };
  static size_t dict_common_flags_len = NUM_ELEMENTS(dict_common_flags);
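Review bot: The new `{ L("unsafe"), { .func = dict_flag_unsafe } },` entry is registered in `dict_common_flags`, so the flag is accepted on any attribute, including a structural one such as the `tlv` parent `Password`, and nothing visible says whether children inherit it. `dict_flag_unsafe` comes from `FLAG_FUNC(unsafe)` in the previous hunk; the macro body is outside the diff, so presumably it only sets the bit. The dictionary change flags each leaf individually, so if that is the intended scope, state it on the entry, e.g. `/* unsafe: marks this attribute only; children of a tlv must be flagged individually */`, or reject the flag on structural types. The table and the enclosing function begin outside the hunk.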