From: Alan T. DeKok
Date: Tue, 8 Sep 2009 11:56:54 +0000 (+0200)
Subject: Be less forgiving about the allowed operators.
X-Git-Tag: release_2_1_7~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=86af1937d6b655d2788fee46cfc83390a675adb8;p=thirdparty%2Ffreeradius-server.git
Be less forgiving about the allowed operators. If they're not a "foo = bar" type of operator, then return an error
---
diff --git a/src/modules/rlm_sql/sql.c b/src/modules/rlm_sql/sql.c
index 894c1e53a93..e5e15bc0085 100644
--- a/src/modules/rlm_sql/sql.c
+++ b/src/modules/rlm_sql/sql.c
@@ -375,8 +375,13 @@ int sql_userparse(VALUE_PAIR ** first_pair, SQL_ROW row)
 if (row[4] != NULL && row[4][0] != '\0') {
 ptr = row[4];
 operator = gettoken(&ptr, buf, sizeof(buf));
- }
- if (operator <= T_EOL) {
+ if ((operator < T_OP_ADD) ||
+ (operator > T_OP_CMP_EQ)) {
+ radlog(L_ERR, "rlm_sql: Invalid operator \"%s\" for attribute %s", row[4], row[2]);
+ return -1;
+ }
+
+ } else {
 /*
 * Complain about empty or invalid 'op' field
 */
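Review bot: The new validity test `(operator < T_OP_ADD) || (operator > T_OP_CMP_EQ)` depends on the numeric ordering of the token enum, which is not visible in this hunk. A comment above it such as `/* accept only T_OP_ADD..T_OP_CMP_EQ; relies on the token enum order */` would make that dependency explicit for anyone who later edits the token list. The context comment in the `else` branch still reads `Complain about empty or invalid 'op' field`, although an invalid operator now returns -1 before reaching it, so it should mention the empty case only. gettoken() appears to consume only the first token of row[4], so text trailing a valid operator would presumably still be accepted; that is worth confirming, since these rows drive check/reply policy. The body of sql_userparse starts and ends outside the hunk.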