From: Alan T. DeKok
Date: Mon, 7 Jun 2021 13:15:48 +0000 (-0400)
Subject: enforce that 'query' can only be SELECT
X-Git-Tag: release_3_0_23~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2206d998c67ddb43c7510f0c8840e08b49d042b;p=thirdparty%2Ffreeradius-server.git
enforce that 'query' can only be SELECT
---
diff --git a/src/modules/rlm_sql_map/rlm_sql_map.c b/src/modules/rlm_sql_map/rlm_sql_map.c
index e0c0c7adc1d..5443cf3c4f0 100644
--- a/src/modules/rlm_sql_map/rlm_sql_map.c
+++ b/src/modules/rlm_sql_map/rlm_sql_map.c
@@ -63,7 +63,7 @@ typedef struct rlm_sql_map_t {
 static const CONF_PARSER module_config[] = {
 { "sql_module_instance", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_REQUIRED, rlm_sql_map_t, sql_instance_name), NULL },
 { "multiple_rows", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_sql_map_t, multiple_rows), "no" },
- { "query", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_XLAT | PW_TYPE_REQUIRED, rlm_sql_map_t, query), NULL },
+ { "query", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_XLAT | PW_TYPE_REQUIRED | PW_TYPE_NOT_EMPTY, rlm_sql_map_t, query), NULL },
 CONF_PARSER_TERMINATOR
 };
@@ -302,10 +302,30 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance)
 return -1;
 }
+ return 0;
+}
+
+static int mod_bootstrap(CONF_SECTION *conf, void *instance)
+{
+ rlm_sql_map_t *inst = instance;
+ char const *p = inst->query;
+
+ if (!p || !*p) {
+ cf_log_err_cs(conf, "'query' cannot be empty");
+ return -1;
+ }
+
+ while (isspace((int) *p)) p++;
+
+ if (strncasecmp(p, "select", 6) != 0) {
+ cf_log_err_cs(conf, "'query' MUST be 'SELECT ...', not 'INSERT' or 'UPDATE'");
+ return -1;
+ }
 return 0;
 }
+
 /** Detach from the SQL server and cleanup internal state.
 *
 */
@@ -384,6 +404,7 @@ module_t rlm_sql_map = {
 .type = RLM_TYPE_THREAD_SAFE,
 .inst_size = sizeof(rlm_sql_map_t),
 .config = module_config,
+ .bootstrap = mod_bootstrap,
 .instantiate = mod_instantiate,
 .detach = mod_detach,
 .methods = {
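Review bot: In the new `mod_bootstrap`, `isspace((int) *p)` passes a plain `char`, which can be negative where `char` is signed, and a negative value other than EOF is undefined behaviour for the <ctype.h> functions; the usual form is `while (isspace((unsigned char) *p)) p++;`. Separately, the `strncasecmp(p, "select", 6)` test looks only at the first six characters of the configured template, so it catches a mistyped INSERT or UPDATE but does not by itself make the statement read-only. Nothing after the leading keyword is examined, and since the item is `PW_TYPE_XLAT` the text is presumably expanded again per request. I would say so in a comment above the function, for example `/* Sanity check on the configured template only; the SQL account used by this module should still be restricted to SELECT. */`, so the check is not mistaken for an enforcement boundary.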