From: Nick Porter
Date: Thu, 18 Jan 2024 10:06:16 +0000 (+0000)
Subject: Ensure values are strings before attempting SQL escaping
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6f33e22bfd995ad712f8a3d881f6802b93f52b8;p=thirdparty%2Ffreeradius-server.git
Ensure values are strings before attempting SQL escaping
---
diff --git a/src/modules/rlm_sql/rlm_sql.c b/src/modules/rlm_sql/rlm_sql.c
index b7b957c80d9..3c4df2eef29 100644
--- a/src/modules/rlm_sql/rlm_sql.c
+++ b/src/modules/rlm_sql/rlm_sql.c
@@ -200,10 +200,16 @@ static int sql_xlat_escape(request_t *request, fr_value_box_t *vb, void *uctx)
 handle = fr_pool_connection_get(inst->pool, request);
 if (!handle) {
+ error:
 fr_value_box_clear_value(vb);
 return -1;
 }
+ /*
+ * Escaping functions work on strings - ensure the box is a string
+ */
+ if ((vb->type != FR_TYPE_STRING) && (fr_value_box_cast_in_place(vb, vb, FR_TYPE_STRING, NULL) < 0)) goto error;
+
 /*
 * Maximum escaped length is 3 * original - if every character needs escaping
 */
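Review bot: The new `goto error` on cast failure jumps into the `if (!handle)` block after `fr_pool_connection_get()` has already succeeded, and that block only clears `vb` and returns -1, so on this path the pooled connection appears never to be released. Repeated cast failures would then drain the SQL connection pool, which matters if the value being escaped is derived from request data. Either run the type check before acquiring the handle, or release it before bailing out, e.g. `fr_pool_connection_release(inst->pool, request, handle);` ahead of the jump. The rest of sql_xlat_escape lies outside the hunk, so confirm how the later exit paths release `handle` and match them; a label placed inside an `if` body is also easy to misread, and a cleanup label at the end of the function would be clearer.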