- Remove all synchronous expansions. data, uri, username, password are now passed in as a call_envs
- Perform uri escaping within call_env evaluation for module section calls
- Split config items into request/response sections, and document which config items can't be used as xlats
- Remove legacy uri expansion and escaping
- Have test json-api endpoints echo back headers, args, and body data, and fix up xlat tests to check what we sent over
- Start of response header parsing and output
- Support taking body data, and headers, from ANY tmpl type not just xlats
Make fr_uri_escape work as a value box escape function
No major changes here, we just record the current uri_part in a new fr_uri_escape_ctx_t struct. The original function is retained as fr_uri_escape_list which processes a list of value boxes.
In fr_value_box_from_substr(), the first switch on dst_type handles
the FR_TYPE_COMBO_IP_{ADDR, PREFIX} cases, so that dst_type can't
have those values when the second switch on dst_type is executed.
Nick Porter [Thu, 18 Jan 2024 17:03:06 +0000 (17:03 +0000)]
sqlite3_prepare functions prepare only the next query in the string
and return a pointer to the character after what was parsed - so this
provides a more robust method of parsing the SQL to execute than simply
looking for ';' followed by '\n' or '\0'.
E.g. if there are comments which end the line with a ';' that fails with
the old parsing.
In addition, if there were ';' in data inside a string, the previous
parsing would have thrown away the portion of the string before that.
James Jones [Tue, 7 Nov 2023 18:54:54 +0000 (12:54 -0600)]
Tweak mod_read() range check on packet code (CID #1419883?)
buffer[0] is used as index into fr_radius_packet_names[], so
allowing FR_PACKET_CODE_MAX will fall off the end. This may
placate coverity, but I believe it is needed in any case.
James Jones [Wed, 8 Nov 2023 22:29:49 +0000 (16:29 -0600)]
Make IN_RANGE_INTEGER_*() nontrivial iff it can actually fail (CID #1445201)
The range check can only fail if PTRDIFF_MAX < INT64_MAX. Since
that's not the case for the Coverity run, you get a defect of the
result_independent_of_operands flavor, just like the range checks
for fr_sbuff_out_[u]int64() used to.
The floating point version, I believe, will notice +/-infinity
and denormalized numbers, so Coverity wouldn't complain about it.
James Jones [Fri, 12 Jan 2024 21:30:08 +0000 (15:30 -0600)]
Attempt to fix test_condition_levels_max() issue
test_condition_levels_max() seemingly randomly fails the check for
preq_a->{completed, freed} being true. It happens to work locally,
so submitting to try to provoke it again.
Previous trunk tests needed virtual time to pass to work, so we're
trying that here.
James Jones [Mon, 27 Nov 2023 20:19:23 +0000 (14:19 -0600)]
Annotate return when exfile_open() fails (CID #1206498, #1206499)
Unfortunately, this is in the callers of exfile_open(), not
exfile_open() itself. Coverity doesn't notice that the mutex
is unlocked in exfile_open() if it fails, and we haven't been
able to model it, hence the annotations.
James Jones [Mon, 27 Nov 2023 19:52:00 +0000 (13:52 -0600)]
Annotate missing unlock in connection_spawn() (CID #1414434)
Coverity insists on unlocking mutexes in the same function
invocation the lock occurs in, but there are times when you
want exclusive use of a resource and thus lock it on allocation
and free on release, hence the annotation.
James Jones [Thu, 16 Nov 2023 20:42:44 +0000 (14:42 -0600)]
Revise a couple of uses of FR_TYPE_STRUCTURAL
FR_TYPE_STRUCTURAL has a name of the same form as the values of
fr_type_t, but is carefully #defined so it can appear in a switch
statement looking like a single value but underneath expanding to
multiple cases, making some of its uses counterintuitive.
Recent versions of OpenSSL appear to create keys with owner-only
permissions. Allow owning group to read the created default files
in raddb/certs, so that they stay the same as with older OpenSSL, and
that the server can read its key, and the p12 / pem files.
projects / thirdparty / freeradius-server.git / log
