uspot: don't publish radius secrets

Now that accounting.uc no longer needs the per-client radius server information, there is no reason to publish these sensitive secrets in cleartext in spotfiler data. Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
2025-10-29 17:42:41 +00:00 · 2023-05-24 19:58:25 +02:00
parent 395e98dc66
commit e561f4a82e
2 changed files with 7 additions and 0 deletions
--- a/feeds/ucentral/uspot/files/usr/share/uspot/handler-uam.uc
+++ b/feeds/ucentral/uspot/files/usr/share/uspot/handler-uam.uc
@@ -32,6 +32,9 @@ function auth_client(ctx) {
 	if (radius['access-accept']) {
 		if (ctx.config.final_redirect_url == 'uam')
 			ctx.query_string.userurl = portal.uam_url(ctx, 'success');
+
+		delete payload.server;
+		delete payload.acct_server;	// don't publish server secrets
 		portal.allow_client(ctx, { radius: { reply: radius.reply, request: payload } } );

 		payload = portal.radius_init(ctx);
--- a/feeds/ucentral/uspot/files/usr/share/uspot/handler.uc
+++ b/feeds/ucentral/uspot/files/usr/share/uspot/handler.uc
@@ -29,6 +29,8 @@ function request_start(ctx) {
 			if (radius['access-accept']) {
 				if (ctx.config.final_redirect_url == 'uam')
 					ctx.query_string.userurl = portal.uam_url(ctx, 'success');
+				delete payload.server;
+				delete payload.acct_server;	// don't publish radius secrets
 				portal.allow_client(ctx, { radius: { reply: radius.reply, request: payload } } );
 				return;
 			}
@@ -118,6 +120,8 @@ function request_radius(ctx) {

        let radius = portal.radius_call(ctx, payload);
 	if (radius['access-accept']) {
+		delete payload.server;
+		delete payload.acct_server;	// don't publish radius secrets
                portal.allow_client(ctx, { username: ctx.form_data.username, radius: { reply: radius.reply, request: payload } } );
                return;
        }