
Request #13160 start() is inflexible
Submitted: 2008-02-21 01:00 UTC
From: shallot
Assigned: mbretter
Status: Closed
Package: Auth_RADIUS (version 1.0.5)
PHP Version: Irrelevant
OS: Linux
Roadmaps: (Not assigned)


 [2008-02-21 01:00 UTC] shallot (Josip Rodin)
Description:

The putStandardAttributes() function, invariably called by start(), is hardcoding a set of attributes into every request, some of which may not be useful for all users. For example, it's setting the Service-Type attribute to Framed-User, whereas people might reasonably wish to use Authenticate-Only. To do that now, one has to avoid start() and instead write one's own version, which is pointless and repetitive.

Please make the putStandardAttributes() function optional, or allow its attribute values to be changed via parameters or something like that.

Comments

 [2008-02-21 02:34 UTC] shallot (Josip Rodin)
Another couple of problems I noticed in putStandardAttributes():

It sets RADIUS_NAS_IDENTIFIER to the $_SERVER['HTTP_HOST'] variable, which could be tainted as it contains the Host: header value in the request. It would be much better to not rely on those kinds of things and avoid passing rogue user input to the RADIUS server, and instead set RADIUS_NAS_IP_ADDRESS using the value of $_SERVER['SERVER_ADDR'] (if any; otherwise 127.0.0.1).

It also sets RADIUS_CALLING_STATION_ID to the $_SERVER['REMOTE_HOST'] variable, which is just wrong, because it depends on the web server doing a reverse DNS lookup on $_SERVER['REMOTE_ADDR'], and people generally don't do that any more (it's expensive). The code should just use the latter variable instead.
 [2008-04-13 10:35 UTC] mbretter (Michael Bretterklieber)
putStandardAttributes may now be turned off by setting the useStandardAttributes property to false.
 [2008-04-13 10:35 UTC] mbretter (Michael Bretterklieber)
Thank you for your bug report. This issue has been fixed in the latest released version of the package, which you can download at http://pear.php.net/get/Auth_RADIUS
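
Added example (not part of the report and not code from the Auth_RADIUS package): one way a caller could combine the useStandardAttributes switch with the attribute choices suggested in the comments above, so that neither the Host: header nor a reverse-DNS name reaches the RADIUS server. Assumptions: PHP 7+ with the PECL radius extension (for the RADIUS_* constants), PAP authentication, and a placeholder server host and shared secret; the helper names ip_or_default() and radius_check() are hypothetical.

```php
<?php
// Added example; helper names, host and secret are hypothetical placeholders.
require_once 'Auth/RADIUS.php';

// Return $value only if it is a literal IP address, otherwise $fallback.
function ip_or_default($value, $fallback, $flags = 0)
{
    $ok = is_string($value) && filter_var($value, FILTER_VALIDATE_IP, $flags) !== false;
    return $ok ? $value : $fallback;
}

// PAP check that sends only attributes chosen here. $server is $_SERVER.
// Returns true on Access-Accept, false on reject; throws on other failures.
function radius_check($user, $pass, array $server)
{
    $rauth = new Auth_RADIUS_PAP($user, $pass);
    $rauth->addServer('radius.example.test', 0, 'PLACEHOLDER_SECRET');
    $rauth->useStandardAttributes = false; // start() skips putStandardAttributes()

    if (!$rauth->start()) {
        throw new RuntimeException('RADIUS start: ' . $rauth->getError());
    }

    // Service-Type as requested in the report, instead of Framed-User.
    $rauth->putAttribute(RADIUS_SERVICE_TYPE, RADIUS_AUTHENTICATE_ONLY);

    // NAS-IP-Address is an IPv4 field: SERVER_ADDR if usable, else 127.0.0.1.
    // HTTP_HOST (client-supplied) is never read.
    $nasIp = ip_or_default($server['SERVER_ADDR'] ?? null, '127.0.0.1', FILTER_FLAG_IPV4);
    $rauth->putAttribute(RADIUS_NAS_IP_ADDRESS, $nasIp, 'addr');

    // Calling-Station-Id from REMOTE_ADDR, not REMOTE_HOST; omitted when
    // absent or malformed (for example when run from the CLI).
    $peer = ip_or_default($server['REMOTE_ADDR'] ?? null, null);
    if ($peer !== null) {
        $rauth->putAttribute(RADIUS_CALLING_STATION_ID, $peer);
    }

    $result = $rauth->send();
    $rauth->close();
    if (PEAR::isError($result)) {
        throw new RuntimeException('RADIUS send: ' . $result->getMessage());
    }
    return $result === true;
}
```

Call it as radius_check($username, $password, $_SERVER) from the login handler.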