
Opened 5 months ago

#11686 new defect

Allows user to login with an empty password

Reported by: jeronimo.borque@…
Owned by: sandinak
Priority: normal
Component: DirectoryAuthPlugin
Severity: normal
Keywords:
Cc:
Trac Release:

Description

This seems to happen because _bind_dir does a bind to just the directory when no user AND password are specified, instead of using the user's credentials to check them.
I've patched it this way:

--- directoryauthplugin.ori/trunk/tracext/dirauth/auth.py       2014-01-11 19:39:26.000000000 -0300
+++ directoryauthplugin/trunk/tracext/dirauth/auth.py   2014-04-01 12:38:05.621041560 -0300
@@ -91,7 +91,13 @@
         """Checks the password against LDAP"""

         success = None
+
         msg = "User Login: %s" % str(user)
+
+        if not user or not password:
+          msg += " username or password can't be empty!"
+          self.log.info(msg)
+          return success

         user_dn = self._get_user_dn(user, NOCACHE)
         if user_dn:
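
Review bot: the empty-credential guard is added only in this password check, while the description places the fault in _bind_dir, so any other caller that reaches _bind_dir without a user and password would still get the directory-level bind. Consider rejecting empty credentials inside _bind_dir as well, or documenting that this check is the only path to it. The guard also ends with `return success`, and `success` is still None at that point; if the caller treats None differently from False, return False explicitly so an empty password is an unambiguous rejection. Minor: the lines under `if not user or not password:` are indented two spaces where the surrounding code uses four, and the added blank line after `success = None` is unrelated whitespace.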

Attachments (0)

Change History (0)
