Opened 5 months ago

#11686 new defect

Allows user to login with an empty password

Reported by: jeronimo.borque@… Owned by: sandinak
Priority: normal Component: DirectoryAuthPlugin
Severity: normal Keywords:
Cc: Trac Release:


This seems to happen because _bind_dir does a bind to just the directory when no user AND password are specified, instead of using the user's credentials to check them.
I've patched it this way:

--- directoryauthplugin.ori/trunk/tracext/dirauth/       2014-01-11 19:39:26.000000000 -0300
+++ directoryauthplugin/trunk/tracext/dirauth/   2014-04-01 12:38:05.621041560 -0300
@@ -91,7 +91,13 @@
         """Checks the password against LDAP"""

         success = None
         msg = "User Login: %s" % str(user)
+        if not user or not password:
+          msg += " username or password can't be empty!"
+          return success

         user_dn = self._get_user_dn(user, NOCACHE)
         if user_dn:
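
Review bot: The added early return hands back `success`, which is still `None` at that point, and the text appended to `msg` is not used anywhere before the return in the lines shown. Return an explicit `False` and log the message before returning, or drop the `msg +=` line. The body of the new `if` is indented by two spaces where the surrounding code uses four. The hunk header also declares `+91,13` while only three added lines appear over seven lines of context, and the file headers name the `tracext/dirauth/` directory rather than a file, so the patch should be regenerated against the actual file to confirm it is complete.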

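
The fallthrough described in the report, modelled as an added example (not code from DirectoryAuthPlugin or from the reporter): a password check that accepts any successful bind, beside one that rejects empty input as the patch does and additionally confirms which identity the bind used. `FakeDirectory`, `bind_dir`, the `check_password_*` functions and `sample_directory` are hypothetical names, and the accounts are constructed sample data.

```python
# Added illustration, not DirectoryAuthPlugin code. All names are hypothetical.

class BindError(Exception):
    """Raised when the directory rejects a bind."""


class FakeDirectory:
    """In-memory stand-in for an LDAP server (constructed sample data)."""

    def __init__(self, accounts, service_dn, service_pw):
        self.accounts = dict(accounts)
        self.accounts[service_dn] = service_pw
        self.service = (service_dn, service_pw)

    def simple_bind(self, dn, password):
        if dn not in self.accounts or self.accounts[dn] != password:
            raise BindError("invalid credentials for %s" % dn)
        return dn  # identity the connection is now bound as


def bind_dir(directory, user_dn=None, password=None):
    """Fallthrough from the ticket: user bind only if BOTH values are set."""
    if user_dn and password:
        return directory.simple_bind(user_dn, password)
    return directory.simple_bind(*directory.service)  # service bind instead


def check_password_before(directory, user_dn, password):
    """Treats any successful bind as proof of the user's password."""
    try:
        bind_dir(directory, user_dn, password)
        return True
    except BindError:
        return False


def check_password_after(directory, user_dn, password):
    """Rejects empty input, then requires the bind to be the user's own."""
    if not user_dn or not password:
        return False
    try:
        return bind_dir(directory, user_dn, password) == user_dn
    except BindError:
        return False


def sample_directory():
    """Constructed accounts for the demonstration."""
    return FakeDirectory({"uid=alice,dc=example,dc=org": "s3cret"},
                         "cn=trac,dc=example,dc=org", "svc-pw")
```

The identity comparison in `check_password_after` goes beyond the posted patch: it keeps the check failing closed if some other code path reaches the bind with a missing value.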