Opened 4 years ago

Closed 3 years ago

#11686 closed defect (fixed)

Allows user to login with an empty password

Reported by: jeronimo.borque@…
Owned by: branson
Priority: normal
Component: DirectoryAuthPlugin
Severity: normal
Keywords:
Cc:
Trac Release:


This seems to happen because _bind_dir does a bind to just the directory when no user AND password are specified instead of using the user credentials to check them. I've patched it this way:

--- directoryauthplugin.ori/trunk/tracext/dirauth/       2014-01-11 19:39:26.000000000 -0300
+++ directoryauthplugin/trunk/tracext/dirauth/   2014-04-01 12:38:05.621041560 -0300
@@ -91,7 +91,13 @@
         """Checks the password against LDAP"""

         success = None
         msg = "User Login: %s" % str(user)
+        if not user or not password:
+          msg += " username or password can't be empty!"
+          return success

         user_dn = self._get_user_dn(user, NOCACHE)
         if user_dn:
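
Review bot: the early return in the added `if not user or not password:` block returns `success`, which is still `None` at that point, and the text appended to `msg` is not logged or otherwise used before the return in the lines shown. Returning an explicit `False` and logging the message before returning would make the rejection unambiguous to callers and visible in the log. The added block is also indented by two spaces where the surrounding code uses four.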

Attachments (0)

Change History (2)

comment:1 Changed 3 years ago by bebbo

In 14830:

refs #12068
refs #11686
refs #11361
refs #11307
refs #11304
refs #10878
refs #10715
refs #10667
refs #10632
refs #10631
refs #11015

various fixes

comment:2 Changed 3 years ago by bebbo

Resolution: fixed
Status: new → closed

added the suggested fix
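
The failure mode described in this ticket and the effect of the suggested guard, as an added example that is not DirectoryAuthPlugin code and not part of the original ticket. `FakeDirectory`, `bind_dir` and both `check_password_*` functions are hypothetical stand-ins, the user data is constructed, and the fallback in `bind_dir` is an assumption modelled on the ticket's description of `_bind_dir`.

```python
"""Added illustration: constructed model, not DirectoryAuthPlugin code."""


class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP server (no network)."""

    def __init__(self, users):
        self._users = users  # constructed sample data: DN -> password

    def find_dn(self, user):
        dn = "uid=%s,ou=people,dc=example,dc=org" % user
        return dn if dn in self._users else None

    def simple_bind(self, dn=None, password=None):
        if dn is None and password is None:
            return True  # the directory's own (service/anonymous) bind
        return self._users.get(dn) == password


def bind_dir(directory, user_dn=None, password=None):
    """Hypothetical helper: falls back to the directory bind when either
    credential is missing, as the ticket describes for _bind_dir."""
    if user_dn and password:
        return directory.simple_bind(user_dn, password)
    return directory.simple_bind()


def check_password_unguarded(directory, user, password):
    """Behaviour before the fix: the bind result is taken as the verdict."""
    user_dn = directory.find_dn(user)
    return bool(user_dn) and bind_dir(directory, user_dn, password)


def check_password_guarded(directory, user, password):
    """Behaviour with the ticket's guard: reject empty input before binding."""
    if not user or not password:
        return False
    user_dn = directory.find_dn(user)
    return bool(user_dn) and bind_dir(directory, user_dn, password)


DIRECTORY = FakeDirectory({"uid=alice,ou=people,dc=example,dc=org": "s3cret"})

if __name__ == "__main__":
    for pw in ("s3cret", "wrong", "", None):
        print(repr(pw), check_password_unguarded(DIRECTORY, "alice", pw),
              check_password_guarded(DIRECTORY, "alice", pw))
```

The same four inputs make a useful regression test for any password check that sits in front of a directory bind: correct, wrong, empty string and `None`.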
