
Opened 3 years ago

Closed 21 months ago

#11686 closed defect (fixed)

Allows user to login with an empty password

Reported by: jeronimo.borque@… Owned by: branson
Priority: normal Component: DirectoryAuthPlugin
Severity: normal Keywords:
Cc: Trac Release:

Description

This seems to happen because _bind_dir does a bind to just the directory when no user AND password are specified instead of using the user credentials to check them. I've patched it this way:

--- directoryauthplugin.ori/trunk/tracext/dirauth/auth.py       2014-01-11 19:39:26.000000000 -0300
+++ directoryauthplugin/trunk/tracext/dirauth/auth.py   2014-04-01 12:38:05.621041560 -0300
@@ -91,7 +91,13 @@
         """Checks the password against LDAP"""

         success = None
+
         msg = "User Login: %s" % str(user)
+
+        if not user or not password:
+          msg += " username or password can't be empty!"
+          self.log.info(msg)
+          return success

         user_dn = self._get_user_dn(user, NOCACHE)
         if user_dn:
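
Review bot: The new guard exits with `return success` while `success` is still `None` from the line above, so the rejection is only implicit; returning `False` explicitly in the `if not user or not password:` branch would make the failed check unambiguous to any caller that tells `None` apart from `False`. The body of that `if` is indented two spaces where the surrounding code uses four, and should be realigned to match. The rejection is logged with `self.log.info`; a warning level may be more suitable for a refused login, since empty-credential attempts are worth seeing in the log. The two added blank lines around `msg = ...` are unrelated to the fix and can be dropped from the patch.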

Attachments (0)

Change History (2)

comment:1 Changed 21 months ago by bebbo

In 14830:

refs #12068
refs #11686
refs #11361
refs #11307
refs #11304
refs #10878
refs #10715
refs #10667
refs #10632
refs #10631
refs #11015

various fixes

comment:2 Changed 21 months ago by bebbo

Resolution: fixed
Status: new → closed

added the suggested fix
