Opened 2 years ago

Closed 15 months ago

#11686 closed defect (fixed)

Allows user to login with an empty password

Reported by: jeronimo.borque@…
Owned by: sandinak
Priority: normal
Component: DirectoryAuthPlugin
Severity: normal
Keywords:
Cc:
Trac Release:

Description

This seems to happen because _bind_dir does a bind to just the directory when no user AND password are specified, instead of using the user credentials to check them. I've patched it this way:

--- directoryauthplugin.ori/trunk/tracext/dirauth/auth.py       2014-01-11 19:39:26.000000000 -0300
+++ directoryauthplugin/trunk/tracext/dirauth/auth.py   2014-04-01 12:38:05.621041560 -0300
@@ -91,7 +91,13 @@
         """Checks the password against LDAP"""

         success = None
+
         msg = "User Login: %s" % str(user)
+
+        if not user or not password:
+          msg += " username or password can't be empty!"
+          self.log.info(msg)
+          return success

         user_dn = self._get_user_dn(user, NOCACHE)
         if user_dn:
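
Review bot: In the added guard, `return success` hands back the `None` assigned a few lines earlier, so the rejection depends on that initial value staying falsy; return an explicit failure value there instead. The three lines under `if not user or not password:` are indented two spaces where the rest of the method uses four, and the rejection is logged with `self.log.info`, which is easy to miss when reviewing failed logins; a warning level would suit it better.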

Attachments (0)

Change History (2)

comment:1 Changed 15 months ago by bebbo

In 14830:

refs #12068
refs #11686
refs #11361
refs #11307
refs #11304
refs #10878
refs #10715
refs #10667
refs #10632
refs #10631
refs #11015

various fixes

comment:2 Changed 15 months ago by bebbo

  • Resolution set to fixed
  • Status changed from new to closed

added the suggested fix
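
The fallback described in this ticket, as an added example that is not DirectoryAuthPlugin code: a constructed offline model in which a bind helper falls back to a service-account bind unless both user and password are given, shown with and without the guard from the patch. `StubDirectory`, `bind_dir`, both `check_password_*` functions and all DNs and passwords are hypothetical.

```python
# Added example: a constructed model of the behaviour described in the ticket.
# StubDirectory, bind_dir and both check_* functions are hypothetical names.

SERVICE_DN, SERVICE_PW = "cn=svc,dc=example,dc=org", "svc-secret"  # constructed
ALICE_DN, ALICE_PW = "uid=alice,dc=example,dc=org", "correct-horse"  # constructed


class StubDirectory:
    """Offline stand-in for an LDAP connection: DN -> password."""

    def __init__(self, accounts):
        self.accounts = accounts

    def bind(self, dn, password):
        return bool(password) and self.accounts.get(dn) == password


def bind_dir(directory, user_dn=None, password=None):
    """Bind as the user only when both values are present; otherwise fall
    back to the service account (the fallback the ticket describes)."""
    if user_dn and password:
        return directory.bind(user_dn, password)
    return directory.bind(SERVICE_DN, SERVICE_PW)


def check_password_before(directory, user_dn, password):
    # A successful bind is read as "password verified", even when the bind
    # that succeeded was the service-account fallback.
    return bind_dir(directory, user_dn, password)


def check_password_after(directory, user_dn, password):
    # Same guard as the ticket's patch, returning an explicit False.
    if not user_dn or not password:
        return False
    return bind_dir(directory, user_dn, password)


DIRECTORY = StubDirectory({SERVICE_DN: SERVICE_PW, ALICE_DN: ALICE_PW})

if __name__ == "__main__":
    for pw in ("", None, "wrong", ALICE_PW):
        print(repr(pw), check_password_before(DIRECTORY, ALICE_DN, pw),
              check_password_after(DIRECTORY, ALICE_DN, pw))
```

A regression test for the plugin can assert the same four cases (empty, missing, wrong and correct password) against `check_password`.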
