Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 1103 by phofstetter: ActiveDirectory: email-address issue /  

While trying to get ActiveDirectory integration working, I noticed that get_or_create_user failed with a MySQL syntax error.

Enabling query logging on the server showed this being sent to MySQL:

INSERT INTO `auth_user` (`username`, `first_name`, `last_name`, `email`,  
`is_staff`, `is_active`, `is_superuser`, `last_login`, `date_joined`)  
VALUES ('pilif', 'Philip',
'Hofstetter', ("''",), '!', 0, 1, 0, '2009-05-04  
10:15:23', '2009-05-04

Aside from the fact that the email address isn't valid, shouldn't the value be escaped before being sent to the database?

While this is certainly hard to exploit, sending non-escaped SQL leading to syntax errors to the database feels wrong.

Also, what could cause this kind of query to be generated?

The AD is a default AD domain with the addition of the Exchange 2007 schema  

What version are you running?
1.0rc1 (updating from beta got me to rc1 - clean installing rc1 resulted in  

What steps will reproduce the problem?
1. configure AD integration
2. try to login

What is the expected output? What do you see instead?

Expected: user is logged in.
Actual: User is not logged in. No information in error log, but error message posted above in MySQL query log.

What operating system are you using? What browser?

Ubuntu Hardy. Firefox and Safari - doesn't matter though

