Hi, while playing with my own status.net installation I found out that I can log into the web frontend with /any/ valid account as long as I leave the password field empty. That should not happen, of course. I use LDAP authentication against an Active Directory, if this matters. You can find my config in the forum (http://forum.status.net/discussion/938/active-directory-ampty-passwords-are-allowed/). Anyway, I patched actions/login.php, and now an empty password is no longer accepted. Here is the glorious patch:
--- login.php.org 2010-09-19 07:23:10.000000000 +0200 +++ login.php 2010-09-19 07:19:27.000000000 +0200 @@ -149,6 +149,11 @@ return; } + if (!$password) { + $this->showForm(_('Incorrect username or password.')); + return; + } + // success! if (!common_set_user($user)) { $this->serverError(_('Error setting user. You are probably not authorized.')); Rainer _______________________________________________ StatusNet-dev mailing list StatusNet-dev@lists.status.net http://lists.status.net/mailman/listinfo/statusnet-dev
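Review bot: the new `if (!$password)` check lands after authentication has already succeeded, not before it. In the login.php hunk it sits between the preceding `return; }` and the `// success!` branch that calls `common_set_user($user)`, so an empty password is still handed to the credential check (and, in the LDAP setup described above, still sent to the directory as a bind) before this code rejects it. Move the guard in front of the credential check that produces `$user`, so an empty password never reaches the authentication backend, and use `$password === ''` (or `strlen($password) == 0`) instead of `!$password`, which in PHP also rejects the legitimate password "0". Since the patch only touches actions/login.php, any other entry point that authenticates with the same credentials needs the same guard.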
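For the record, here is how the guard looks when placed in front of the bind rather than behind it. This is an added example and not StatusNet code; `ldapAuthenticate()`, `hasUsablePassword()` and the connection handling are assumptions for illustration. It relies on one fact not stated above: per RFC 4513 section 5.1.2, a simple bind carrying a DN together with an empty password is an "unauthenticated" bind, which many servers (Active Directory among them) accept, so the client must refuse to send an empty password at all.

```php
<?php
// Added example, not part of StatusNet. Rejects empty passwords before an
// LDAP simple bind, because a bind with a DN and an empty password is an
// unauthenticated bind (RFC 4513 s5.1.2) and can succeed on the server side.

/**
 * True only for a non-empty string. Uses strlen() rather than a truthiness
 * test so that the legitimate password "0" is not rejected.
 */
function hasUsablePassword($password): bool
{
    return is_string($password) && strlen($password) > 0;
}

/**
 * Authenticate $dn against the directory behind $ldap (a resource from
 * ldap_connect()). Returns true only if the server confirmed a bind with
 * a real password; an empty password is refused locally and never sent.
 */
function ldapAuthenticate($ldap, string $dn, $password): bool
{
    if (!hasUsablePassword($password)) {
        // Guard runs BEFORE the bind, so the directory never sees an
        // empty credential that it might accept as an unauthenticated bind.
        return false;
    }
    if ($dn === '') {
        return false;   // a DN-less bind would be an anonymous bind
    }
    // Errors (bad password, unreachable server) are reported as failure.
    return @ldap_bind($ldap, $dn, $password) === true;
}

// Usage (hypothetical host and DN; constructed for the example):
// $ldap = ldap_connect('ldaps://dc.example.test');
// ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
// var_dump(ldapAuthenticate($ldap, 'CN=rainer,CN=Users,DC=example,DC=test', ''));      // bool(false), no bind sent
// var_dump(ldapAuthenticate($ldap, 'CN=rainer,CN=Users,DC=example,DC=test', 'secret')); // result of the real bind
```

The same ordering applies to the login action: the empty-password test belongs before whatever call resolves `$user` from the submitted credentials, not between that call and `common_set_user()`.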