On Sun, Sep 19, 2010 at 1:37 AM, Rainer Sokoll <rai...@sokoll.com> wrote:
> Hi,
>
> while playing with my own status.net installation I found out that I can log
> into the web frontend with /any/ valid account as long as I leave the
> password field empty. That should not happen, of course. I use LDAP
> authentication against an Active Directory, if this matters. You can find my
> config in the forum
> (http://forum.status.net/discussion/938/active-directory-ampty-passwords-are-allowed/)
> Anyway, I patched actions/login.php, and now an empty password is no longer
> accepted. Here is the glorious patch:
>
>
> --- login.php.org 2010-09-19 07:23:10.000000000 +0200
> +++ login.php 2010-09-19 07:19:27.000000000 +0200
> @@ -149,6 +149,11 @@
> return;
> }
>
> + if (!$password) {
> + $this->showForm(_('Incorrect username or password.'));
> + return;
> + }
> +
> // success!
> if (!common_set_user($user)) {
> $this->serverError(_('Error setting user. You are probably not
> authorized.'));
>
>
> Rainer
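Review bot: The new check sits after the credential check has already passed (between the preceding `return; }` and `// success!`), so the empty password still reaches the LDAP bind; RFC 4513 section 5.1.2 defines a bind with a name and a zero-length password as an unauthenticated bind, which Active Directory accepts by default, and that is why every account "logs in". Move the empty-password rejection ahead of the authentication call, and put the same rejection in the LDAP authentication path itself so that callers other than this form are covered. Separately, `if (!$password)` relies on PHP truthiness and rejects the legitimate password "0"; use `if ($password === '')` (or `strlen($password) == 0`) instead.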
I can confirm this bug. A blank password works with LDAP authentication. Wow, am I glad I read this thread!

Thanks,
PLA

_______________________________________________
StatusNet-dev mailing list
StatusNet-dev@lists.status.net
http://lists.status.net/mailman/listinfo/statusnet-dev
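The failure mode Rainer reports, as an added example that is not part of this thread and not StatusNet code: a simple bind that carries a DN but a zero-length password is an unauthenticated bind under RFC 4513 section 5.1.2, and Active Directory returns success for it by default without authenticating anyone, so any login path that equates "bind succeeded" with "password verified" accepts an empty password for every account. The block needs no LDAP server: simulated_ad_bind() models that bind behaviour, DIRECTORY holds constructed accounts (not real credentials), and naive_login() / hardened_login() are illustrative names, not StatusNet functions.

```python
"""Why an empty password passes an LDAP/AD bind, and what a login path must
check before treating a bind as a login.  Constructed example; the server
model and the account data are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed directory for the example: DN -> password.  Not real credentials.
DIRECTORY = {
    "CN=rainer,OU=Users,DC=example,DC=org": "correct horse",
    "CN=zero,OU=Users,DC=example,DC=org": "0",   # a legitimate password of "0"
}


@dataclass
class BindResult:
    success: bool
    bound_as: Optional[str]   # DN the session is authenticated as; None = no identity


def simulated_ad_bind(dn: str, password: str) -> BindResult:
    """Model of Active Directory's default simple-bind handling (assumption).

    - name + zero-length password: unauthenticated bind (RFC 4513 5.1.2),
      accepted by AD by default; the result is success, but the session
      carries no identity
    - correct password: success, bound as that DN
    - anything else: invalidCredentials
    """
    if password == "":
        return BindResult(True, None)
    if DIRECTORY.get(dn) == password:
        return BindResult(True, dn)
    return BindResult(False, None)


def naive_login(dn: str, password: str) -> bool:
    """The bug as reported: any successful bind is treated as a login."""
    return simulated_ad_bind(dn, password).success


def hardened_login(dn: str, password: Optional[str]) -> bool:
    """Reject an empty password *before* binding, and accept a bind only if it
    authenticated the DN we asked for (a whoami-style check).

    The length test is deliberate: a truthiness test such as PHP's
    `if (!$password)` would also reject the legitimate password "0".
    """
    if password is None or len(password) == 0:
        return False
    result = simulated_ad_bind(dn, password)
    return result.success and result.bound_as == dn
```

With a real client the second check can be done with the LDAP "Who am I?" extended operation after the bind (for example `connection.extend.standard.who_am_i()` in ldap3); an unauthenticated bind reports no identity, which is the signal to refuse the login even if the pre-bind length check were somehow bypassed.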