Verified as well. But the API doesn't go through action/login.php; I didn't have time to test whether the same happens via the API.

> On Sun, Sep 19, 2010 at 1:37 AM, Rainer Sokoll <rai...@sokoll.com> wrote:
>> Hi,
>>
>> while playing with my own status.net installation I found out that I can log into the web frontend with /any/ valid account as long as I leave the password field empty. That should not happen, of course. I use LDAP authentication against an Active Directory, if this matters. You can find my config in the forum ( http://forum.status.net/discussion/938/active-directory-ampty-passwords-are-allowed/ )
>> Anyway, I patched actions/login.php, and now an empty password is no longer accepted. Here is the glorious patch:
>>
>>
>> --- login.php.org 2010-09-19 07:23:10.000000000 +0200
>> +++ login.php 2010-09-19 07:19:27.000000000 +0200
>> @@ -149,6 +149,11 @@
>>  return;
>>  }
>>
>> + if (!$password) {
>> + $this->showForm(_('Incorrect username or password.'));
>> + return;
>> + }
>> +
>>  // success!
>>  if (!common_set_user($user)) {
>>  $this->serverError(_('Error setting user. You are probably not authorized.'));
>>
>>
>> Rainer
>
>
> I can confirm this bug. A blank password works with LDAP
> authentication. Wow, am I glad I read this thread!
>
> Thanks, PLA
> _______________________________________________
> StatusNet-dev mailing list
> StatusNet-dev@lists.status.net
> http://lists.status.net/mailman/listinfo/statusnet-dev
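Review bot: the check added by the `+` lines lives only in actions/login.php, so every other path that authenticates a user (the API, as the reply at the top of the thread points out) still accepts the empty password; the test belongs in the routine that performs the LDAP bind, where every caller inherits it. Two further points on `+ if (!$password) {`: in PHP the string "0" is falsy, so a user whose real password is "0" would be locked out, and `$password === ''` (or a `strlen()` check) says what is meant; and because the check sits just before the `// success!` comment, i.e. after the credentials have already been checked, the empty-password bind against the directory still happens before the request is rejected. Moving the empty-password test ahead of the credential check avoids both the round trip and the spurious bind.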
_______________________________________________
StatusNet-dev mailing list
StatusNet-dev@lists.status.net
http://lists.status.net/mailman/listinfo/statusnet-dev
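The behaviour Rainer describes, an LDAP bind that succeeds with a valid account name and an empty password, is the "unauthenticated bind" of RFC 4513 section 5.1.2: Active Directory, like many directory servers, answers such a bind with success while granting only anonymous access, so a caller that treats a successful ldap_bind() as proof of the password is fooled. The following is an added example of how to guard against it in the layer that does the bind, so that both the web login form and the API go through the same check; it is not StatusNet code. The function name ldapAuthenticate, the variable $userDn and the LDAP host are assumptions made for the illustration.

```php
<?php
// Added example, not StatusNet code: reject empty passwords before the
// LDAP bind, in the authentication layer rather than in one login action.
// Assumed (hypothetical) names: $ldap is an open connection from
// ldap_connect(), $userDn is the DN resolved for the supplied nickname.

/**
 * True only when the password is absent or empty.
 *
 * Written with strict comparison on purpose: `!$password` would also be
 * true for the string "0", because PHP treats "0" as false, and would lock
 * out a user whose real password is "0".
 */
function isEmptyPassword(?string $password): bool
{
    return $password === null || $password === '';
}

/**
 * Returns true only if a real, authenticated bind as $userDn succeeds.
 *
 * RFC 4513 section 5.1.2: a bind with a DN and an empty password is an
 * "unauthenticated" bind. Active Directory returns success for it while
 * granting only anonymous access, so ldap_bind() alone cannot tell a
 * correct password from no password at all. Refuse the case up front.
 */
function ldapAuthenticate($ldap, string $userDn, ?string $password): bool
{
    if (isEmptyPassword($password)) {
        return false;
    }

    // A DN-less bind is plain anonymous access; never treat it as a login.
    if ($userDn === '') {
        return false;
    }

    // Bind as the user. ldap_bind() emits a warning on failure; the
    // boolean result is what matters here.
    return @ldap_bind($ldap, $userDn, $password) === true;
}

// Usage (assumed names). Every caller, web form and API alike, goes
// through ldapAuthenticate(), so the empty-password check covers both
// entry points and the directory is never asked to bind with "".
//
// $ldap = ldap_connect('ldaps://dc.example.internal');
// ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
// $authenticated = ldapAuthenticate($ldap, $userDn, $_POST['password'] ?? null);
```

Placing the check in front of the bind, rather than after a successful one as the quoted patch does, also means the directory never sees the empty-password request in the first place.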