> Hi,
>
> while playing with my own status.net installation I found out that I can
> log into the web frontend with /any/ valid account as long as I leave the
> password field empty. That should not happen, of course. I use LDAP
> authentication against an Active Directory, if this matters. You can find
> my config in the forum
> (http://forum.status.net/discussion/938/active-directory-ampty-passwords-are-allowed/)
> Anyway, I patched actions/login.php, and now an empty password is no
> longer accepted. Here is the glorious patch:
>
>
> --- login.php.org 2010-09-19 07:23:10.000000000 +0200
> +++ login.php 2010-09-19 07:19:27.000000000 +0200
> @@ -149,6 +149,11 @@
> return;
> }
>
> + if (!$password) {
> + $this->showForm(_('Incorrect username or password.'));
> + return;
> + }
> +
> // success!
> if (!common_set_user($user)) {
> $this->serverError(_('Error setting user. You are probably
> not authorized.'));
>
>
> Rainer
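Review bot: The new `if (!$password)` check is placed after the failed-login `return; }` and immediately before `// success!`, so it only runs once the credential check has already passed; the LDAP bind with a blank password has therefore still been issued to the directory, and the check merely hides its result. The rejection of an empty password belongs before the authentication call (or inside the LDAP plugin, so that no bind is attempted at all) rather than at this point in the success path. Separately, `!$password` relies on PHP truthiness, so a legitimate password of "0" would also be turned away; `$password === ''` or `strlen($password) === 0` expresses the intended "empty" test without that side effect.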
Thank you for reporting this issue! I have committed a fix to the 0.9.x and 1.0.x branches.

The problem is that Net_LDAP2 assumes an anonymous bind is desired if both the username and password are not specified. Anonymous binds tend to always succeed, so any blank password attempts cause a successful bind, which the LDAP plugin interprets as a good login.

Here are the links to the commits on gitorious:

http://gitorious.org/statusnet/mainline/commit/8d019c03ee7a2a3a25bfb3f2afa25951eac06428
http://gitorious.org/statusnet/mainline/commit/2db8aa3ec3f6804f8f16efe754aafb149f4035c9

So there is no need to modify the login page or api auth system.

Thanks,
~Craig

_______________________________________________
StatusNet-dev mailing list
StatusNet-dev@lists.status.net
http://lists.status.net/mailman/listinfo/statusnet-dev
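The failure mode Craig describes (a library treating "no username and no password" as a request for an anonymous bind, and the anonymous bind succeeding) is best closed at the point where the bind is issued. The PHP below is an added example, not StatusNet's LdapAuthentication plugin or the committed fix: it refuses to call `ldap_bind()` unless both the DN and the password are non-empty, and it uses `strlen()` rather than a truthiness test so that a password of "0" still counts as a password. The `$cfg` keys, host, base DN and attribute names are assumed placeholders.

```php
<?php
// Added example (not StatusNet project code): an LDAP password check that
// never issues a bind with an empty DN or empty password, so the library can
// never fall back to an anonymous or unauthenticated bind. All $cfg values
// below are assumed placeholders for a real deployment.

/**
 * True only when both $username and $password are non-empty strings.
 * strlen() is used instead of "if (!$password)" because the string "0"
 * is falsy in PHP but is a legitimate password.
 */
function credentials_are_complete($username, $password)
{
    return is_string($username) && is_string($password)
        && strlen($username) > 0 && strlen($password) > 0;
}

/**
 * Authenticates $username/$password against the directory.
 * Returns true only after a successful simple bind as the user's own DN
 * with a non-empty password; returns false for blank credentials without
 * contacting the directory at all.
 */
function ldap_check_password($username, $password, array $cfg)
{
    // Reject blank credentials before touching the directory.
    if (!credentials_are_complete($username, $password)) {
        return false;
    }

    $ds = ldap_connect($cfg['uri']);          // e.g. 'ldap://dc.example.test'
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind as a dedicated read-only service account to locate the
    // user's DN. The same non-empty rule is applied to the service account,
    // so a misconfigured empty bind_pw cannot silently become anonymous.
    if (!credentials_are_complete($cfg['bind_dn'], $cfg['bind_pw'])
        || !@ldap_bind($ds, $cfg['bind_dn'], $cfg['bind_pw'])) {
        ldap_unbind($ds);
        return false;
    }

    // Step 2: look up exactly one entry whose login attribute matches.
    // ldap_escape() (PHP 5.6+) prevents filter injection via the username.
    $filter = sprintf('(%s=%s)', $cfg['login_attr'],
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $res     = ldap_search($ds, $cfg['base_dn'], $filter, array('dn'));
    $entries = ($res !== false) ? ldap_get_entries($ds, $res) : false;
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($ds);
        return false;
    }
    $user_dn = $entries[0]['dn'];

    // Step 3: re-bind as the user. The password is known to be non-empty
    // here, so a failure is a genuine wrong-password result and a success
    // cannot be an anonymous bind.
    $ok = @ldap_bind($ds, $user_dn, $password);
    ldap_unbind($ds);
    return $ok === true;
}

// Constructed configuration for illustration only.
$cfg = array(
    'uri'        => 'ldap://dc.example.test',
    'bind_dn'    => 'CN=svc-statusnet,OU=Service,DC=example,DC=test',
    'bind_pw'    => 'placeholder-service-password',
    'base_dn'    => 'OU=Users,DC=example,DC=test',
    'login_attr' => 'sAMAccountName',
);

// Both of these return false without any directory traffic.
var_dump(credentials_are_complete('rainer', ''));   // bool(false)
var_dump(credentials_are_complete('', ''));         // bool(false)
// "0" is accepted as a password and would proceed to the bind.
var_dump(credentials_are_complete('rainer', '0'));  // bool(true)
```

The important design point is ordering: the emptiness check runs before any bind, not after a "successful" result comes back, because once a blank password has been sent the directory may already have answered with a successful anonymous bind and the caller cannot distinguish that from a real authentication. `credentials_are_complete()` is also applied to the service account so that an operator error in `bind_pw` fails closed instead of degrading the lookup to an anonymous bind.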