Products.LDAPUserFolder

Exception on login with trailing space

Reported by Mihnea Simian on 2012-10-02
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Products.LDAPUserFolder
Medium
Jens Vagelpohl

Bug Description

Occurs on logging in with a trailing space in username.
Authentication succeeds because the syntax of DN accepts optional spaces before and after "," separator.
LDAPUserFolder code however uses the uid which lacks the space provided by the user input.

I would suggest stripping the uid before using it.

Exception found in Zope log:
Traceback (innermost last):
  Module ZPublisher.Publish, line 116, in publish
  Module ZPublisher.BaseRequest, line 591, in traverse
  Module AccessControl.User, line 662, in validate
  Module Products.LDAPUserFolder.LDAPUserFolder, line 849, in authenticate
  Module Products.LDAPUserFolder.LDAPUserFolder, line 801, in getUser
  Module Products.LDAPUserFolder.LDAPUserFolder, line 757, in getUserByAttr
IndexError: list index out of range

OBS: Please note that test included in patch fails! It fails because the dataflake fakeldap has different behavior than a real open ldap server: search returns no result when trailing space present.

It's now that I notice that spaces are optional on both sides of attribute value

<attribute> ::= <string>
           | <key> <optional-space> "=" <optional-space> <string>

So login also succeeds with leading space. Changed rstrip to strip in patch.

Changed in ldapuserfolder:
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Jens Vagelpohl (dataflake)
Jens Vagelpohl (dataflake) wrote :
Changed in ldapuserfolder:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers