Exception on login with trailing space

Bug #1060080 reported by Mihnea Simian
Affects: Products.LDAPUserFolder
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone:

Bug Description

Occurs when logging in with a trailing space in the username.
Authentication succeeds because the DN syntax accepts optional spaces before and after the "," separator.
The LDAPUserFolder code, however, uses the uid, which lacks the space provided by the user input.

I would suggest stripping the uid before using it.

Exception found in Zope log:
Traceback (innermost last):
  Module ZPublisher.Publish, line 116, in publish
  Module ZPublisher.BaseRequest, line 591, in traverse
  Module AccessControl.User, line 662, in validate
  Module Products.LDAPUserFolder.LDAPUserFolder, line 849, in authenticate
  Module Products.LDAPUserFolder.LDAPUserFolder, line 801, in getUser
  Module Products.LDAPUserFolder.LDAPUserFolder, line 757, in getUserByAttr
IndexError: list index out of range

OBS: Please note that the test included in the patch fails! It fails because the dataflake fakeldap behaves differently from a real OpenLDAP server: the search returns no result when a trailing space is present.

Tags: login sanitize
Revision history for this message
Mihnea Simian (8mabmzqcnyc1g4i7-mcmth4f-clubl5mz6ldresgv) wrote :

It's only now that I notice that spaces are optional on both sides of the attribute value:

<attribute> ::= <string>
           | <key> <optional-space> "=" <optional-space> <string>

So login also succeeds with a leading space. Changed rstrip to strip in the patch.

Changed in ldapuserfolder:
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Jens Vagelpohl (dataflake)
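The two observations above (a padded login is accepted by the server because DN and attribute syntax tolerate surrounding whitespace, but the folder code then works with the stored uid and indexes a list that turns out to be empty) can be modelled in a few lines. The following is an added illustration, not LDAPUserFolder's own code: the in-memory directory, the entry layout and the function names are constructed for this example, and the whitespace-tolerant server match is an assumption based on the OBS note that a real OpenLDAP server, unlike fakeldap, still finds the entry.

```python
# Added example, not LDAPUserFolder's own code. The directory, the entry layout
# and the function names are constructed for this illustration.

# Constructed directory: each entry is (dn, attributes). The real product talks
# to an LDAP server through its delegate instead of a Python list.
DIRECTORY = [
    ("uid=jdoe,ou=people,dc=example,dc=org", {"uid": "jdoe", "cn": "John Doe"}),
    ("uid=asmith,ou=people,dc=example,dc=org", {"uid": "asmith", "cn": "Ann Smith"}),
]


def server_search(attr, value):
    """Model of a whitespace-tolerant server-side match (assumption: the report's
    OBS note implies a real OpenLDAP server still returns the entry when the
    value carries padding, whereas fakeldap returns nothing)."""
    wanted = value.strip()
    return [(dn, attrs) for dn, attrs in DIRECTORY if attrs.get(attr) == wanted]


def get_user_by_attr_vulnerable(login):
    """Model of the failing path: the server returns the entry, but the code
    then keys on the stored uid, which lacks the space the user typed, and
    indexes the (now empty) list without checking it first."""
    results = server_search("uid", login)
    matching = [attrs for _dn, attrs in results if attrs["uid"] == login]
    return matching[0]["cn"]  # IndexError whenever the login was padded


def get_user_by_attr_fixed(login):
    """Hardened version: strip the login once at the boundary (leading and
    trailing, as the follow-up comment notes) and treat an empty result as
    'no such user' instead of letting IndexError escape into the publisher."""
    uid = login.strip()
    if not uid:
        return None
    results = server_search("uid", uid)
    matching = [attrs for _dn, attrs in results if attrs["uid"] == uid]
    if not matching:
        return None
    return matching[0]["cn"]


def demo():
    """Run both variants over constructed logins; returns {login: (before, after)}."""
    cases = ["jdoe", "jdoe ", " jdoe", "  asmith  ", "nobody", "   "]
    out = {}
    for login in cases:
        try:
            before = get_user_by_attr_vulnerable(login)
        except IndexError:
            before = "IndexError"
        out[login] = (before, get_user_by_attr_fixed(login))
    return out


if __name__ == "__main__":
    for login, (before, after) in demo().items():
        print(f"{login!r:12} before={before!r:14} after={after!r}")
```

The two changes in the fixed variant are independent and both worth keeping: normalising the login at the entry point makes the later uid comparison agree with what the server matched, and checking for an empty result means that any other mismatch (a deleted entry, a different server's matching rules) degrades to a failed login rather than a traceback in the Zope log.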
Revision history for this message
Jens Vagelpohl (dataflake-deactivatedaccount-deactivatedaccount) wrote :
Changed in ldapuserfolder:
status: Triaged → Fix Committed
Revision history for this message
Jens Vagelpohl (dataflake-deactivatedaccount-deactivatedaccount) wrote :
Changed in ldapuserfolder:
status: Fix Committed → Fix Released