Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 1.5.2
- Fix Version/s: None
- Component/s: Authentication
- Labels: None
- Environment: Linux
- Affected Branches: MOODLE_15_STABLE
Description
When Moodle authentication is set to be done by LDAP, apparently you cannot pass through the login page if the password includes ' (a single quote). Can anyone confirm the same problem at your own site?
–
KITA
From Toshihiro KITA (t-kita at cc.kumamoto-u.ac.jp) Wednesday, 14 September 2005, 11:58 PM:
I believe I finally found the reason.
Moodle always puts backslashes before single quotes (') in the data strings submitted by HTML forms - by addslashes_deep() defined around L250 in lib/setup.php.
That is, a password like
abc'def
will always become
abc\'def
when it is passed to authenticate_user_login().
A quick hack might be a modification in auth/ldap/lib.php
around L73 :
// Try to bind with current username and password
$ldap_login = @ldap_bind($ldapconnection, $ldap_user_dn, $password);
ldap_close($ldapconnection);
the middle line should be
$ldap_login = @ldap_bind($ldapconnection, $ldap_user_dn, stripslashes($password));
if you want to use a password from an LDAP server including ' or or \ .
From Martin Langhoff (martin at catalyst.net.nz) Thursday, 6 October 2005, 10:18 AM:
Fixed in HEAD and STABLE – thanks for a superb report & patch!
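The following PHP example is added here and is not from the report or from Moodle's code. It reproduces the failure and the fix described in this issue, and shows why the unescape must undo exactly one escaping layer. `example_addslashes_deep()` and `example_bind()` are hypothetical stand-ins for the form-escaping step and for `ldap_bind()`; the DN and passwords are constructed, and PHP 5.6 or later is assumed for `hash_equals()`.

```php
<?php
// Added illustration; not Moodle code. All function names are hypothetical.

// Stand-in for the escaping applied to submitted form data.
function example_addslashes_deep($data) {
    return is_array($data)
        ? array_map('example_addslashes_deep', $data)
        : addslashes($data);
}

// Stand-in for ldap_bind(): the directory compares the exact bytes it receives.
function example_bind(array $directory, $dn, $password) {
    return isset($directory[$dn]) && hash_equals($directory[$dn], $password);
}

// Constructed sample data.
$dn = 'uid=kita,ou=people,dc=example,dc=org';
$passwords = ["abc'def", 'abc"def', 'abc\\def', 'plain123'];

foreach ($passwords as $real) {
    $directory = [$dn => $real];

    // What the login code receives after the form layer escaped the input.
    $form = example_addslashes_deep(['username' => 'kita', 'password' => $real]);
    $slashed = $form['password'];

    // Original line: the escaped string goes to the directory unchanged.
    $before = example_bind($directory, $dn, $slashed);

    // Patched line: one stripslashes() undoes the one escaping layer.
    $after = example_bind($directory, $dn, stripslashes($slashed));

    // A second stripslashes() acts on a value with no escaping left,
    // which silently drops a literal backslash from the password.
    $twice = example_bind($directory, $dn, stripslashes(stripslashes($slashed)));

    printf(
        "%-9s sent=%-10s before=%-4s after=%-4s unescaped-twice=%s\n",
        $real,
        $slashed,
        $before ? 'ok' : 'FAIL',
        $after ? 'ok' : 'FAIL',
        $twice ? 'ok' : 'FAIL'
    );
}
```

Only the password containing a backslash fails in the last column, which is why the unescape belongs at a single point where the value is known to be escaped exactly once.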