Moodle / MDL-3992

LDAP password including a quote does not work

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.2
    • Fix Version/s: None
    • Component/s: Authentication
    • Labels:
      None
    • Environment:
      Linux
    • Affected Branches:
      MOODLE_15_STABLE
    • Rank:
      8517

      Description

      When Moodle authentication is set to be done by LDAP, apparently you cannot pass through the login page if the password includes ' (a single quote). Can anyone confirm the same problem at your own site?

      KITA

        Activity

        Martin Dougiamas added a comment -

        From Toshihiro KITA (t-kita at cc.kumamoto-u.ac.jp) Wednesday, 14 September 2005, 11:58 PM:

        I believe I have finally found the reason.

        Moodle always puts backslashes before single quotes (') in the data strings submitted by HTML forms, by addslashes_deep() defined around L250 in lib/setup.php.

        That is, a password like

        abc'def

        will always become

        abc\'def

        when it is passed to authenticate_user_login().

        A quick hack might be a modification in auth/ldap/lib.php around L73:

            // Try to bind with current username and password
            $ldap_login = @ldap_bind($ldapconnection, $ldap_user_dn, $password);
            ldap_close($ldapconnection);

        the middle line should be

            $ldap_login = @ldap_bind($ldapconnection, $ldap_user_dn, stripslashes($password));

        if you want to use a password from an LDAP server including ' or or \ .

        From Martin Langhoff (martin at catalyst.net.nz) Thursday, 6 October 2005, 10:18 AM:

        Fixed in HEAD and STABLE – thanks for a superb report & patch!
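
The mismatch described in the comment above, as an added example that is not part of the original report or of Moodle's code. `fake_bind()` is a hypothetical stand-in for `ldap_bind()`, and the stored password and form values are constructed; the last call also covers a value that was never slashed, where `stripslashes()` itself alters the credential.

```php
<?php
// Added example, not Moodle code. fake_bind() is a hypothetical stand-in for
// ldap_bind() so the script runs without a directory server.

// Constructed sample: the password the directory holds for the user.
const STORED_PASSWORD = "abc'def\\x";   // bytes: abc'def\x

function fake_bind(string $password): bool
{
    // A directory compares the credential bytes it receives as they are;
    // nothing on that side undoes SQL-style escaping.
    return hash_equals(STORED_PASSWORD, $password);
}

// Models the behaviour the report describes: every submitted form value
// is passed through addslashes() before the login code sees it.
function slash_input(array $form): array
{
    return array_map('addslashes', $form);
}

// Before the change: the slashed string goes straight to the bind.
function login_before_fix(array $form): bool
{
    $data = slash_input($form);
    return fake_bind($data['password']);
}

// After the change: escaping is undone right before the non-SQL sink.
function login_after_fix(array $form): bool
{
    $data = slash_input($form);
    return fake_bind(stripslashes($data['password']));
}

// Constructed form submission carrying the correct password.
$form = ['username' => 'student1', 'password' => "abc'def\\x"];

var_dump(addslashes($form['password']));   // the string the bind saw before the change
var_dump(login_before_fix($form));
var_dump(login_after_fix($form));

// stripslashes() is only correct on input that was slashed exactly once:
// applied to the raw value it removes the user's own backslash.
var_dump(fake_bind(stripslashes($form['password'])));
```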

        Michael Blake added a comment -

        assign to a valid user


          People

          • Votes: 0
          • Watchers: 0