  1. Moodle
  2. MDL-3992

LDAP password including a quote does not work

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.2
    • Fix Version/s: None
    • Component/s: Authentication
    • Labels:
      None
    • Environment:
      Linux
    • Affected Branches:
      MOODLE_15_STABLE

      Description

      When Moodle authentication is set to be done by LDAP, apparently you cannot pass through the login page if the password includes ' (a single quote). Can anyone confirm the same problem at your own site?

      KITA


          Activity

          dougiamas Martin Dougiamas added a comment -

          From Toshihiro KITA (t-kita at cc.kumamoto-u.ac.jp) Wednesday, 14 September 2005, 11:58 PM:

          I believe I finally found the reason.

          Moodle always puts backslashes before single quotes (') in the data strings submitted by HTML forms, by addslashes_deep() defined around L250 in lib/setup.php.

          That is, a password like

          abc'def

          will always become

          abc\'def

          when it is passed to authenticate_user_login().

          A quick hack might be a modification in auth/ldap/lib.php around L73:

          // Try to bind with current username and password
          $ldap_login = @ldap_bind($ldapconnection, $ldap_user_dn, $password);
          ldap_close($ldapconnection);

          The middle line should be

          $ldap_login = @ldap_bind($ldapconnection, $ldap_user_dn, stripslashes($password));

          if you want to use a password from an LDAP server including ' or or \ .

          From Martin Langhoff (martin at catalyst.net.nz) Thursday, 6 October 2005, 10:18 AM:

          Fixed in HEAD and STABLE – thanks for a superb report & patch!
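
The failure described in the comment above, reproduced as an added example that is not part of the original issue or Moodle's own code. `addslashes_deep_example()` and `directory_bind_example()` are hypothetical stand-ins (no LDAP server is contacted), and the username and passwords are constructed sample values.

```php
<?php
// Added example, not Moodle code. Stand-in for the recursive escaping of
// form data that the comment attributes to addslashes_deep() in lib/setup.php.
function addslashes_deep_example($value) {
    return is_array($value)
        ? array_map('addslashes_deep_example', $value)
        : addslashes($value);
}

// Hypothetical stand-in for ldap_bind(): the directory compares the bytes it
// receives with the stored password and knows nothing about PHP escaping.
function directory_bind_example(string $stored, string $presented): bool {
    return hash_equals($stored, $presented);
}

// For one stored password, returns two results:
// [bind with the escaped form value, bind after stripslashes()].
function login_outcomes(string $stored): array {
    $form = addslashes_deep_example([
        'username' => 'student1',   // constructed
        'password' => $stored,
    ]);
    return [
        directory_bind_example($stored, $form['password']),
        directory_bind_example($stored, stripslashes($form['password'])),
    ];
}

// Constructed passwords: plain, single quote, double quote, backslash.
foreach (['abcdef', "abc'def", 'abc"def', 'abc\\def'] as $pw) {
    [$escaped, $stripped] = login_outcomes($pw);
    printf("%-8s escaped bind: %-4s  stripslashes bind: %s\n",
        $pw, $escaped ? 'ok' : 'FAIL', $stripped ? 'ok' : 'FAIL');
}

// stripslashes() is only correct on input that was escaped exactly once.
// Applied to a value that was never escaped, it deletes a legitimate
// backslash and the bind fails for a different reason.
$unescaped = 'abc\\def';
printf("unescaped %s after stripslashes: %s\n", $unescaped, stripslashes($unescaped));
```

Only the plain password binds with the escaped value; every password binds once `stripslashes()` undoes the single layer of escaping.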

          mblake Michael Blake added a comment -

          assign to a valid user

