Moodle / MDL-3992

LDAP password including a quote does not work

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.2
    • Fix Version/s: None
    • Component/s: Authentication
    • Labels:
      None
    • Environment:
      Linux
    • Affected Branches:
      MOODLE_15_STABLE

      Description

      When Moodle authentication is set to be done by LDAP, apparently you cannot pass through the login page if the password includes ' (a single quote). Can anyone confirm the same problem at your own site?

      KITA

            Activity

            dougiamas Martin Dougiamas added a comment -

            From Toshihiro KITA (t-kita at cc.kumamoto-u.ac.jp) Wednesday, 14 September 2005, 11:58 PM:

            I believe I finally found the reason.

            Moodle always puts backslashes before single quotes (') in the data strings submitted by HTML forms, by addslashes_deep() defined around L250 in lib/setup.php.

            That is, a password like

            abc'def

            will always become

            abc\'def

            when it is passed to authenticate_user_login().

            A quick hack might be a modification in auth/ldap/lib.php

            around L73 :

            // Try to bind with current username and password

            $ldap_login = @ldap_bind($ldapconnection, $ldap_user_dn, $password);

            ldap_close($ldapconnection);

            the middle line should be

            $ldap_login = @ldap_bind($ldapconnection, $ldap_user_dn, stripslashes($password));

            if you want to use a password from a LDAP server including ' or or \ .

            From Martin Langhoff (martin at catalyst.net.nz) Thursday, 6 October 2005, 10:18 AM:

            Fixed in HEAD and STABLE – thanks for a superb report & patch!
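
The mismatch described in the comment above, reproduced offline as an added example (not Moodle's code and not part of the original report). `escape_deep()` and `fake_bind()` are hypothetical stand-ins for `addslashes_deep()` and `ldap_bind()`, and the usernames and passwords are constructed samples.

```php
<?php
// Hypothetical stand-in for the recursive escaping the report attributes
// to addslashes_deep(): every submitted form value gets addslashes().
function escape_deep($value) {
    return is_array($value)
        ? array_map('escape_deep', $value)
        : addslashes($value);
}

// Hypothetical stand-in for ldap_bind(): the directory compares the exact
// bytes it is given with the stored secret, with no knowledge of PHP escaping.
function fake_bind(string $stored, string $presented): bool {
    return hash_equals($stored, $presented);
}

// Constructed passwords covering the characters addslashes() escapes,
// plus one password that escaping leaves untouched.
$samples = ["abc'def", 'abc"def', 'abc\\def', 'plain123'];

foreach ($samples as $stored) {
    // What the login code receives after the global escaping step.
    $form = escape_deep(['username' => 'kita', 'password' => $stored]);
    $password = $form['password'];

    $before = fake_bind($stored, $password);               // original bind line
    $after  = fake_bind($stored, stripslashes($password)); // patched bind line

    printf("%-9s sent-as=%-10s before=%-4s after=%s\n",
        $stored, $password,
        $before ? 'ok' : 'FAIL',
        $after ? 'ok' : 'FAIL');
}

// Caveat: stripslashes() only round-trips input that was escaped exactly once.
// A password that never went through the escaping step loses its backslash,
// so the unescape has to be paired with the escaping actually applied.
$raw = 'abc\\def';
printf("unescaped input survives stripslashes: %s\n",
    stripslashes($raw) === $raw ? 'yes' : 'no');
```

Any code path that hands a credential to an external verifier (LDAP, RADIUS, an HTTP API) needs the same check: the secret must reach the verifier byte-for-byte as the user typed it, with output escaping applied only at the sink that needs it.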

            mblake Michael Blake added a comment -

            assign to a valid user

