[FIX] users_ldap: double-check to prevent blank passwords
The server should have done the check in the call to super.check(), but just in case, we double-check for blank passwords, as this is an issue for LDAP servers that allow anonymous bindings. See http://www.openldap.org/lists/openldap-software/200112/msg00178.html lp bug: https://launchpad.net/bugs/760301 fixed bzr revid: odo@openerp.com-20110428153543-vfhx9rhbspoc84b6
parent
7464803d7d
commit
00c65ea9a7
|
@ -138,6 +138,11 @@ class users(osv.osv):
|
|||
return super(users,self).check(db, uid, passwd)
|
||||
except security.ExceptionNoTb: # AccessDenied
|
||||
pass
|
||||
|
||||
if not passwd:
|
||||
# empty passwords disallowed for obvious security reasons
|
||||
raise security.ExceptionNoTb('AccessDenied')
|
||||
|
||||
cr = pooler.get_db(db).cursor()
|
||||
user = self.browse(cr, 1, uid)
|
||||
logger = logging.getLogger('orm.ldap')
|
||||
|
@ -156,6 +161,8 @@ class users(osv.osv):
|
|||
result_type, result_data = l.result(result_id, timeout)
|
||||
if result_data and result_type == ldap.RES_SEARCH_RESULT and len(result_data) == 1:
|
||||
dn = result_data[0][0]
|
||||
# some LDAP servers allow anonymous binding with blank passwords,
|
||||
# but these have been rejected above, so we're safe to use bind()
|
||||
if l.bind_s(dn, passwd):
|
||||
l.unbind()
|
||||
self._uid_cache.setdefault(db, {})[uid] = passwd
|
||||
|
|
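Review bot: The `if l.bind_s(dn, passwd):` test in the second hunk only ever sees the success path, because python-ldap's bind_s() raises (e.g. ldap.INVALID_CREDENTIALS) on a rejected bind rather than returning a falsy value, so a failed bind is decided by an except clause that lies outside this hunk, not by this condition. The new comment would be more useful if it said so, e.g. `# bind_s() raises on a rejected bind; a blank passwd was already refused above, so this cannot degrade into an anonymous bind`. The first hunk's `if not passwd:` guard correctly covers both None and the empty string, which is what an anonymous/unauthenticated simple bind needs. Note also that `l.unbind()` is only reached on success, so the connection's cleanup on the exception path depends on the enclosing code, which starts and ends outside both hunks.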