
c2c-oerpscenario team mailing list archive

[Bug 760301] Re: [6.0.2] users_ldap allows login with blank password


** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/760301

Title:
  [6.0.2] users_ldap allows login with blank password

Status in OpenERP Modules (addons):
  New

Bug description:
  Allow users_ldap to create a user.
  Login as that user. If you give the wrong password it rejects you. If you leave the password blank it lets you in!

  Line 99 in users_ldap.py:

     if l.bind_s(dn, password):

  Basically, if you can bind you're in. According to this posting
  http://www.openldap.org/lists/openldap-software/200112/msg00178.html
  ldap is *designed* to allow an anonymous bind if the password is blank, so users_ldap *must* explicitly check for blank passwords itself.
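An added illustration, not code from the bug report or from OpenERP's users_ldap module, of the explicit check the report asks for: the bind-equals-login logic beside a version that refuses empty credentials before it ever binds. The connection object, the DN and the password are constructed stand-ins that mimic a server treating an empty credential as an anonymous bind.

```python
class InvalidCredentials(Exception):
    """Stands in for the error a real LDAP library raises on a failed bind."""

class FakeLdapConnection:
    """Constructed stand-in for a python-ldap connection (not a real server)."""

    def __init__(self, directory):
        self._directory = directory  # DN -> password, constructed sample data
        self.bound_as = None         # identity the session ended up bound as

    def bind_s(self, dn, password):
        # Empty credential: the server performs an anonymous bind and reports
        # success whatever DN was supplied (the behaviour the report describes).
        if password == "":
            self.bound_as = ""
            return True
        if self._directory.get(dn) == password:
            self.bound_as = dn
            return True
        raise InvalidCredentials(dn)

def vulnerable_login(conn, dn, password):
    """Mirrors the line-99 logic: a successful bind is treated as a login."""
    try:
        return bool(conn.bind_s(dn, password))
    except InvalidCredentials:
        return False

def hardened_login(conn, dn, password):
    """Refuse empty or whitespace-only credentials before contacting the
    server, so an anonymous bind can never pass for a user authentication."""
    if not dn or not password or not password.strip():
        return False
    try:
        conn.bind_s(dn, password)
    except InvalidCredentials:
        return False
    # Second check: the session must be bound as the DN we asked for
    # (python-ldap exposes whoami_s() for this against a real server).
    return conn.bound_as == dn

DIRECTORY = {"uid=alice,ou=people,dc=example,dc=com": "s3cret"}  # constructed
DN = "uid=alice,ou=people,dc=example,dc=com"

if __name__ == "__main__":
    for label, login in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        print(label, "blank password ->", login(FakeLdapConnection(DIRECTORY), DN, ""))
```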