[Catalyst-commits] r14444 - in Catalyst-Authentication-Store-LDAP/trunk: . lib/Catalyst/Authentication/Store/LDAP

t0m at dev.catalyst.perl.org t0m at dev.catalyst.perl.org
Fri Apr 26 19:44:11 GMT 2013


Author: t0m
Date: 2013-04-26 19:44:11 +0000 (Fri, 26 Apr 2013)
New Revision: 14444

Modified:
   Catalyst-Authentication-Store-LDAP/trunk/Changes
   Catalyst-Authentication-Store-LDAP/trunk/lib/Catalyst/Authentication/Store/LDAP/Backend.pm
Log:
Fix security issue. RT#81908

Modified: Catalyst-Authentication-Store-LDAP/trunk/Changes
===================================================================
--- Catalyst-Authentication-Store-LDAP/trunk/Changes	2013-04-26 12:51:35 UTC (rev 14443)
+++ Catalyst-Authentication-Store-LDAP/trunk/Changes	2013-04-26 19:44:11 UTC (rev 14444)
@@ -1,3 +1,5 @@
+  - Don't fall back to unauthenticated bind when authenticating
+
 1.013  9 January 2013
   - fix for https://rt.cpan.org/Ticket/Display.html?id=81908 security hole.
 
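Review bot: the new entry at the top of Changes has no version or date heading of its own and does not cite RT#81908, although the commit log does and the `1.013` entry below it already claims a fix for the same ticket. Suggest adding the heading for the release that will carry this change and referencing the ticket in the entry, so that someone reading Changes can tell that 1.013 does not include the "Don't fall back to unauthenticated bind" part of the fix.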

Modified: Catalyst-Authentication-Store-LDAP/trunk/lib/Catalyst/Authentication/Store/LDAP/Backend.pm
===================================================================
--- Catalyst-Authentication-Store-LDAP/trunk/lib/Catalyst/Authentication/Store/LDAP/Backend.pm	2013-04-26 12:51:35 UTC (rev 14443)
+++ Catalyst-Authentication-Store-LDAP/trunk/lib/Catalyst/Authentication/Store/LDAP/Backend.pm	2013-04-26 19:44:11 UTC (rev 14444)
@@ -226,7 +226,8 @@
         $self->_ldap_bind_anon($ldap);
     }
     else {
-        if ($bindpw) {
+        # Don't fall back to unauthenticated bind when authenticating
+        if ($bindpw or $forauth eq 'forauth') {
             my $mesg = $ldap->bind( $binddn, 'password' => $bindpw );
             if ( $mesg->is_error ) {
 
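Review bot: in the `if ($bindpw or $forauth eq 'forauth')` branch, an empty or undefined `$bindpw` is still passed straight to `$ldap->bind( $binddn, 'password' => $bindpw )`. A simple bind with a DN and a zero-length password is what RFC 4513 section 5.1.2 calls an unauthenticated bind, and a server that permits it returns success, so the outcome of an authentication attempt with a blank password depends on server configuration and on the `is_error` handling that follows. Suggest rejecting the attempt before the bind call when `$forauth eq 'forauth'` and `$bindpw` is undefined or has zero length, and adding a test for the blank-password case. The comparison `$forauth eq 'forauth'` also warns under `use warnings` if `$forauth` can be undefined here; a `defined` guard would avoid that.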



