projects / catagits/Catalyst-Authentication-Store-LDAP.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw (parent: 195f2f1)
Fix security issue. RT#81908
Tomas Doran [Fri, 26 Apr 2013 19:44:11 +0000 (19:44 +0000)]
Changes patch | blob | blame | history
lib/Catalyst/Authentication/Store/LDAP/Backend.pm patch | blob | blame | history

diff --git a/Changes b/Changes
index 1d8f27d..6fc7302 100644 (file)
--- a/Changes
+++ b/Changes
@@ -1,3 +1,5 @@
+  - Don't fall back to unauthenticated bind when authenticating
+
 1.013  9 January 2013
   - fix for https://rt.cpan.org/Ticket/Display.html?id=81908 security hole.
 
diff --git a/lib/Catalyst/Authentication/Store/LDAP/Backend.pm b/lib/Catalyst/Authentication/Store/LDAP/Backend.pm
index a0be77a..7211e72 100644 (file)
--- a/lib/Catalyst/Authentication/Store/LDAP/Backend.pm
+++ b/lib/Catalyst/Authentication/Store/LDAP/Backend.pm
@@ -226,7 +226,8 @@ sub ldap_bind {
         $self->_ldap_bind_anon($ldap);
     }
     else {
-        if ($bindpw) {
+        # Don't fall back to unauthenticated bind when authenticating
+        if ($bindpw or $forauth eq 'forauth') {
             my $mesg = $ldap->bind( $binddn, 'password' => $bindpw );
             if ( $mesg->is_error ) {
 
Unnamed repository; edit this file 'description' to name the repository.