Fixed issue with blank password with Ldap
The bind operation of LDAP, as described in RFC 4513, provides a method which allows for authentication of users. For the Simple Authentication Method a user may use the anonymous authentication mechanism, the unauthenticated authentication mechanism, or the name/password authentication mechanism. The unauthenticated authentication mechanism is used when a client who desires to establish an anonymous authorization state passes a non-zero length distinguished name and a zero length password. Most LDAP servers either can be configured to allow this mechanism or allow it by default. _Web-based applications which perform the simple bind operation with the client's credentials are at risk when an anonymous authorization state is established. This can occur when the web-based application passes a distinguished name and a zero length password to the LDAP server._ Thus, a server configured to accept unauthenticated simple binds can trick Symfony into treating the username/password tuple as valid, potentially leading to unauthorized access.
This commit is contained in:
parent
27c122e0ca
commit
c7d9c62c79
@ -73,6 +73,10 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider
|
|||||||
$username = $token->getUsername();
|
$username = $token->getUsername();
|
||||||
$password = $token->getCredentials();
|
$password = $token->getCredentials();
|
||||||
|
|
||||||
|
if ('' === $password) {
|
||||||
|
throw new BadCredentialsException('The presented password must not be empty.');
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
$username = $this->ldap->escape($username, '', LDAP_ESCAPE_DN);
|
$username = $this->ldap->escape($username, '', LDAP_ESCAPE_DN);
|
||||||
$dn = str_replace('{username}', $username, $this->dnString);
|
$dn = str_replace('{username}', $username, $this->dnString);
|
||||||
|
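Review bot: The new guard on the `if ('' === $password)` line only rejects an exactly empty string; if `$token->getCredentials()` can yield null (for instance once a token's credentials have been erased), that null slips past the strict comparison and still reaches the bind call, which is the same unauthenticated-bind condition the commit sets out to close. Widening the check to `if (null === $password || '' === $password) {` covers both cases with the same exception and message, and the new `testEmptyPasswordShouldThrowAnException` in the test file could gain a sibling that passes `null` as the token credentials. The enclosing `checkAuthentication()` begins before this hunk and its bind call lies after it, so whether anything downstream already normalises null cannot be confirmed from here.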
@ -21,6 +21,23 @@ use Symfony\Component\Ldap\Exception\ConnectionException;
|
|||||||
*/
|
*/
|
||||||
class LdapBindAuthenticationProviderTest extends \PHPUnit_Framework_TestCase
|
class LdapBindAuthenticationProviderTest extends \PHPUnit_Framework_TestCase
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
|
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
|
||||||
|
* @expectedExceptionMessage The presented password must not be empty.
|
||||||
|
*/
|
||||||
|
public function testEmptyPasswordShouldThrowAnException()
|
||||||
|
{
|
||||||
|
$userProvider = $this->getMock('Symfony\Component\Security\Core\User\UserProviderInterface');
|
||||||
|
$ldap = $this->getMock('Symfony\Component\Ldap\LdapClientInterface');
|
||||||
|
$userChecker = $this->getMock('Symfony\Component\Security\Core\User\UserCheckerInterface');
|
||||||
|
|
||||||
|
$provider = new LdapBindAuthenticationProvider($userProvider, $userChecker, 'key', $ldap);
|
||||||
|
$reflection = new \ReflectionMethod($provider, 'checkAuthentication');
|
||||||
|
$reflection->setAccessible(true);
|
||||||
|
|
||||||
|
$reflection->invoke($provider, new User('foo', null), new UsernamePasswordToken('foo', '', 'key'));
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
|
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
|
||||||
* @expectedExceptionMessage The presented password is invalid.
|
* @expectedExceptionMessage The presented password is invalid.
|
||||||
@ -40,7 +57,7 @@ class LdapBindAuthenticationProviderTest extends \PHPUnit_Framework_TestCase
|
|||||||
$reflection = new \ReflectionMethod($provider, 'checkAuthentication');
|
$reflection = new \ReflectionMethod($provider, 'checkAuthentication');
|
||||||
$reflection->setAccessible(true);
|
$reflection->setAccessible(true);
|
||||||
|
|
||||||
$reflection->invoke($provider, new User('foo', null), new UsernamePasswordToken('foo', '', 'key'));
|
$reflection->invoke($provider, new User('foo', null), new UsernamePasswordToken('foo', 'bar', 'key'));
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testRetrieveUser()
|
public function testRetrieveUser()
|
||||||
|
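Review bot: `testEmptyPasswordShouldThrowAnException` verifies that the exception is raised but never asserts that no bind was attempted, which is the property the fix exists to guarantee; the plain mock of `LdapClientInterface` returns null from `bind()` without complaint, so the test would still pass if a later change moved the empty-password check after the bind. Adding `$ldap->expects($this->never())->method('bind');` immediately after the `$ldap` mock is created pins that down and documents the intent in the test itself. The class body continues past the hunk, as does the `testRetrieveUser` method whose signature appears on its last lines.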