Fixed issue with blank password with Ldap
The bind operation of LDAP, as described in RFC 4513, provides a method which allows for authentication of users. For the Simple Authentication Method a user may use the anonymous authentication mechanism, the unauthenticated authentication mechanism, or the name/password authentication mechanism. The unauthenticated authentication mechanism is used when a client who desires to establish an anonymous authorization state passes a non-zero length distinguished name and a zero length password. Most LDAP servers either can be configured to allow this mechanism or allow it by default. _Web-based applications which perform the simple bind operation with the client's credentials are at risk when an anonymous authorization state is established. This can occur when the web-based application passes a distinguished name and a zero length password to the LDAP server._ Thus, misconfiguring a server with simple bind can trick Symfony into thinking the username/password tuple as valid, potentially leading to unauthorized access.
This commit is contained in:
Charles Sarrazin
Fabien Potencier
parent
27c122e0ca
commit
c7d9c62c79
@ -73,6 +73,10 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider
|
||||
$username = $token->getUsername();
|
||||
$password = $token->getCredentials();
|
||||
|
||||
if ('' === $password) {
|
||||
throw new BadCredentialsException('The presented password must not be empty.');
|
||||
}
|
||||
|
||||
try {
|
||||
$username = $this->ldap->escape($username, '', LDAP_ESCAPE_DN);
|
||||
$dn = str_replace('{username}', $username, $this->dnString);
|
||||
|
||||
@ -21,6 +21,23 @@ use Symfony\Component\Ldap\Exception\ConnectionException;
|
||||
*/
|
||||
class LdapBindAuthenticationProviderTest extends \PHPUnit_Framework_TestCase
|
||||
{
|
||||
/**
|
||||
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
|
||||
* @expectedExceptionMessage The presented password must not be empty.
|
||||
*/
|
||||
public function testEmptyPasswordShouldThrowAnException()
|
||||
{
|
||||
$userProvider = $this->getMock('Symfony\Component\Security\Core\User\UserProviderInterface');
|
||||
$ldap = $this->getMock('Symfony\Component\Ldap\LdapClientInterface');
|
||||
$userChecker = $this->getMock('Symfony\Component\Security\Core\User\UserCheckerInterface');
|
||||
|
||||
$provider = new LdapBindAuthenticationProvider($userProvider, $userChecker, 'key', $ldap);
|
||||
$reflection = new \ReflectionMethod($provider, 'checkAuthentication');
|
||||
$reflection->setAccessible(true);
|
||||
|
||||
$reflection->invoke($provider, new User('foo', null), new UsernamePasswordToken('foo', '', 'key'));
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
|
||||
* @expectedExceptionMessage The presented password is invalid.
|
||||
@ -40,7 +57,7 @@ class LdapBindAuthenticationProviderTest extends \PHPUnit_Framework_TestCase
|
||||
$reflection = new \ReflectionMethod($provider, 'checkAuthentication');
|
||||
$reflection->setAccessible(true);
|
||||
|
||||
$reflection->invoke($provider, new User('foo', null), new UsernamePasswordToken('foo', '', 'key'));
|
||||
$reflection->invoke($provider, new User('foo', null), new UsernamePasswordToken('foo', 'bar', 'key'));
|
||||
}
|
||||
|
||||
public function testRetrieveUser()
|
||||
|
||||
Reference in New Issue
Block a user