Monotone-Parent: d5dbf6c86849866efb9716dfc2cb95e3cf7ddd10

Monotone-Revision: bfde73f3a606ca04b49de7e953499331afc075af Monotone-Author: wsourdeau@inverse.ca Monotone-Date: 2007-02-05T22:03:01 Monotone-Branch: ca.inverse.sogo
2026-04-22 21:39:28 +00:00 · 2007-02-05 22:03:01 +00:00
parent d6a6433735
commit 3cc085ebc7
2 changed files with 14 additions and 3 deletions
--- a/6
+++ b/6
@@ -1,5 +1,11 @@
 2007-02-05  Wolfgang Sourdeau  <wsourdeau@inverse.ca>

+	* SoObjects/SOGo/SOGoAuthenticator.m ([SOGoAuthenticator
+	-checkLogin:_loginpassword:_pwd]): fixed a bug where a wrong
+	password would be accepted anyway as long as its length was > 0.
+	This can be the case ONLY when LDAP is disabled otherwise we have
+	a serious security issue...
+
 	* SoObjects/Appointments/SOGoAppointmentObject.m
 	([SOGoAppointmentObject -roleOfUser:logininContext:context]): if a
 	user is not an organizer nor a participant, he is declared as
--- a/SoObjects/SOGo/SOGoAuthenticator.m
+++ b/SoObjects/SOGo/SOGoAuthenticator.m
@@ -72,11 +72,16 @@ static SOGoAuthenticator *auth = nil;
 - (BOOL) checkLogin: (NSString *) _login
 	   password: (NSString *) _pwd
 {
+  BOOL accept;
+
+  if ([authMethod isEqualToString: @"LDAP"])
+    accept = [self LDAPCheckLogin: _login password: _pwd];
+  else
+    accept = ([_login length] > 0);
+
  return (([_login isEqualToString: @"freebusy"]
           && [_pwd isEqualToString: @"freebusy"])
-          || ([authMethod isEqualToString: @"LDAP"]
-              && [self LDAPCheckLogin: _login password: _pwd])
-          || [_login length] > 0);
+          || accept);
 }

 - (BOOL) LDAPCheckLogin: (NSString *) _login