From 3cc085ebc7d8e28c4b52b2b3a02c4a84c51edab9 Mon Sep 17 00:00:00 2001
From: Wolfgang Sourdeau
Date: Mon, 5 Feb 2007 22:03:01 +0000
Subject: [PATCH] Monotone-Parent: d5dbf6c86849866efb9716dfc2cb95e3cf7ddd10
Monotone-Revision: bfde73f3a606ca04b49de7e953499331afc075af
Monotone-Author: wsourdeau@inverse.ca
Monotone-Date: 2007-02-05T22:03:01
Monotone-Branch: ca.inverse.sogo
---
 ChangeLog | 6 ++++++
 SoObjects/SOGo/SOGoAuthenticator.m | 11 ++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index c0499a61d..68a071c6e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 2007-02-05 Wolfgang Sourdeau
+ * SoObjects/SOGo/SOGoAuthenticator.m ([SOGoAuthenticator
+ -checkLogin:_loginpassword:_pwd]): fixed a bug where a wrong
+ password would be accepted anyway as long as its length was > 0.
+ This can be the case ONLY when LDAP is disabled otherwise we have
+ a serious security issue...
+
 * SoObjects/Appointments/SOGoAppointmentObject.m ([SOGoAppointmentObject -roleOfUser:logininContext:context]): if a user is not an organizer nor a participant, he is declared as
diff --git a/SoObjects/SOGo/SOGoAuthenticator.m b/SoObjects/SOGo/SOGoAuthenticator.m
index a44d55325..18c00d272 100644
--- a/SoObjects/SOGo/SOGoAuthenticator.m
+++ b/SoObjects/SOGo/SOGoAuthenticator.m
@@ -72,11 +72,16 @@ static SOGoAuthenticator *auth = nil;
 - (BOOL) checkLogin: (NSString *) _login password: (NSString *) _pwd
 {
+ BOOL accept;
+
+ if ([authMethod isEqualToString: @"LDAP"])
+ accept = [self LDAPCheckLogin: _login password: _pwd];
+ else
+ accept = ([_login length] > 0);
+
 return (([_login isEqualToString: @"freebusy"]
 && [_pwd isEqualToString: @"freebusy"])
- || ([authMethod isEqualToString: @"LDAP"] && [self LDAPCheckLogin: _login password: _pwd])
- || [_login length] > 0);
+ || accept);
 }
 - (BOOL) LDAPCheckLogin: (NSString *) _login
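Review bot: In the new `else` branch of checkLogin:password:, `accept = ([_login length] > 0)` still never looks at `_pwd`, and that branch is also reached whenever `authMethod` is nil, unset or written differently from `@"LDAP"` (the comparison is case-sensitive, and messaging nil returns NO), so a missing or misspelled auth method fails open instead of closed. Unless password-less login is a deliberate, explicitly configured mode, the fallback should be `else accept = NO;` with a comment such as `// fail closed: only LDAP performs a real credential check`, and the no-auth mode should require its own explicit `authMethod` value rather than being what everything else degrades to. The unchanged return line still grants a session for the constant `freebusy`/`freebusy` pair independently of `authMethod`; if that account is needed for free-busy lookups it should at least be confined to that resource and its secret read from configuration rather than a string literal. I would also add a doc comment on the method stating that YES means the credentials were verified by the configured backend, so the non-LDAP branch is not mistaken for a validated login.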