
Rebind with empty password could lead to a potential security issue #393

Closed
dmanchon opened this issue Aug 2, 2017 · 3 comments

Comments

@dmanchon

dmanchon commented Aug 2, 2017

Problem: Rebind is making this comparison to validate input data:

# condition in rebind(): false for '' as well as for None, so the stored password is left unchanged
if password:
    self.password = password

That condition is false in the case of password = '', so the old value of the object will be kept in that case, including the case where the bind was correct.

This is a potential security hole, since a correct bind followed by a rebind with empty password will complete the binding correctly.

I have changed the way the password is checked to only check if None.
#392
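The behaviour described in this issue, as an added illustration that is not part of the issue or of ldap3's own code: a minimal connection model whose rebind keeps the stored password whenever the new value is falsy, beside one that only keeps it when the new value is None. The Connection class, the directory and the credentials are constructed for the example.

```python
# Added illustration (not ldap3's own code): a toy connection whose rebind()
# either replaces the stored password only when the new value is truthy
# (the check reported in the issue) or whenever it is not None (the fix).
# The directory and credentials below are constructed for the example.

from typing import Optional, Tuple

# Constructed sample directory: DN -> password that the toy "server" accepts.
SAMPLE_DIRECTORY = {
    "cn=alice,dc=example,dc=com": "correct-horse",
}


def server_bind(user: Optional[str], password: Optional[str]) -> bool:
    """Toy simple-bind check: succeeds only for a known DN and its password.

    An empty password is refused here; a real directory may treat it as an
    unauthenticated bind instead, which this model does not cover.
    """
    if not user or not password:
        return False
    return SAMPLE_DIRECTORY.get(user) == password


class Connection:
    """Minimal stand-in for a client connection holding bind credentials."""

    def __init__(self, user: Optional[str], password: Optional[str]) -> None:
        self.user = user
        self.password = password
        self.bound = False

    def bind(self) -> bool:
        self.bound = server_bind(self.user, self.password)
        return self.bound

    def rebind_truthy_check(self, user: Optional[str] = None,
                            password: Optional[str] = None) -> bool:
        # The check the issue reports: '' is falsy, so the previously stored
        # (and already validated) password is silently reused.
        if user:
            self.user = user
        if password:
            self.password = password
        return self.bind()

    def rebind_none_check(self, user: Optional[str] = None,
                          password: Optional[str] = None) -> bool:
        # The fix described in the issue: only None means "keep the old value",
        # so an empty string is actually sent to the server and rejected.
        if user is not None:
            self.user = user
        if password is not None:
            self.password = password
        return self.bind()


def demo() -> Tuple[bool, bool]:
    """Bind correctly, then rebind with an empty password under both checks.

    Returns (result_with_truthy_check, result_with_none_check).
    """
    dn = "cn=alice,dc=example,dc=com"

    vulnerable = Connection(dn, "correct-horse")
    assert vulnerable.bind()
    truthy_result = vulnerable.rebind_truthy_check(password="")  # True: old password kept

    fixed = Connection(dn, "correct-horse")
    assert fixed.bind()
    none_result = fixed.rebind_none_check(password="")  # False: '' is sent and refused

    return truthy_result, none_result


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(True, False)`: under the truthy check the empty-password rebind "succeeds" only because the earlier, valid password was never replaced, which is exactly the condition the issue describes.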

@cannatag
Owner

cannatag commented Aug 2, 2017

Thanks, will include your fix in the next release of ldap3.

@dmanchon
Author

dmanchon commented Aug 2, 2017

Thanks a lot @cannatag

@cannatag
Owner

Fixed in v2.4
