Don't create a user account every time a username with an apostrophe successfully authenticates using LDAP #160

Open


@proofek
proofek commented Mar 28, 2013
  • decode HTML entities in username
  • escape slashes when querying for existing users
@proofek proofek Don't create a user account every time a username with an apostrophe successfully authenticates using LDAP

* decode HTML entities in username
* escape slashes when querying for existing users
6f01994
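The failure mode behind this PR, as an added example that is not SugarCRM's code: an LDAP username containing an apostrophe arrives in the authentication path already HTML-entity-encoded (`O&#039;Brien` instead of `O'Brien`), so the "does this user already exist" SELECT never matches the stored row and a fresh account is created on every login. The snippet contrasts the raw lookup with one that decodes the entities first and lets the driver bind the value. `$GLOBALS['db']` is replaced by a PDO handle on an in-memory SQLite table, the seeded row is constructed for the example, and the assumption that upstream input filtering is what entity-encodes the name is mine, not stated on the page.

```php
<?php
// Added example, not SugarCRM code. PDO + SQLite stand in for Sugar's DB layer;
// the users row below is constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id TEXT, user_name TEXT, status TEXT, deleted INTEGER)");
// The account that LDAP already authenticated on an earlier login ('' is an SQL-escaped apostrophe).
$pdo->exec("INSERT INTO users VALUES ('seed-1', 'O''Brien', 'Active', 0)");

// Assumption: the request pipeline has run htmlentities-style encoding on the
// submitted username before LDAPAuthenticateUser sees it.
$encodedName = "O&#039;Brien";

// Before: the still-encoded name is interpolated straight into the SQL string.
// It does not match the stored 'O'Brien', so the caller treats the user as new.
// (String interpolation also leaves the query open to injection via $name.)
function lookupRaw(PDO $pdo, string $name): ?array
{
    $sql = "SELECT id, status FROM users WHERE user_name='" . $name . "' AND deleted = 0";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// After: decode the entities so the comparison value is the real username, then
// bind it as a parameter instead of hand-escaping with addslashes().
function lookupSafe(PDO $pdo, string $name): ?array
{
    // ENT_QUOTES is required, otherwise &#039; (the apostrophe) is left encoded.
    $decoded = html_entity_decode($name, ENT_QUOTES, 'UTF-8');
    $stmt = $pdo->prepare("SELECT id, status FROM users WHERE user_name = :name AND deleted = 0");
    $stmt->execute([':name' => $decoded]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

var_dump(lookupRaw($pdo, $encodedName));
var_dump(lookupSafe($pdo, $encodedName));
```

Run it with the `pdo_sqlite` extension enabled: the first call returns `NULL` (no row matched, which is the point at which Sugar would create a duplicate account), the second returns the seeded row. Binding the parameter rather than calling `addslashes()` keeps the escaping correct on whichever backend the DB layer is talking to, which is the same concern the `$db->quote()` suggestion in the review below raises.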
@proofek
proofek commented Mar 28, 2013

Please also see the bug raised in Sugar QA database: http://www.sugarcrm.com/support/bugs.html#issue_62290

@RobertGonzalez RobertGonzalez commented on the diff Mar 28, 2013
...hentication/LDAPAuthenticate/LDAPAuthenticateUser.php
ldap_close($ldapconn);
- $dbresult = $GLOBALS['db']->query("SELECT id, status FROM users WHERE user_name='" . $name . "' AND deleted = 0");
+
+ $dbName = addslashes($name);
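Review bot: `addslashes()` at `+ $dbName = addslashes($name);` is not a database-aware escape; it backslash-escapes `'`, `"`, `\` and NUL, which happens to suit MySQL's default quoting but is not what every backend the DB abstraction layer supports expects, so the lookup can still go wrong on other databases. Prefer the layer's own quoting (the `$GLOBALS['db']->quote()` call suggested in the discussion) or a bound parameter, applied at the point the replacement SELECT is built. The removed line `- $dbresult = $GLOBALS['db']->query("SELECT id, status FROM users WHERE user_name='" . $name . "' AND deleted = 0");` interpolated `$name` directly into the SQL string; the hunk as shown does not include the new query, so please confirm the escaped `$dbName` is what ends up in it and that `$name` is not used raw anywhere else in this function.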
@RobertGonzalez
RobertGonzalez Mar 28, 2013

Would a call to $db->quote($name) be better here than a straight addslashes() call?

@proofek
proofek Mar 28, 2013

Yeah, we tried that, but for some reason it didn't work!

@Sugared
Sugared commented May 26, 2013

Hi proofek,

Thanks for submitting your fix. Looks good and we'd like to use it. I see you have the bug filed already and linked back to this PR which is great! Have you had a chance to review and sign our contribution agreement ( http://www.sugarforge.org/content/community/participate/agreement.html )?

If you could print, sign, scan and email back to me at eddy@sugarcrm.com then we can pull in your fix.

Thanks again!
