Trailing and leading whitespaces in user cn


Dario Vinella

Feb 21, 2012, 8:29:19 AM
to django-auth-ldap
Hi,
I discovered a strange behavior using django-auth-ldap in my project
when a user who is trying to log in appends or prepends a whitespace
to the username (which is registered without any whitespace). The LDAP
backend grants authentication to this user, but I can see multiple
profile rows in the profiles table: one without the spaces and one with
them.
If I try to authenticate with the users "foobar", "foobar " and "
foobar", I get three successful logins and three populated profile
rows.
The db-based ModelBackend correctly denies access to " foobar" and
"foobar " instead.
I'm using the builtin django.contrib.auth.views.login, so I'm not
performing any custom validation or strip() on strings passed by the
form, and I'm using direct binding with
AUTH_LDAP_USER_DN_TEMPLATE = 'cn=%(user)s,ou=users,dc=mysite,dc=gtld'

I don't know if it is a real bug or works as expected, and if it is
related to django-auth-ldap or to python-ldap, so I'm asking if
someone has seen this before.

Dario

Peter Sagerson

Feb 21, 2012, 7:18:59 PM
to django-a...@googlegroups.com
This isn't surprising. LDAP has some flexible rules for matching strings and particularly DNs, so the mapping isn't always going to be one-to-one. We already make an attempt to negotiate case-sensitivity between the two; it would probably be reasonable to handle leading and trailing whitespace as well. Either way, it's probably a good idea to wrap django.contrib.auth.views.login and sanitize the input in a way that makes sense for your deployment.

Thanks

Dario Vinella

Feb 22, 2012, 4:39:08 AM
to django-a...@googlegroups.com
Thank you Peter, I'll wrap the builtin login view. Maybe a little warning should be added to the docs for users that try to use the view without modifications, to avoid the pollution of the profiles table, but also possible problems with everything that relies on request.user (since it continues to return the string with whitespaces through the whole session).

Dario
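The sanitising wrapper Peter suggests, together with the duplicate-profile symptom Dario describes (three spellings of "foobar" becoming three profile rows, and request.user carrying the padded string for the whole session), as an added example that is not code from the thread or from django-auth-ldap. It is plain Python with the profiles table simulated in memory; normalize_username, FakeProfileTable and login_attempts are names chosen here.

```python
# Added example: canonicalise the username before any backend sees it, and
# show why that matters. Standard library only; the profile table below is
# a constructed stand-in, not Django's ORM.

import unicodedata


def normalize_username(raw: str) -> str:
    """Return the canonical form of a submitted username.

    - strips leading and trailing whitespace (the variants in the thread),
    - collapses internal runs of whitespace to a single space, since LDAP
      string matching treats such spaces as insignificant as well,
    - applies NFKC so visually identical inputs compare equal,
    - lower-cases, mirroring the case-insensitive matching LDAP applies.
    """
    name = unicodedata.normalize("NFKC", raw)
    name = " ".join(name.split())
    return name.lower()


class FakeProfileTable:
    """Stand-in for the profiles table: one row per distinct username string.

    This models the get_or_create behaviour that produced the extra rows
    Dario saw; the rows dict is keyed by the exact string that reached it.
    """

    def __init__(self):
        self.rows = {}

    def get_or_create(self, username):
        created = username not in self.rows
        self.rows.setdefault(username, {"username": username})
        return self.rows[username], created


def login_attempts(attempts, sanitize):
    """Simulate a series of successful LDAP logins.

    The thread reports that the bind succeeds for "foobar", "foobar " and
    " foobar" alike, so every attempt is treated as authenticated here.
    Returns the number of profile rows that exist afterwards: without
    sanitising, each spelling becomes its own row; with sanitising, the
    three spellings share one row and one username value for the session.
    """
    profiles = FakeProfileTable()
    for raw in attempts:
        username = normalize_username(raw) if sanitize else raw
        profiles.get_or_create(username)
    return len(profiles.rows)


def find_polluted_profiles(usernames):
    """Detection helper for an existing deployment: report stored usernames
    that are not already in canonical form, so duplicates can be merged."""
    return [u for u in usernames if u != normalize_username(u)]


if __name__ == "__main__":
    attempts = ["foobar", "foobar ", " foobar"]
    print("rows without sanitising:", login_attempts(attempts, sanitize=False))
    print("rows with sanitising:   ", login_attempts(attempts, sanitize=True))
    print("polluted:", find_polluted_profiles(["foobar", "foobar ", " foobar"]))
```

In a Django project the same function belongs in clean_username() of an AuthenticationForm subclass, handed to django.contrib.auth.views.login through its authentication_form argument, so that the backend lookup and request.user both see the canonical string rather than the raw form input. The find_polluted_profiles check is the defender's complement: run it over the existing profiles table to find rows that were created from padded input before the wrapper was in place.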

Peter Sagerson

Mar 7, 2012, 2:15:02 AM
to django-a...@googlegroups.com
I actually added this to the latest version, along with another fix. Technically, it's probably still a good idea to sanitize usernames in the login view, since it's not really particular to one backend. Thanks for the report.

Peter
