#5 Password with Quotes

open-later
nobody
None
5
2012-02-02
2011-10-12
Andy Smith
No

We have had an issue with users using LDAP authentication not being able to log in with single or double quotes. It appears that the quotes arrive at the AuthenticateUser function escaped. Our solution is to replace the escaped quotes:

<code>
// Single and double quotes come through escaped. Fix with string replace.
$password = str_replace('\"', '"', str_replace("\'", "'", $password));
</code>

at line 41 of or-authenticate.php.

Not sure it is the best solution. Is there a better way?

Discussion

  • Robert Seaton
    2012-02-02

    Thanks for reporting this. Can you tell me what version of OpenRoom you were using when you found this? I haven't been able to reproduce the error on my side. There is a somewhat related bug #2248376 with a fix that may have resolved this issue, but I'm not terribly sure. Your str_replace fix should work fine, but you could also use a function such as stripslashes() assuming it's escaping more than just quotes (for example, other slashes).

    If the encodeURIComponent fix mentioned in bug #2248376 hasn't been implemented in your version, you may want to try that and see if it works.

    I'll leave this bug open for now, but I'll wait to hear from you to see if this is an isolated case or just from an old version before I add a fix for 1.4.

     
  • Robert Seaton
    2012-02-02

    • status: open --> open-later
     
  • Andy Smith
    2012-03-08

    This occurred with a fresh download for version 1.3 at the time. I'll try version 1.4 to see if it still happens for me.

    Thanks!
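
The two fixes discussed in this thread, compared side by side in an added example that is not OpenRoom code. It assumes the password reaches AuthenticateUser escaped addslashes-style (simulated here with addslashes()); the function name unescape_quotes_only and the sample passwords are constructed for illustration.

```php
<?php
// Added example, not OpenRoom code.
// Assumption: the login input was escaped addslashes-style before it reached
// AuthenticateUser; addslashes() simulates that escaping here.

// The workaround from the ticket: undo the escaping of quotes only.
// (Hypothetical helper name.)
function unescape_quotes_only($password) {
    return str_replace('\"', '"', str_replace("\'", "'", $password));
}

// Constructed sample passwords: quotes, a backslash, and both together.
$samples = array('pa"ss', "o'neil", 'back\\slash', 'mix\\"ed');

foreach ($samples as $original) {
    $received   = addslashes($original);            // what the function would see
    $viaReplace = unescape_quotes_only($received);  // ticket workaround
    $viaStrip   = stripslashes($received);          // suggestion from the reply

    printf(
        "%-12s received=%-14s str_replace=%-6s stripslashes=%s\n",
        $original,
        $received,
        $viaReplace === $original ? 'ok' : 'WRONG',
        $viaStrip === $original ? 'ok' : 'WRONG'
    );
}

// stripslashes() is only correct when the input really was escaped.
// Applied to a password that arrived unescaped, it drops the backslash,
// so the value sent to LDAP no longer matches what the user typed.
$unescaped = 'back\\slash';
printf(
    "unescaped input preserved by stripslashes: %s\n",
    stripslashes($unescaped) === $unescaped ? 'yes' : 'no'
);
```

Under that assumption, the quotes-only replacement leaves passwords containing a backslash altered, while stripslashes() restores them; either fix should be applied only on the code path where the escaping is known to happen.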