Skip to content
  1. Jan 04, 2016
  2. Sep 05, 2015
  3. Sep 01, 2015
  4. Aug 27, 2015
  5. Aug 21, 2015
  6. Jan 22, 2015
  7. Jan 18, 2015
    • Timothy Allen's avatar
      Only trust .bind_user() with a non-empty password. · caed6e29
      Timothy Allen authored
      There are two reasons one migh call .bind_user(): you might want to
      connect to an LDAP server and perform operations on that user's behalf,
      or you might want to check whether a username and password pair are
      valid. Unfortunately, if you give the password as an empty string, many
      LDAP servers will grant you access as an anonymous user, regardless of
      the username you ask for, so just because .bind_user() accepts
      a username/password pair doesn't mean that's the correct password for
      that user.
      
      Therefore:
      
      - I've added a warning to the bind_user() docstring.
      - I've modified the `basic_auth_required()` decorator to guard against
        empty passwords.
      - I've modified the various code examples to guard against empty
        passwords.
      caed6e29
  8. Jan 06, 2015
  9. Dec 07, 2014
  10. Nov 24, 2014
  11. Nov 23, 2014
  12. Nov 19, 2014
  13. Sep 06, 2014
  14. Aug 21, 2014
  15. Aug 19, 2014
  16. Aug 15, 2014
  17. Aug 14, 2014
  18. Aug 10, 2014
Loading