Skip to content
  1. Apr 11, 2017
  2. Dec 20, 2016
  3. Dec 18, 2016
  4. Sep 08, 2016
  5. Jun 08, 2016
  6. Jun 06, 2016
  7. Jun 05, 2016
  8. Jan 04, 2016
  9. Sep 05, 2015
  10. Sep 01, 2015
  11. Aug 27, 2015
  12. Aug 21, 2015
  13. Jan 22, 2015
  14. Jan 18, 2015
    • Timothy Allen's avatar
      Only trust .bind_user() with a non-empty password. · caed6e29
      Timothy Allen authored
      There are two reasons one migh call .bind_user(): you might want to
      connect to an LDAP server and perform operations on that user's behalf,
      or you might want to check whether a username and password pair are
      valid. Unfortunately, if you give the password as an empty string, many
      LDAP servers will grant you access as an anonymous user, regardless of
      the username you ask for, so just because .bind_user() accepts
      a username/password pair doesn't mean that's the correct password for
      that user.
      
      Therefore:
      
      - I've added a warning to the bind_user() docstring.
      - I've modified the `basic_auth_required()` decorator to guard against
        empty passwords.
      - I've modified the various code examples to guard against empty
        passwords.
      caed6e29
  15. Jan 06, 2015
  16. Dec 07, 2014
  17. Nov 24, 2014
  18. Nov 23, 2014
Loading