
flask_simpleldap

    Timothy Allen authored
    There are two reasons one might call .bind_user(): you might want to
    connect to an LDAP server and perform operations on that user's behalf,
    or you might want to check whether a username and password pair are
    valid. Unfortunately, if you give the password as an empty string, many
    LDAP servers will grant you access as an anonymous user, regardless of
    the username you ask for, so just because .bind_user() accepts
    a username/password pair doesn't mean that's the correct password for
    that user.
    
    Therefore:
    
    - I've added a warning to the bind_user() docstring.
    - I've modified the `basic_auth_required()` decorator to guard against
      empty passwords.
    - I've modified the various code examples to guard against empty
      passwords.
    caed6e29
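
The empty-password behaviour the commit message describes, as an added example that is not code from flask_simpleldap or from the commit itself. `StubDirectory`, `naive_check`, `guarded_check` and the sample user are hypothetical, constructed names; the stub assumes a server that permits the unauthenticated simple bind of RFC 4513, section 5.1.2.

```python
class StubDirectory:
    """Constructed stand-in for an LDAP server that permits unauthenticated
    simple binds: a bind with a DN and an empty password succeeds, but the
    resulting session is anonymous, whatever DN was supplied."""

    def __init__(self, users):
        self._users = users  # dn -> password (constructed sample data)

    def simple_bind(self, dn, password):
        """Return the identity the session is authorised as, or raise."""
        if password == "":
            return "anonymous"  # the bind "succeeds" for any DN
        if self._users.get(dn) == password:
            return dn
        raise PermissionError("invalidCredentials")


def naive_check(directory, dn, password):
    """Treats 'the bind did not fail' as 'the password is correct'."""
    try:
        directory.simple_bind(dn, password)
        return True
    except PermissionError:
        return False


def guarded_check(directory, dn, password):
    """Rejects missing or empty credentials before contacting the directory,
    and only accepts a bind that is authorised as the requested DN."""
    if not dn or not password:
        return False
    try:
        return directory.simple_bind(dn, password) == dn
    except PermissionError:
        return False


ALICE = "uid=alice,dc=example,dc=org"  # constructed sample entry
DIRECTORY = StubDirectory({ALICE: "correct horse"})

if __name__ == "__main__":
    for pw in ("correct horse", "wrong", ""):
        print(repr(pw), naive_check(DIRECTORY, ALICE, pw),
              guarded_check(DIRECTORY, ALICE, pw))
```
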