From 93821de42955eeaa3040f580abd384b3b05e8f16 Mon Sep 17 00:00:00 2001
From: Jaime Perez Crespo <jaime.perez@uninett.no>
Date: Thu, 21 Apr 2016 09:11:32 +0200
Subject: [PATCH] In the LDAP class, the password should only be escaped if
 it's not null, so that we don't try to bind with an empty password if none
 was provided. This fixes #366 and closes #370.

---
 lib/SimpleSAML/Auth/LDAP.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/SimpleSAML/Auth/LDAP.php b/lib/SimpleSAML/Auth/LDAP.php
index b106079f8..3a3679d7e 100644
--- a/lib/SimpleSAML/Auth/LDAP.php
+++ b/lib/SimpleSAML/Auth/LDAP.php
@@ -605,7 +605,6 @@ class SimpleSAML_Auth_LDAP {
          * These characters are escaped by prefixing them with '\'.
          */
         $username = addcslashes($username, ',+"\\<>;*');
-        $password = addcslashes($password, ',+"\\<>;*');
 
         if (isset($config['priv_user_dn'])) {
             $this->bind($config['priv_user_dn'], $config['priv_user_pw']);
@@ -617,6 +616,8 @@ class SimpleSAML_Auth_LDAP {
         }
 
         if ($password !== null) { // checking users credentials ... assuming below that she may read her own attributes ...
+            // escape characters with a special meaning, also in the password
+            $password = addcslashes($password, ',+"\\<>;*');
             if (!$this->bind($dn, $password)) {
                 SimpleSAML\Logger::info('Library - LDAP validate(): Failed to authenticate \''. $username . '\' using DN \'' . $dn . '\'');
                 return FALSE;
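Review bot: The guard `if ($password !== null)` on the line above still lets an empty string through, so `$this->bind($dn, '')` remains reachable even though the commit message describes avoiding a bind with an empty password; in LDAP a simple bind with a DN and an empty password is an unauthenticated bind that many directory servers accept, so unless bind() (not shown in this hunk) rejects empty passwords itself, validate() could return true without the credential ever being checked. Tightening the condition to `if ($password !== null && $password !== '') {` closes that path independently of how bind() behaves. Separately, and pre-existing rather than introduced here, running addcslashes() on the password before bind() alters the credential itself: the bind password is an opaque octet string that the server does not parse for `,+"\<>;*`, so a user whose real password contains one of those characters is likely to fail authentication, and the new comment should say that this intentionally transforms the password rather than implying those characters are special in it. The enclosing validate() body starts and ends outside this hunk.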
-- 
GitLab