In the LDAP class, the password should only be escaped if it's not null, so...

In the LDAP class, the password should only be escaped if it's not null, so that we don't try to bind with an empty password if none was provided. This fixes #366 and closes #370.

In the LDAP class, the password should only be escaped if it's not null, so...
93821de4 · Jaime Perez Crespo · 3d32ff6d · 93821de4
Commit 93821de4 authored 9 years ago by Jaime Perez Crespo
--- a/lib/SimpleSAML/Auth/LDAP.php
+++ b/lib/SimpleSAML/Auth/LDAP.php
@@ -605,7 +605,6 @@ class SimpleSAML_Auth_LDAP {
         * These characters are escaped by prefixing them with '\'.
         */
        $username = addcslashes($username, ',+"\\<>;*');
-        $password = addcslashes($password, ',+"\\<>;*');
        if (isset($config['priv_user_dn'])) {
            $this->bind($config['priv_user_dn'], $config['priv_user_pw']);
@@ -617,6 +616,8 @@ class SimpleSAML_Auth_LDAP {
        }
        if ($password !== null) { // checking users credentials ... assuming below that she may read her own attributes ...
+            // escape characters with a special meaning, also in the password
+            $password = addcslashes($password, ',+"\\<>;*');
            if (!$this->bind($dn, $password)) {
                SimpleSAML\Logger::info('Library - LDAP validate(): Failed to authenticate \''. $username . '\' using DN \'' . $dn . '\'');
                return FALSE;