
LDAP password with '<' doesn't work

Open Nachtlichtermeer opened this issue 2 years ago • 1 comments

Steps to reproduce

  1. set pw of test-user in LDAP with '<'
  2. Configure LDAP in Teampass
  3. Try Login at startpage or LDAP-Config-Page

Expected behaviour

Login should work

Actual behaviour

Login at startpage and test at LDAP-Config-Page don't work if the LDAP-PW has '<' inside. A local user with the same password works.

Server configuration

Operating system: Ubuntu 20.04

Web server: Apache 2.4.41

Database: MySQL 8.0.29

PHP version: 7.4.3

Teampass version: 3.0.0.18

Nachtlichtermeer, Jun 08 '22 09:06

I also faced this. I found the problem line here:

$userCredentials = identifyGetUserCredentials(
    $SETTINGS,
    (string) $server['PHP_AUTH_USER'],
    (string) $server['PHP_AUTH_PW'],
    (string) filter_var($dataReceived['pw'], FILTER_SANITIZE_STRING),
    (string) filter_var($dataReceived['login'], FILTER_SANITIZE_STRING)
);

The fourth parameter (the user-provided password) was filtered using FILTER_SANITIZE_STRING, which encodes < > and quotes.

I don't know why we need to encode tags in the user password, because it will never be shown.

Maybe we don't need to filter_var the password? Because a password can contain any character.

fuale, Jun 13 '22 13:06
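The mismatch discussed in this thread, as an added example that is not TeamPass code and not written by either poster: a password passed through `FILTER_SANITIZE_STRING` no longer matches what the backend stores, while the same password taken as opaque bytes does. The function names, the sample passwords and the 1024-byte limit are assumptions, `password_verify` stands in for the LDAP bind, and the script assumes PHP 7.4 to 8.x, where the filter still exists.

```php
<?php
declare(strict_types=1);

// Constructed sample passwords (not taken from the issue).
$samples = ['Sommer<2022!', 'pa"ss\'word', 'plain-Passw0rd'];

/** Intake as in the quoted call: the password goes through an HTML-oriented sanitizer. */
function passwordAsSanitized(string $raw): string
{
    // FILTER_SANITIZE_STRING is deprecated since PHP 8.1; @ silences that notice.
    return (string) @filter_var($raw, FILTER_SANITIZE_STRING);
}

/** Hypothetical replacement: keep the bytes unchanged, only reject unusable input. */
function passwordAsOpaque($raw): ?string
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 1024) {
        return null; // 1024 bytes is an assumed upper bound
    }
    if (strpos($raw, "\0") !== false) {
        return null; // a NUL byte would be cut off by C-based backends
    }
    return $raw;
}

/** Stand-in for the directory's credential check (ldap_bind in the real flow). */
function backendAccepts(string $stored, string $candidate): bool
{
    return password_verify($candidate, $stored);
}

/** Runs one password through both intake paths against the same stored secret. */
function compareIntake(string $password): array
{
    $stored    = password_hash($password, PASSWORD_DEFAULT);
    $sanitized = passwordAsSanitized($password);
    $opaque    = passwordAsOpaque($password);
    return [
        'sanitized_value' => $sanitized,
        'sanitized_ok'    => backendAccepts($stored, $sanitized),
        'opaque_ok'       => $opaque !== null && backendAccepts($stored, $opaque),
    ];
}

foreach ($samples as $pw) {
    $r = compareIntake($pw);
    printf("%-16s -> %-20s sanitized_ok=%-5s opaque_ok=%s\n", $pw, $r['sanitized_value'],
        var_export($r['sanitized_ok'], true), var_export($r['opaque_ok'], true));
}
```

Escaping for HTML belongs at the point where a value is rendered, which is why the opaque path applies none.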