zend-ldap icon indicating copy to clipboard operation
zend-ldap copied to clipboard

Published 20 hours ago verified publisher icon zendframework

Ldap::addAttributes() fails without throwing if bind() has not been called

Open mbaynton opened this issue 7 years ago • 4 comments

This one is bad. Other methods that require an ldap bind to have been made, like Ldap::search(), check if the connection is already bound and call Ldap::bind() if not, so users may be accustomed to skipping calling Ldap::bind() directly in user code. However, Ldap::addAttributes() does not do this, so if the Ldap instance doesn't already have a bound connection, we end up calling ldap_mod_add() with null as the ldap resource. Obviously, that doesn't work, but worse, ldap_mod_add returns null, not false, when it is given a null resource, and we only throw an exception if it returns false. So calling code gets no indication that something is wrong.

#68 and #73 as currently written are also subject to this bug.

I'll submit two PRs for this, one with only new tests that cover this case, and one with tests plus fix.

mbaynton avatar Nov 02 '17 16:11 mbaynton

@heiglandreas current tests pass because they check that ldap_mod_add() is being passed null?!?

https://github.com/zendframework/zend-ldap/blob/0234654ce6c300d3e59f7ce752d2895a7e6e673a/test/OfflineTest.php#L200

That should never be. Please advise how you'd like to proceed. You've not approved of any changes to existing tests in the past.

mbaynton avatar Nov 02 '17 17:11 mbaynton

thanks for noting and raising that issue! And I'd rather see that ldap_mod_add behaves the same as all the other methods and tries to bind when no connection is available.

I'm not yet sure how to handle that test but I'll check that today. Perhaps adding a new test for the fixed (right) behaviour and mark the current test as incomplete or skipped.

heiglandreas avatar Nov 03 '17 09:11 heiglandreas

updateAttributes and deleteAttributes are also affected fwiw. I have subclassed Zend\Ldap locally to fix this for me anyways for now as I'm unsure what an acceptable patch would look like due to the broken existing test and @heiglandreas has assigned this to him as well.

mbaynton avatar May 23 '19 20:05 mbaynton

This repository has been closed and moved to laminas/laminas-ldap; a new issue has been opened at https://github.com/laminas/laminas-ldap/issues/2.

weierophinney avatar Dec 31 '19 21:12 weierophinney