Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Require explicit intention for empty password. #126

Merged
merged 1 commit into from
Aug 24, 2017
Merged

Require explicit intention for empty password. #126

merged 1 commit into from
Aug 24, 2017

Conversation

tiziano88
Copy link
Contributor

This is normally used for unauthenticated bind, and
https://tools.ietf.org/html/rfc4513#section-5.1.2 recommends:

Clients SHOULD disallow an empty password input to a Name/Password
Authentication user interface

This is normally used for unauthenticated bind, and
https://tools.ietf.org/html/rfc4513#section-5.1.2 recommends:

> Clients SHOULD disallow an empty password input to a Name/Password
> Authentication user interface
Copy link
Member

@johnweldon johnweldon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I appreciate the fix, and the refactor. LGTM

@liggitt how do you want to handle the implicit API change? (no explicit breakage, but existing clients may rely on unauthenticated bind implicitly triggered by no password)
I think this is just a matter of a new version tag?

@liggitt
Copy link
Contributor

liggitt commented Aug 24, 2017

I think this is just a matter of a new version tag?

Definitely a new version tag. I'd like it to be a major version, but there were other breaking changes I wanted to see in the 3.0 bump that I don't have bandwidth to do in the next few days. I'm ok merging this into master, starting a v2 maintenance branch just prior to this, and holding tagging a 3.0 release until the other cleanup tasks are done

@johnweldon
Copy link
Member

I'll merge to master and open a new v2 maintenance branch just prior to this merge.

@johnweldon johnweldon merged commit 95ede12 into go-ldap:master Aug 24, 2017
jefferai added a commit to jefferai/ldap that referenced this pull request Dec 7, 2017
During the code reshuffle in go-ldap#126 at bind time a call to encodeControls
was added. Unfortunately, the safety check around calling it when there
are no controls to encode were omitted from this call (unlike in del.go
and search.go). As a result the packet was always getting control
characters added even if there were none to encode.

I also modified the checks in del.go and search.go to be a little safer;
rather than check for a nil slice, it also will do the right thing when
the slice is not nil but there are no entries.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants