phpBB • Free and Open Source Forum Software

The ldap bind is ok on the auth config page in ACP, but login fails without an error message.

Here is the fix:
diff includes/auth/auth_ldap.php includes/auth/auth_ldap.php.orig
155c155
< if (!@ldap_bind($ldap, htmlspecialchars_decode($config['ldap_user']), htmlspecialchars_decode($config['ldap_password'])))
---
> if (!@ldap_bind($ldap, $config['ldap_user'], htmlspecialchars_decode($config['ldap_password'])))

Following DRY this line of code should be moved in a function.

I've made some changes to this: http://code.phpbb.com/repositories/diff ... ev_to=9636

You can safely test it out on 3.0.5.

Why are those values saved html encoded in the database and not decoded before storing them?

Because everything is stored HTML escaped no exceptions.

What's the reason for this (sick) decision?

Security. The system holds everything in a safely escaped state and only reverses that on demand. That way, modification authors cannot accidentally "forget" about sanitizing something prior to output.
It's a pain in about < 5% of all cases, but being consistent is the whole point of it.

I guess everything operating on that html escaped data like the full-text search is a pain in the ass and has tons of edge cases where it fails.
Html is not the only output it should be able to produce...

	What:	Where:	Country:
vacatures php arbeit php jobs php lavoro php emploi php trabajo php jobs php arbeit php

LDAP auth on login fails when binddn has html escaped chars (fix completed in vcs)

Comments / History

Ticket details

Related SVN changesets

Advertisements