Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-8713

trimming login inputs isn't sensible

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.5
    • Fix Version/s: 3.1.0-a1
    • Component/s: Authentication
    • Labels:
      None
    • Environment:
      PHP Environment: PHP v5.2.8, Windows Server 2003 Standard

      Description

      I'm currently working on a custom auth plugin that combines NTLM and LDAP authentication in a custom package.

      Long story short, some of the passwords in Active Directory begin with a space. Somewhere in the phpBB control flow, the password input POST'ed by the user becomes trimmed (or otherwise "sanitized") such that the leading space is removed. Naturally, Active Directory knows the difference between a password beginning with a space and one without, resulting in the affected users being unable to login.

      Is there a reason the password input (and possibly others) are seemingly being trim()'d before being passed along to the respective auth_*.php plugin?

      If not, wouldn't a good workaround be to move the trim()'ing and/or other sanitization into the auth_db.php (the default auth 'plugin') file so that it can be easily modified/removed by custom auth plugins?

        Issue Links

          Activity

          Hide
          bantu Andreas Fischer added a comment -

          I agree. The new request class for phpBB 3.1 should have "raw" method that allows receiving the untrimmed value. See http://area51.phpbb.com/phpBB/viewtopic.php?p=228139#p228139 and following posts.

          Show
          bantu Andreas Fischer added a comment - I agree. The new request class for phpBB 3.1 should have "raw" method that allows receiving the untrimmed value. See http://area51.phpbb.com/phpBB/viewtopic.php?p=228139#p228139 and following posts.

            People

            • Assignee:
              bantu Andreas Fischer
              Reporter:
              dead.on# dead.on#
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development