What steps will reproduce the problem?
Configure gitblit to use LDAP authorization and read teams from LDAP. Specify
LDAP manager credentials for gitblit to use.
What is the expected output? What do you see instead?
The expected behavior is for gitblit to check team memberships for a user by
using the manager account, not that user's account since that user may not have
the privileges to see team memberships.
What version of the product are you using? On what operating system?
1.6.2 on Jetty 9, CentOS 6.3
Please provide any additional information below.
Browsing the source code, I noticed that after binding with the manager
account, gitblit rebinds as the user trying to log in (the comment says this is
to prevent an LDAP injection attack). Team memberships are then read after
this, while bound to the LDAP server as the user trying to log in, not the
manager. I believe this is wrong since the user doesn't have to be authorized
to read team memberships.
Original issue reported on code.google.com by hrv...@mail.maracic.net on 22 Nov 2014 at 1:21
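As an added illustration (not Gitblit's code) of the bind ordering described in the report, the following simulates an LDAP directory where only the manager account may read group membership, and contrasts reading team memberships while still bound as the user with rebinding as the manager first. All DNs, passwords and the SimLdap class are constructed for the example.

```python
# Added example (not Gitblit code): a simulated LDAP directory with per-bind-identity
# read permissions, used to contrast the two bind orderings discussed in the report.
MANAGER_DN = "cn=manager,dc=example,dc=com"   # constructed
MANAGER_PW = "manager-secret"                  # constructed

# Constructed directory: user DNs with passwords, and team (group) entries.
USERS = {
    "uid=alice,ou=people,dc=example,dc=com": "alice-pw",
    "uid=bob,ou=people,dc=example,dc=com": "bob-pw",
}
TEAMS = {
    "cn=devs,ou=groups,dc=example,dc=com": {"uid=alice,ou=people,dc=example,dc=com"},
    "cn=admins,ou=groups,dc=example,dc=com": {"uid=bob,ou=people,dc=example,dc=com"},
}

class SimLdap:
    """Minimal LDAP stand-in: only the manager bind may read group membership."""
    def __init__(self):
        self.bound_as = None
    def bind(self, dn, password):
        # Simple bind: verify the password for the given DN.
        expected = MANAGER_PW if dn == MANAGER_DN else USERS.get(dn)
        if expected is None or expected != password:
            raise PermissionError(f"invalid credentials for {dn}")
        self.bound_as = dn
    def find_user_dn(self, uid):
        # Searching people entries is allowed for any authenticated bind.
        if self.bound_as is None:
            raise PermissionError("anonymous search refused")
        return next((dn for dn in USERS if dn.startswith(f"uid={uid},")), None)
    def teams_of(self, user_dn):
        # ACL: group membership is visible only to the manager account.
        if self.bound_as != MANAGER_DN:
            return set()  # an unprivileged bind sees no memberships
        return {team for team, members in TEAMS.items() if user_dn in members}

def authenticate(ldap, uid, password, rebind_as_manager):
    """Bind flow from the report: manager bind -> user lookup -> rebind as user.
    With rebind_as_manager=True the team lookup runs under the manager bind."""
    ldap.bind(MANAGER_DN, MANAGER_PW)
    user_dn = ldap.find_user_dn(uid)
    if user_dn is None:
        return None
    ldap.bind(user_dn, password)           # verifies the user's own password
    if rebind_as_manager:
        ldap.bind(MANAGER_DN, MANAGER_PW)  # read teams with manager privileges
    return ldap.teams_of(user_dn)
```

With rebind_as_manager=False (the behaviour the report describes) a correctly authenticated user is placed in no teams, because the membership query runs under the user's own, unprivileged bind.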