[rt-users] R: Custom authentication script fails with ExternalAuthPriority not defined, please check your configuration file
Thomas Sibley
trs at bestpractical.com
Mon Dec 31 16:44:24 EST 2012
On 12/27/2012 04:57 PM, Scotto Alberto wrote:
> I've just shared my script on rt wikia :)
>
> http://requesttracker.wikia.com/wiki/Rt-auth-user
>
> Any improvements are welcome.
>
> For example, I suspect there's a better way to do it (it =
> authenticating against external auths first, and then the local RT's
> DB). I'd expect to call only DoAuth, and then it should fall to
> IsPassword by itself, shouldn't it?
Your PHP example has a serious security flaw in it since you use
unescaped user input in the call to shell_exec(). Any username which
passes your check may be followed by a password which runs arbitrary
shell code on your server.
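
The flaw described in the reply above, shown next to two ways of closing it. This is an added example, not the script from the wiki page: the function names, the argument order and the use of /bin/echo as a stand-in for the real authentication helper are all assumptions made for illustration.

```php
<?php
// Added example. Helper path, argument order and function names are
// hypothetical; /bin/echo stands in for the real authentication helper.

// Flawed pattern: user input is pasted into a command line, so the shell
// interprets any metacharacters the password contains.
function command_unsafe(string $helper, string $user, string $pass): string
{
    return "$helper $user $pass";   // string that would reach shell_exec()
}

// Fix 1: quote every value so the shell sees each one as a single literal word.
function command_escaped(string $helper, string $user, string $pass): string
{
    return escapeshellarg($helper) . ' '
         . escapeshellarg($user) . ' '
         . escapeshellarg($pass);
}

// Fix 2 (PHP 7.4+): give proc_open() an argument array. The helper is
// executed directly and no shell ever parses the input.
function run_without_shell(string $helper, string $user, string $pass): array
{
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open([$helper, $user, $pass], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start helper');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['exit' => proc_close($proc), 'stdout' => $out];
}

// Constructed sample input: a password containing a shell metacharacter.
$user = 'alice';
$pass = 's3cret; echo INJECTED';

// Not executed: printed only to show that the shell would see two commands.
echo command_unsafe('/bin/echo', $user, $pass), "\n";

// Executed: the whole password arrives at the helper as one argument.
echo shell_exec(command_escaped('/bin/echo', $user, $pass));
print_r(run_without_shell('/bin/echo', $user, $pass));
```

Either fix keeps the password out of the shell's parser, but both still place it on the helper's command line, where other local users can usually read it from the process list.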