[rt-devel] case-sensitivity in ExternalAuth::DBI
Sam Hanes
sam at maltera.com
Mon Nov 7 16:40:39 EST 2016

From what I can tell RT's user Name and EmailAddress fields are
intended to be case-insensitive, and that's certainly what my users
expect. Given that, RT::Authen::ExternalAuth::DBI has a bug in that it
only works if its backing database is case-sensitive.

It uses DBI::selectall_hashref keyed on the username or email address
from the backing database (whichever was used to look up the account),
and then retrieves the record from the resulting hash with the string it
used for the query. If the backing database is case-insensitive but
case-preserving (as most are) and the case in the database does not
match the case used for the query, then the case used to create the hash
key won't match the case used to retrieve it. Since Perl hash keys are
case-sensitive, the hash dereference fails and the method returns undef,
resulting in very strange error messages.

I've submitted a pull request to replace DBI::selectall_hashref with
DBI::selectall_arrayref, which resolves the case conflict issue:
https://github.com/bestpractical/rt/pull/200

Could someone please take a look at it? It's been sitting for 17 days
without any activity. I'd be happy to change the target branch or add
more tests, if that'd help. I can also send the patch via email, if
you'd prefer that to a pull request.
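
The mismatch described in the message above, as an added example that is not part of the original post or of RT's code. It assumes DBD::SQLite is installed and uses a constructed in-memory table with a `NOCASE` column; the helper names `lookup_hashref` and `lookup_arrayref` and the single-row check are this example's own.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use DBI;

# Constructed stand-in for the external auth database: an in-memory SQLite
# table whose username column compares case-insensitively but preserves the
# stored case (assumption: DBD::SQLite is available).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE users (username TEXT COLLATE NOCASE, email TEXT)');
$dbh->do('INSERT INTO users VALUES (?, ?)', undef,
    'JSmith', 'jsmith@example.com');

my $sql   = 'SELECT username, email FROM users WHERE username = ?';
my $login = 'jsmith';    # what the user typed; the stored value is "JSmith"

# Pattern described in the post: key the result hash on the column value,
# then fetch the row with the string that was used for the query.
sub lookup_hashref {
    my ($name) = @_;
    my $rows = $dbh->selectall_hashref($sql, 'username', undef, $name);
    return $rows->{$name};    # hash key is "JSmith", so "jsmith" misses
}

# Approach named in the post: take the rows positionally, so the case of
# the stored value never has to match the case of the query string.
sub lookup_arrayref {
    my ($name) = @_;
    my $rows = $dbh->selectall_arrayref($sql, { Slice => {} }, $name);
    return unless @$rows == 1;    # refuse missing or ambiguous matches
    return $rows->[0];
}

for my $try ([hashref => \&lookup_hashref], [arrayref => \&lookup_arrayref]) {
    my ($label, $fn) = @$try;
    my $row = $fn->($login);
    printf "%-8s lookup of '%s': %s\n", $label, $login,
        $row ? "found $row->{username} <$row->{email}>" : 'undef (no row)';
}
```

Both calls send the same query and the database matches the row in both cases; only the hash-keyed lookup discards it afterwards.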