[rt-devel] case-sensitivity in ExternalAuth::DBI

Sam Hanes sam at maltera.com
Mon Nov 7 16:40:39 EST 2016


From what I can tell RT's user Name and EmailAddress fields are 
intended to be case-insensitive, and that's certainly what my users 
expect. Given that, RT::Authen::ExternalAuth::DBI has a bug in that it 
only works if its backing database is case-sensitive.

It uses DBI::selectall_hashref keyed on the username or email address 
from the backing database (whichever was used to look up the account), 
and then retrieves the record from the resulting hash with the string it 
used for the query. If the backing database is case-insensitive but 
case-preserving (as most are) and the case in the database does not 
match the case used for the query, then the case used to create the hash 
key won't match the case used to retrieve it. Since Perl hash keys are 
case-sensitive, the hash dereference fails and the method returns undef, 
resulting in very strange error messages.

I've submitted a pull request to replace DBI::selectall_hashref with 
DBI::selectall_arrayref, which resolves the case conflict issue:
https://github.com/bestpractical/rt/pull/200

Could someone please take a look at it? It's been sitting for 17 days 
without any activity. I'd be happy to change the target branch or add 
more tests, if that'd help. I can also send the patch via email, if 
you'd prefer that to a pull request.
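
The failure described in this message can be reproduced with the added example below, which is not code from the message, from the pull request or from RT. It assumes DBD::SQLite is installed and uses a constructed `users` table whose `name` column is declared `COLLATE NOCASE` to stand in for a case-insensitive, case-preserving backing database; the function names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;    # DBD::SQLite is also required for the in-memory test database

# Constructed sample data: the stored value is 'JSmith', and the NOCASE
# collation makes "name = ?" match regardless of the case supplied.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE users (name TEXT COLLATE NOCASE, email TEXT)');
$dbh->do(q{INSERT INTO users VALUES ('JSmith', 'jsmith@example.com')});

my $sql = 'SELECT name, email FROM users WHERE name = ?';

# Pattern described in the message: the hash is keyed on the value stored
# in the database, then dereferenced with the string used for the query.
sub lookup_hashref {
    my ($login) = @_;
    my $rows = $dbh->selectall_hashref($sql, 'name', {}, $login);
    return $rows->{$login};    # undef when the stored case differs
}

# Arrayref variant: the database has already done the matching, so the
# row is taken by position and no string is compared again in Perl.
sub lookup_arrayref {
    my ($login) = @_;
    my $rows = $dbh->selectall_arrayref($sql, { Slice => {} }, $login);
    return unless @$rows == 1;    # reject missing or ambiguous matches
    return $rows->[0];
}

# Same account, queried once with the stored case and once in lower case.
for my $login ('JSmith', 'jsmith') {
    my $by_hash  = lookup_hashref($login);
    my $by_array = lookup_arrayref($login);
    printf "%-7s hashref: %-6s arrayref: %s\n", $login,
        ($by_hash  ? $by_hash->{name}  : 'undef'),
        ($by_array ? $by_array->{name} : 'undef');
}
```

The row returned by the arrayref variant carries the name as stored in the database, which is the value to use for any later comparison or account creation rather than the string the user typed.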

