[rt-users] R: Custom authentication script fails with > ExternalAuthPriority not defined, please check your configuration file

Thomas Sibley trs at bestpractical.com
Mon Dec 31 16:44:24 EST 2012


On 12/27/2012 04:57 PM, Scotto Alberto wrote:
> I've just shared my script on rt wikia :)
> 
> http://requesttracker.wikia.com/wiki/Rt-auth-user
> 
> Any improvements are welcome.
> 
> For example, I suspect there's a better way to do it (it =
> authenticating against external auths first, and then the local RT's
> DB). I'd expect to call only DoAuth, and then it should fall to
> IsPassword by itself, shouldn't it?

Your PHP example has a serious security flaw in it since you use
unescaped user input in the call to shell_exec().  Any username which
passes your check may be followed by a password which runs arbitrary
shell code on your server.
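
Added example, not part of the original message or of the wiki script: one way to call an external auth helper from PHP without a shell ever parsing the credentials. The helper path is a placeholder, and its interface (username as an argument, password as one line on stdin, exit status 0 on success) is an assumption made for illustration.

```php
<?php
// Added illustration. The helper path is a placeholder, and its interface
// (username as argv[1], password as one line on stdin, exit status 0 on
// success) is an assumption, not how the wiki script actually works.

// Flawed pattern the message describes: user input spliced into a shell line.
//   $out = shell_exec("/path/to/rt-auth-user $user $pass");

function check_credentials(array $helper, string $user, string $pass): bool
{
    // Conservative username alphabet; no leading "-" that could be read as an option.
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9._@-]{0,63}\z/', $user)) {
        return false;
    }
    // The password travels as a single stdin line, so it must not contain
    // NUL or line breaks; every other byte is allowed and stays literal.
    if (preg_match('/[\x00\r\n]/', $pass)) {
        return false;
    }
    $spec = [
        0 => ['pipe', 'r'], // helper's stdin
        1 => ['pipe', 'w'], // helper's stdout
    ];
    // Array command (PHP >= 7.4): arguments go straight to the helper's
    // argv, so no shell ever parses $user.
    $proc = proc_open(array_merge($helper, [$user]), $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    fwrite($pipes[0], $pass . "\n"); // stdin also keeps it out of `ps` output
    fclose($pipes[0]);
    stream_get_contents($pipes[1]);  // drain output so the helper can exit
    fclose($pipes[1]);
    return proc_close($proc) === 0;
}

// Constructed stand-in for the real helper so the example runs offline.
$stub = [PHP_BINARY, '-r',
    'exit(($argv[1] === "alice" && rtrim(fgets(STDIN), "\n") === "pw; echo x") ? 0 : 1);'];
var_dump(check_credentials($stub, 'alice', 'pw; echo x')); // metacharacters stay literal
var_dump(check_credentials($stub, 'alice; id', 'pw'));      // rejected before any exec
// Production call: check_credentials(['/path/to/rt-auth-user'], $user, $pass);
```

If a shell command line cannot be avoided, pass every user-supplied value through escapeshellarg() before building the string.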


