[rt-users] R: R: R: Custom authentication script fails with > ExternalAuthPriority not defined, please check your configuration file

Thomas Sibley trs at bestpractical.com
Wed Jan 2 19:08:33 EST 2013


On 01/02/2013 03:53 PM, Scotto Alberto wrote:
>> Fix problems at the source
>
> Exactly. From my point of view, the "source" is who/what generates
> the input: the user who fills in a form. So, this is why I say that
> the input validation should be done around the View layer, while in
> the back ("rt_auth" function) I should assume with a precondition
> that the input is not evil anymore.

It's far too easy for the backend function to start being used somewhere
where the validation doesn't happen first, and then you're vulnerable
again.  The backend is a single point to fix, whereas validation might
need to happen across multiple views and interfaces.

The path of shoving the shell_exec() validation up into the view is
lined with awful websites which prohibit special characters in passwords.
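An added example, not code from this thread or from RT, of what "fixing at the backend" looks like: the credential check passes user input as an argument vector with no shell involved (the password over stdin), so no characters need to be banned from passwords; the helper path `/usr/local/bin/check-creds` and the `runner` parameter are assumptions for illustration. The shell-string variants are shown only to contrast what the thread warns about.

```python
import shlex
import subprocess
from typing import Callable

# Hypothetical external credential checker (assumption): exits 0 on success and
# reads the password from stdin.
AUTH_HELPER = "/usr/local/bin/check-creds"


def shell_words(cmd: str) -> list[str]:
    """Split a shell string the way a POSIX shell would tokenise it."""
    return shlex.split(cmd)


def shell_string_unsafe(user: str, password: str) -> str:
    """The pattern the thread warns about: user input interpolated into a shell
    string.  Whitespace or metacharacters in the password change the command."""
    return f"{AUTH_HELPER} {user} {password}"


def shell_string_quoted(user: str, password: str) -> str:
    """If a shell string is truly unavoidable, shlex.quote() turns each argument
    into one inert word, so special characters in passwords stay harmless."""
    return f"{AUTH_HELPER} {shlex.quote(user)} {shlex.quote(password)}"


def auth_argv(user: str) -> list[str]:
    """Preferred form: an argument vector run without any shell.  The password
    is deliberately kept off the command line (it would be visible in `ps`)."""
    return [AUTH_HELPER, "--user", user]


def rt_auth(user: str, password: str,
            runner: Callable[..., object] = subprocess.run) -> bool:
    """Backend check that is safe whatever a caller passes in.  `runner` is
    injectable (assumption) so the logic can be exercised without the helper."""
    # NUL bytes cannot travel through argv or a pipe; reject them here, in the
    # one backend function, rather than trusting every view to do it first.
    if "\x00" in user or "\x00" in password:
        return False
    proc = runner(auth_argv(user), input=password + "\n", text=True,
                  capture_output=True, check=False)
    return proc.returncode == 0
```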
