randomize database password for external auth users
author Ken Dreyer <ktdreyer@ktdreyer.com>
Tue, 22 May 2012 21:39:50 +0000 (15:39 -0600)
committer Ken Dreyer <ktdreyer@ktdreyer.com>
Tue, 22 May 2012 21:54:48 +0000 (15:54 -0600)
commit 2c1787029265403f25374a5dfc58582c5bd49205
tree d1859a1649e0dea8d360c13cd669a1a643d13dcf
parent 7b9dfbb655cc7cb32bb90bb1245f2b1da10d5e2d
randomize database password for external auth users

The LDAPAuthentication and CrowdAuthentication classes set a default
static password of "left_blank" in auto_register(). This allows an
unexpected method of entry: when the DatabaseAuthentication plugin is
also active, lib/gitorious/authentication.rb will cycle through all the
auth plugins, and the DatabaseAuthentication plugin could allow a
malicious user to log in with this "left_blank" password string.

Modify the external authentication plugins to randomize the user's local
database password immediately after auto registration.
lib/gitorious/authentication/crowd/user.rb
lib/gitorious/authentication/ldap_authentication.rb
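The plugin-chain fallback described in the commit message, reduced to a self-contained model. This is an added example, not Gitorious code: the `ExternalAuthentication`, `DatabaseAuthentication` and `authenticate` definitions, the in-memory `users` hash, the constructed `directory` of external credentials and the PBKDF2 password storage are all stand-ins chosen for illustration; Gitorious's real classes, password scheme and plugin ordering are not reproduced. The `randomize_local_password:` switch toggles between the pre-fix behaviour (a static "left_blank" local password) and the post-fix behaviour (a random local password set immediately after auto registration), so the same chain can be run both ways.

```ruby
require "openssl"
require "securerandom"

# Stand-in for local password storage (assumption: Gitorious's real scheme is not reproduced).
module Passwords
  ITERATIONS = 10_000

  def self.digest(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32,
                               OpenSSL::Digest.new("sha256")).unpack("H*").first
  end

  # Store (or overwrite) the local password record for +login+ in the +users+ hash.
  def self.store(users, login, password)
    salt = SecureRandom.hex(16)
    users[login] = { salt: salt, hash: digest(password, salt) }
  end

  def self.valid?(users, login, password)
    rec = users[login]
    return false unless rec
    secure_equal?(digest(password, rec[:salt]), rec[:hash])
  end

  # Constant-time comparison so a wrong guess does not leak how many bytes matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Stand-in for the DatabaseAuthentication plugin: checks against the local record only.
class DatabaseAuthentication
  def initialize(users)
    @users = users
  end

  def authenticate(login, password)
    Passwords.valid?(@users, login, password) ? login : nil
  end
end

# Stand-in for an external plugin (LDAP/Crowd). +directory+ is a constructed
# login => password hash playing the role of the external server.
class ExternalAuthentication
  def initialize(users, directory, randomize_local_password:)
    @users = users
    @directory = directory
    @randomize = randomize_local_password
  end

  def authenticate(login, password)
    return nil unless @directory.key?(login) && @directory[login] == password
    auto_register(login) unless @users.key?(login)
    login
  end

  # Pre-fix: the local record gets the static "left_blank" password.
  # Post-fix: it is immediately overwritten with a random one nobody can guess.
  def auto_register(login)
    Passwords.store(@users, login, "left_blank")
    Passwords.store(@users, login, SecureRandom.hex(32)) if @randomize
  end
end

# Stand-in for lib/gitorious/authentication.rb: try each configured plugin in turn
# and accept the first that returns a user.
def authenticate(plugins, login, password)
  plugins.each do |plugin|
    result = plugin.authenticate(login, password)
    return result if result
  end
  nil
end

# Provision "alice" through the external plugin, then try the "left_blank" default
# against the chain. Returns which of the two logins succeeded.
def simulate(randomize:)
  users = {}
  directory = { "alice" => "ldap-secret" }            # constructed external credentials
  external = ExternalAuthentication.new(users, directory, randomize_local_password: randomize)
  plugins = [external, DatabaseAuthentication.new(users)]
  registered = authenticate(plugins, "alice", "ldap-secret") == "alice"
  bypass = authenticate(plugins, "alice", "left_blank") == "alice"
  { registered: registered, left_blank_login: bypass }
end

if __FILE__ == $0
  puts "pre-fix:  #{simulate(randomize: false)}"
  puts "post-fix: #{simulate(randomize: true)}"
end
```

With the external plugin first in the chain, "left_blank" is rejected by the directory and falls through to `DatabaseAuthentication`, which accepts it in the pre-fix run and rejects it once the local password has been randomized. Randomizing is only a partial answer if the local record is still usable at all; in a deployment where external users should never authenticate locally, the database plugin would also need to skip externally-managed accounts, which this example does not model.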