[Mediawiki-l] LdapAuthentication 1.2b released - security fix for register_globals users

Ryan Lane rlane32 at gmail.com
Wed Jun 23 01:19:35 UTC 2010


This release contains a security bugfix for users of register_globals.
Most configuration options in the extension did not have default
values; this release sets defaults for all configuration globals.
Users are recommended to update to this version, or disable
register_globals. If you do not have register_globals enabled, you are
not affected.

The following has changed since 1.2a:

* Fixed issue with group synchronization and nested groups
* Added support for exclusion groups in addition to required groups
** Configured via $wgLDAPExcludedGroups; syntax the same as
$wgLDAPRequiredGroups
* Fixed check for returns with no entries
* Added memberOf support
* Added patch for getting user's primary group when using memberOf
* Fixed group synchronization issue with memberOf support (patch by Teddy Reed)
* Fixed problem with usernames containing parentheses
* Fixed warnings in PHP 5.2.10 when some entries weren't returned
* Fixed issue with $wgLDAPGroupsPrevail
* Fixed issue with mail temporary password button when email me a
password support was enabled
* Added support for non-standard ports
** Configured via $wgLDAPPort - see options documentation
* Changed debug to output to a file
** Configured via $wgDebugLogGroups["ldap"] - see options documentation
* Added support for modifying LDAP options when connecting
** Configured via $wgLDAPOptions - see options documentation
* Added a security fix for register_globals users (seriously, turn
register_globals off, if you have it on)

To download this version, please use the extension distributor
(http://www.mediawiki.org/wiki/Special:ExtensionDistributor/LdapAuthentication),
select "Development version (trunk)", and click "Continue".

Respectfully,

Ryan Lane
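
Added example, not part of the original message and not the extension's code: a PHP sketch of why an option with no default value is exposed when register_globals is on, and why assigning defaults in the extension's setup file closes the gap. The default values, the function names and the sample request are assumptions made for illustration; only the option names come from the announcement.

```php
<?php
// Hypothetical defaults; the values actually shipped in 1.2b are not
// given in the announcement.
function extensionDefaults(): array {
    return [
        'wgLDAPRequiredGroups' => [],
        'wgLDAPExcludedGroups' => [],
        'wgLDAPPort'           => [],
        'wgLDAPOptions'        => [],
    ];
}

// Models the order of events on one request:
//   1. register_globals copies request parameters into the global scope
//   2. the extension setup file runs (with or without assigning defaults)
//   3. the admin's own assignments in LocalSettings.php run last
function effectiveConfig(array $request, array $admin, bool $setDefaults): array {
    $scope = $request;
    if ($setDefaults) {
        $scope = array_merge($scope, extensionDefaults());
    }
    return array_merge($scope, $admin);
}

// Names of options whose final value still came from the request.
function requestControlled(array $config, array $request): array {
    $names = [];
    foreach ($request as $name => $value) {
        if (array_key_exists($name, $config) && $config[$name] === $value) {
            $names[] = $name;
        }
    }
    return $names;
}

// Constructed sample input: the admin configured required groups only.
$request = [
    'wgLDAPRequiredGroups' => ['value-from-request'],
    'wgLDAPExcludedGroups' => ['value-from-request'],
];
$admin = ['wgLDAPRequiredGroups' => ['cn=wiki-users,dc=example,dc=org']];

foreach ([false, true] as $setDefaults) {
    $config = effectiveConfig($request, $admin, $setDefaults);
    printf("defaults %s: request-controlled options = [%s]\n",
        $setDefaults ? 'set' : 'missing',
        implode(', ', requestControlled($config, $request)));
}

// Deployment check: ini_get() returns false on PHP versions without the directive.
if (ini_get('register_globals')) {
    echo "register_globals is enabled; turn it off in php.ini\n";
}
```

An option the admin sets explicitly is never request-controlled; the exposure is limited to options left unset, which is the case the defaults in this release cover.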


