On 12/27/2012 04:57 PM, Scotto Alberto wrote:
> I've just shared my script on rt wikia :)
>
> http://requesttracker.wikia.com/wiki/Rt-auth-user
>
> Any improvements are welcome.
>
> For example, I suspect there's a better way to do it (it =
> authenticating against external auths first, and then the local RT's
> DB). I'd expect to call only DoAuth, and then it should fall to
> IsPassword by itself, shouldn't it?
Your PHP example has a serious security flaw in it since you use unescaped user input in the call to shell_exec(). Any username which passes your check may be followed by a password which runs arbitrary shell code on your server.
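The shell-injection pattern the reply describes, shown side by side with two hardened forms. This is an added illustration, not the script from the wiki page: the helper binary `/usr/local/bin/ext-auth`, its `--stdin` flag and its `OK` output are assumptions made for the example.

```php
<?php
// Added illustration, not the wiki script. The external authenticator
// /usr/local/bin/ext-auth, its "--stdin" flag and its "OK" reply are assumed.

// VULNERABLE: both values are interpolated into a string that /bin/sh parses.
function authVulnerable(string $user, string $pass): bool
{
    // Validating only $user does not help: a password such as the constructed
    // value "x; id > /tmp/pwned" ends the helper's argument list and makes the
    // shell run a second command with the web server's privileges.
    $out = shell_exec("/usr/local/bin/ext-auth $user $pass");
    return trim((string) $out) === 'OK';
}

// HARDENED: no shell at all. proc_open() with an array command (PHP >= 7.4)
// execs the helper directly, so argv entries are never parsed by /bin/sh, and
// the password travels over stdin so it is not visible in the process list.
function authHardened(string $user, string $pass): bool
{
    // Reject anything that cannot be a username before spawning a process.
    if (!preg_match('/^[a-z0-9._-]{1,64}$/i', $user)) {
        return false;
    }
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['/usr/local/bin/ext-auth', '--stdin', $user], $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    fwrite($pipes[0], $pass . "\n");
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    // Require both a zero exit status and the expected reply.
    return $status === 0 && trim((string) $out) === 'OK';
}

// MINIMUM FIX for older PHP or a helper that insists on argv: quote every
// interpolated value with escapeshellarg(), which wraps it in single quotes
// and escapes embedded single quotes so the shell sees exactly one word.
// The password is still exposed to anyone who can run "ps" on the host.
function authEscaped(string $user, string $pass): bool
{
    $cmd = '/usr/local/bin/ext-auth ' . escapeshellarg($user) . ' ' . escapeshellarg($pass);
    $out = shell_exec($cmd);
    return trim((string) $out) === 'OK';
}
```

The array form of `proc_open()` is the fix to prefer: it removes the shell from the path entirely, so there is nothing left to escape, and passing the secret on stdin also keeps it out of `/proc/*/cmdline`. `escapeshellarg()` is a correct but weaker substitute when the shell cannot be avoided.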