This file updates RT::Authen::ExternalAuth version 0.08 to patch the
security vulnerability otherwise addressed in RT::Authen::ExternalAuth
0.11.  It need only be applied if you are running RT 3.8.1, and thus
cannot install a more recent version of RT::Authen::ExternalAuth.

If you are running RT 3.8.1 and a version of RT::Authen::ExternalAuth
prior to 0.08, you should first upgrade to 0.08, then continue with the
patching instructions below.  Version 0.08 can be downloaded from:
http://cpan.metacpan.org/authors/id/Z/ZO/ZORDRAK/RT-Authen-ExternalAuth-0.08.tar.gz

This patch should be applied via:

   patch -p1 -d /opt/rt4 < /path/to/this/file.patch

You should then restart your webserver.

diff --git a/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm b/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
index 948939a..d4da020 100644
--- a/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
+++ b/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
@@ -166,12 +166,12 @@ sub DoAuth {
     # If we got here and don't have a user loaded we must have failed to
     # get a full, valid user from an authoritative external source.
     unless ($session->{'CurrentUser'} && $session->{'CurrentUser'}->Id) {
-        delete $session->{'CurrentUser'};
+        $session->{'CurrentUser'} = RT::CurrentUser->new;
         return (0, "No User");
     }
 
     unless($success) {
-        delete $session->{'CurrentUser'};
+        $session->{'CurrentUser'} = RT::CurrentUser->new;
 	return (0, "Password Invalid");
     }
     
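Review bot: The new line `$session->{'CurrentUser'} = RT::CurrentUser->new;` replaces `delete` at both sites in this hunk and again in the two hunks that follow, yet none of the four carries a comment saying why storing an empty user object is required rather than removing the key, which is the substance of the security fix this patch exists to deliver. Someone back-porting this onto 0.08 by hand cannot tell from the code which half of the old behaviour was unsafe, so the first site should explain it along the lines of `# Store an empty RT::CurrentUser instead of deleting the key: an absent key is presumably not treated as "not logged in" by the rest of the login path — confirm against the RT 3.8.1 autohandler.` As the four statements are identical, a private helper such as `sub _reset_session_user { my ($session) = @_; $session->{'CurrentUser'} = RT::CurrentUser->new; return; }` called from each site would keep them from drifting apart in later patches. DoAuth starts before this hunk and continues past the last one, so whether `$session` is a tied, persisted hash whose stores are tracked individually cannot be confirmed from what is shown here.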
@@ -206,7 +206,7 @@ sub DoAuth {
         # Now that we definitely have up-to-date user information,
         # if the user is disabled, kick them out. Now!
         if ($session->{'CurrentUser'}->UserObj->Disabled) {
-            delete $session->{'CurrentUser'};
+            $session->{'CurrentUser'} = RT::CurrentUser->new;
             return (0, "User account disabled, login denied");
         }
     }
@@ -223,8 +223,8 @@ sub DoAuth {
             # Do not delete the session. User stays logged in and
             # autohandler will not check the password again
     } else {
-            # Make SURE the session is deleted.
-            delete $session->{'CurrentUser'};
+            # Make SURE the session is purged to an empty user.
+            $session->{'CurrentUser'} = RT::CurrentUser->new;
             return (0, "Failed to authenticate externally");
             # This will cause autohandler to request IsPassword 
             # which will in turn call IsExternalPassword
