diff options
| author | Ruediger Pluem <rpluem@apache.org> | 2021-01-27 09:08:56 +0100 |
|---|---|---|
| committer | Ruediger Pluem <rpluem@apache.org> | 2021-01-27 09:08:56 +0100 |
| commit | ec1d14ccf6d4f8061f3aea0f4d9870f5c445f5c9 (patch) | |
| tree | de0043fc4b32e7120b500b4b646bfa7db953d6b9 /modules/aaa | |
| parent | Do not allow to set empty bind passwords to be set via AuthLDAPBindPassword (diff) | |
| download | apache2-ec1d14ccf6d4f8061f3aea0f4d9870f5c445f5c9.tar.xz apache2-ec1d14ccf6d4f8061f3aea0f4d9870f5c445f5c9.zip | |
Before doing any bind check that the provided username is not NULL and that the
password is neither NULL nor empty.
Binds with empty passwords always succeed, but in case the password of the
user was not empty subsequent LDAP operations fail.
This causes authentications that use user supplied credentials
(AuthLDAPInitialBindAsUser set to on) to fail with status code 500 instead of
401 if the user supplied an empty password.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1885940 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/aaa')
| -rw-r--r-- | modules/aaa/mod_authnz_ldap.c | 41 |
1 files changed, 26 insertions, 15 deletions
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index 592c1ef3ed..aed5b1eb04 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c @@ -539,6 +539,32 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user, return AUTH_GENERAL_ERROR; } + /* Get the password that the client sent */ + if (password == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692) + "auth_ldap authenticate: no password specified"); + return AUTH_GENERAL_ERROR; + } + + if (user == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693) + "auth_ldap authenticate: no user specified"); + return AUTH_GENERAL_ERROR; + } + + /* + * A bind to the server with an empty password always succeeds, so + * we check to ensure that the password is not empty. This implies + * that users who actually do have empty passwords will never be + * able to authenticate with this module. I don't see this as a big + * problem. + */ + if (!(*password)) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO() + "auth_ldap authenticate: empty password specified"); + return AUTH_DENIED; + } + /* There is a good AuthLDAPURL, right? */ if (sec->host) { const char *binddn = sec->binddn; @@ -562,21 +588,6 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user, ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01691) "auth_ldap authenticate: using URL %s", sec->url); - /* Get the password that the client sent */ - if (password == NULL) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692) - "auth_ldap authenticate: no password specified"); - release_ldc(r, ldc); - return AUTH_GENERAL_ERROR; - } - - if (user == NULL) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693) - "auth_ldap authenticate: no user specified"); - release_ldc(r, ldc); - return AUTH_GENERAL_ERROR; - } - /* build the username filter */ if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, user, NULL, sec)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02622) |