From b92617e056ab5b5fed12a64f49bc5dbbfc71c444 Mon Sep 17 00:00:00 2001
From: Ramon Novoa
Date: Wed, 1 Jun 2011 10:51:53 +0000
Subject: [PATCH] 2011-06-01 Ramon Novoa * include/auth/mysql.php: Do not allow empty passwords when authenticating against an LDAP server.
git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@4396 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
---
 pandora_console/ChangeLog | 5 +++++
 pandora_console/include/auth/mysql.php | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog
index 4d9bf890bf..cd42a2e0a5 100644
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@@ -1,3 +1,8 @@
+2011-06-01 Ramon Novoa
+
+ * include/auth/mysql.php: Do not allow empty passwords when
+ authenticating against an LDAP server.
+
 2011-06-01 Javier Lanz
 * include/functions_graph.php: Fixed a deprecated function call
diff --git a/pandora_console/include/auth/mysql.php b/pandora_console/include/auth/mysql.php
index dcd338ae15..49837abbbf 100644
--- a/pandora_console/include/auth/mysql.php
+++ b/pandora_console/include/auth/mysql.php
@@ -423,7 +423,7 @@ function ldap_process_user_login ($login, $password) {
 }
 }
- if (!@ldap_bind ($ds, $config["ldap_login_attr"]."=".$login.",".$config["ldap_base_dn"], $password)) {
+ if (strlen($password) == 0 || !@ldap_bind ($ds, $config["ldap_login_attr"]."=".$login.",".$config["ldap_base_dn"], $password)) {
 $config["auth_error"] = 'User not found in database or incorrect password';
 @ldap_close ($ds);
 return false;
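Review bot: `$login` is still concatenated unescaped into the bind DN on the changed `if` line in include/auth/mysql.php, so DN metacharacters in a submitted login (`,`, `=`, `+`) can change which entry the bind targets; the new empty-password check does not cover that. Escaping the value before the DN is built would close it, e.g. `$dn = $config["ldap_login_attr"]."=".ldap_escape($login, "", LDAP_ESCAPE_DN).",".$config["ldap_base_dn"];`, assuming the deployment runs a PHP version that provides `ldap_escape()` (5.6 or later). The new check also deserves a one-line comment such as `// empty password = LDAP "unauthenticated" simple bind (RFC 4513 5.1.2), which many servers accept`, because the reason is not obvious from the code. The body of ldap_process_user_login starts and ends outside this hunk, so any validation of `$login` earlier in the function is not visible here.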