You are viewing a plain text version of this content. The canonical link for it is here.

Posted to cvs@httpd.apache.org by rp...@apache.org on 2021/01/27 08:01:06 UTC

svn commit: r1885939 - /httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c

Author: rpluem
Date: Wed Jan 27 08:01:06 2021
New Revision: 1885939

URL: http://svn.apache.org/viewvc?rev=1885939&view=rev
Log:
Do not allow to set empty bind passwords to be set via AuthLDAPBindPassword

Binds with empty passwords always succeed, but in case the password of the
user was not empty subsequent LDAP operations fail.

Modified:
    httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c

Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?rev=1885939&r1=1885938&r2=1885939&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Wed Jan 27 08:01:06 2021
@@ -1719,6 +1719,10 @@ static const char *set_bind_password(cmd
         sec->bindpw = (char *)arg;
     }
 
+    if (!(*sec->bindpw)) {
+        return "Empty passwords are invalid for AuthLDAPBindPassword";
+    }
+
     return NULL;
 }