You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by rp...@apache.org on 2021/03/02 07:43:35 UTC

svn commit: r1887080 - in /httpd/httpd/branches/2.4.x: ./ CHANGES modules/aaa/mod_authnz_ldap.c

Author: rpluem
Date: Tue Mar  2 07:43:35 2021
New Revision: 1887080

URL: http://svn.apache.org/viewvc?rev=1887080&view=rev
Log:
Merge r1885939, r1885940, r1885941, r1885945 from trunk:

Do not allow to set empty bind passwords to be set via AuthLDAPBindPassword

Binds with empty passwords always succeed, but in case the password of the
user was not empty subsequent LDAP operations fail.


Before doing any bind check that the provided username is not NULL and that the
password is neither NULL nor empty.

Binds with empty passwords always succeed, but in case the password of the
user was not empty subsequent LDAP operations fail.
This causes authentications that use user supplied credentials
(AuthLDAPInitialBindAsUser set to on) to fail with status code 500 instead of
401 if the user supplied an empty password.


* Document r1885939 and r1885940

* Add lognumber

Reviewed by: rpluem, ylavic, covener

Github: closes #168

Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/modules/aaa/mod_authnz_ldap.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1885939-1885941,1885945

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1887080&r1=1887079&r2=1887080&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Tue Mar  2 07:43:35 2021
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.47
 
+  *) mod_authnz_ldap: Prevent authentications with empty passwords for the
+     initial bind to fail with status 500. [Ruediger Pluem]
+
   *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
      the format can't match anyway.  [Yann Ylavic]
 

Modified: httpd/httpd/branches/2.4.x/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/aaa/mod_authnz_ldap.c?rev=1887080&r1=1887079&r2=1887080&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/branches/2.4.x/modules/aaa/mod_authnz_ldap.c Tue Mar  2 07:43:35 2021
@@ -500,6 +500,32 @@ static authn_status authn_ldap_check_pas
         return AUTH_GENERAL_ERROR;
     }
 
+    /* Get the password that the client sent */
+    if (password == NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692)
+                      "auth_ldap authenticate: no password specified");
+        return AUTH_GENERAL_ERROR;
+    }
+
+    if (user == NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693)
+                      "auth_ldap authenticate: no user specified");
+        return AUTH_GENERAL_ERROR;
+    }
+
+    /*
+     * A bind to the server with an empty password always succeeds, so
+     * we check to ensure that the password is not empty. This implies
+     * that users who actually do have empty passwords will never be
+     * able to authenticate with this module. I don't see this as a big
+     * problem.
+     */
+    if (!(*password)) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(10263)
+                      "auth_ldap authenticate: empty password specified");
+        return AUTH_DENIED;
+    }
+
     /* There is a good AuthLDAPURL, right? */
     if (sec->host) {
         const char *binddn = sec->binddn;
@@ -522,21 +548,6 @@ static authn_status authn_ldap_check_pas
     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01691)
                   "auth_ldap authenticate: using URL %s", sec->url);
 
-    /* Get the password that the client sent */
-    if (password == NULL) {
-        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692)
-                      "auth_ldap authenticate: no password specified");
-        util_ldap_connection_close(ldc);
-        return AUTH_GENERAL_ERROR;
-    }
-
-    if (user == NULL) {
-        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693)
-                      "auth_ldap authenticate: no user specified");
-        util_ldap_connection_close(ldc);
-        return AUTH_GENERAL_ERROR;
-    }
-
     /* build the username filter */
     authn_ldap_build_filter(filtbuf, r, user, NULL, sec);
 
@@ -1673,6 +1684,10 @@ static const char *set_bind_password(cmd
         sec->bindpw = (char *)arg;
     }
 
+    if (!(*sec->bindpw)) {
+        return "Empty passwords are invalid for AuthLDAPBindPassword";
+    }
+
     return NULL;
 }