You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by rp...@apache.org on 2021/01/27 08:08:56 UTC

svn commit: r1885940 - /httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c

Author: rpluem
Date: Wed Jan 27 08:08:56 2021
New Revision: 1885940

URL: http://svn.apache.org/viewvc?rev=1885940&view=rev
Log:
Before doing any bind check that the provided username is not NULL and that the
password is neither NULL nor empty.

Binds with empty passwords always succeed, but in case the password of the
user was not empty subsequent LDAP operations fail.
This causes authentications that use user supplied credentials
(AuthLDAPInitialBindAsUser set to on) to fail with status code 500 instead of
401 if the user supplied an empty password.

Modified:
    httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c

Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?rev=1885940&r1=1885939&r2=1885940&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Wed Jan 27 08:08:56 2021
@@ -539,6 +539,32 @@ static authn_status authn_ldap_check_pas
         return AUTH_GENERAL_ERROR;
     }
 
+    /* Get the password that the client sent */
+    if (password == NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692)
+                      "auth_ldap authenticate: no password specified");
+        return AUTH_GENERAL_ERROR;
+    }
+
+    if (user == NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693)
+                      "auth_ldap authenticate: no user specified");
+        return AUTH_GENERAL_ERROR;
+    }
+
+    /*
+     * A bind to the server with an empty password always succeeds, so
+     * we check to ensure that the password is not empty. This implies
+     * that users who actually do have empty passwords will never be
+     * able to authenticate with this module. I don't see this as a big
+     * problem.
+     */
+    if (!(*password)) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
+                      "auth_ldap authenticate: empty password specified");
+        return AUTH_DENIED;
+    }
+
     /* There is a good AuthLDAPURL, right? */
     if (sec->host) {
         const char *binddn = sec->binddn;
@@ -562,21 +588,6 @@ static authn_status authn_ldap_check_pas
     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01691)
                   "auth_ldap authenticate: using URL %s", sec->url);
 
-    /* Get the password that the client sent */
-    if (password == NULL) {
-        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692)
-                      "auth_ldap authenticate: no password specified");
-        release_ldc(r, ldc);
-        return AUTH_GENERAL_ERROR;
-    }
-
-    if (user == NULL) {
-        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693)
-                      "auth_ldap authenticate: no user specified");
-        release_ldc(r, ldc);
-        return AUTH_GENERAL_ERROR;
-    }
-
     /* build the username filter */
     if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, user, NULL, sec)) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02622)