authorjustdave%syndicomm.com <>2001-12-10 00:56:23 +0100
committerjustdave%syndicomm.com <>2001-12-10 00:56:23 +0100
commit482e72b6a8190cf4e2ada47cf1168f36ed92afe5 (patch)
tree3957d3734a545df56c51b02d7e39306ca096eb9d
parent709a4c037dc5113692aee18c5a85262613653a45 (diff)
SECURITY FIX bug 54901: If you were using LDAP authentication it would let you log in as anyone if you left the password
blank. Patch by David Crowe <crow@waveset.com> r= jmrobins, justdave
-rw-r--r--CGI.pl15
1 files changed, 15 insertions, 0 deletions
diff --git a/CGI.pl b/CGI.pl
index 5a2b5f7ce..e245c1db4 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -868,6 +868,21 @@ sub confirm_login {
exit;
}
+ # if no password was provided, then fail the authentication
+ # while it may be valid to not have an LDAP password, when you
+ # bind without a password (regardless of the binddn value), you
+ # will get an anonymous bind. I do not know of a way to determine
+ # whether a bind is anonymous or not without making changes to the
+ # LDAP access control settings
+ if ( ! $::FORM{"LDAP_password"} ) {
+ print "Content-type: text/html\n\n";
+ PutHeader("Login Failed");
+ print "You did not provide a password.\n";
+ print "Please click <b>Back</b> and try again.\n";
+ PutFooter();
+ exit;
+ }
+
# We've got our anonymous bind; let's look up this user.
my $dnEntry = $LDAPconn->search(Param("LDAPBaseDN"),"subtree","uid=".$::FORM{"LDAP_login"});
if(!$dnEntry) {