Mercurial > kallithea
changeset 1659:40db9e086773 beta
Reject LDAP authentication requests with blank password. Per RFC4513 these should be treated as anonymous binds. See the Security Considerations (Section 6.3.1) for more details on this issue.
| author | Shawn K. O'Shea <shawn@eth0.net> |
|---|---|
| date | Mon, 07 Nov 2011 16:06:24 -0500 |
| parents | 3387b53044bf |
| children | f62a960bae39 |
| files | rhodecode/lib/auth_ldap.py |
| diffstat | 1 files changed, 3 insertions(+), 0 deletions(-) |
--- a/rhodecode/lib/auth_ldap.py Mon Nov 07 15:37:58 2011 +0200 +++ b/rhodecode/lib/auth_ldap.py Mon Nov 07 16:06:24 2011 -0500 @@ -87,6 +87,9 @@ uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS) + if not password: + log.debug("Attempt to authenticate LDAP user with blank password rejected.") + raise LdapPasswordError() if "," in username: raise LdapUsernameError("invalid character in username: ,") try:
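Review bot: the new `if not password:` guard raises `LdapPasswordError()` with no message while the adjacent `LdapUsernameError("invalid character in username: ,")` carries one, and the debug line does not say which account was involved; consider `raise LdapPasswordError("blank password")` and including `uid` in the log message so a rejected empty-password bind attempt can be correlated in the audit trail (this is the unauthenticated bind case RFC 4513 section 6.3.1 warns about, where a simple bind with a DN and a zero-length password is treated as anonymous). `not password` correctly covers both `None` and `''` and, as intended, does not reject a whitespace-only password, which the server would not treat as anonymous. The check also sits after `uid = chop_at(...)` for no reason; placing it as the first statement of the function would make the precondition clearer, and a unit test that asserts the exception for `password=""` would keep this from regressing.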