changeset 5619:121af23cfc65 HEAD
An empty password no longer allows the user to log in with any password,
unless the nopassword extra field is also set.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Sun, 13 May 2007 21:47:42 +0300 |
parents | 5ea33dbddbae |
children | 85ae96fc1375 |
files | src/auth/auth-request.c src/auth/passdb-ldap.c src/auth/passdb-sql.c src/auth/password-scheme.c |
diffstat | 4 files changed, 31 insertions(+), 10 deletions(-) [+] |
--- a/src/auth/auth-request.c Sun May 13 21:28:41 2007 +0300
+++ b/src/auth/auth-request.c Sun May 13 21:47:42 2007 +0300
@@ -961,12 +961,17 @@
 request->no_failure_delay = TRUE;
 } else if (strcmp(name, "nopassword") == 0) {
 /* NULL password - anything goes */
- if (request->passdb_password != NULL &&
- *request->passdb_password != '\0') {
- auth_request_log_error(request,
- request->passdb->passdb->iface.name,
- "nopassword set but password is non-empty");
- return;
+ const char *password = request->passdb_password;
+
+ if (password != NULL) {
+ (void)password_get_scheme(&password);
+ if (*password != '\0') {
+ auth_request_log_error(request,
+ request->passdb->passdb->iface.name,
+ "nopassword set but password is "
+ "non-empty");
+ return;
+ }
 }
 request->no_password = TRUE;
 request->passdb_password = NULL;
@@ -1048,6 +1053,11 @@
 return 0;
 }
+ if (request->no_password) {
+ auth_request_log_info(request, subsystem, "No password");
+ return 1;
+ }
+
 ret = password_decode(crypted_password, scheme, &raw_password, &raw_password_size);
 if (ret <= 0) {
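Review bot: The return value of `password_get_scheme(&password)` is discarded in the new nopassword branch and nothing says why the call is there. Judging by the `*password != '\0'` test that follows, it presumably advances `password` past a leading scheme prefix so that a value holding only a prefix still counts as empty; a comment such as `/* skip any scheme prefix: a value holding only a prefix is still an empty password */` would record that. It would also help to note that the `return` on the error path leaves `no_password` unset, so the request appears to fall back to normal verification rather than being accepted. The enclosing function starts and ends outside the hunk.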
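Review bot: The new early `return 1` accepts the login without comparing the supplied password, yet the only trace is the info line `"No password"`, which does not say that verification was skipped or which setting caused it. For anyone auditing authentication logs a more explicit text helps, for example `auth_request_log_info(request, subsystem, "nopassword set, password check skipped");`. A one-line comment above the branch stating that it deliberately precedes `password_decode()` would also make an accidental reordering less likely. The function body starts and ends outside the hunk.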
--- a/src/auth/passdb-ldap.c Sun May 13 21:28:41 2007 +0300
+++ b/src/auth/passdb-ldap.c Sun May 13 21:47:42 2007 +0300
@@ -209,12 +209,15 @@
 } else if (ldap_next_entry(conn->ld, entry) != NULL) {
 auth_request_log_error(auth_request, "ldap", "pass_filter matched multiple objects, aborting");
+ } else if (auth_request->passdb_password == NULL &&
+ !auth_request->no_password) {
+ auth_request_log_info(auth_request, "ldap",
+ "Empty password returned without no_password");
+ passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH;
 } else {
 /* passdb_password may change on the way, so we'll need to strdup. */
 password = t_strdup(auth_request->passdb_password);
- if (password == NULL)
- auth_request->no_password = TRUE;
 passdb_result = PASSDB_RESULT_OK;
 }
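Review bot: The added branch rejects only a NULL `passdb_password`; a non-NULL but empty value, or one that is empty once a scheme prefix is removed (the case the nopassword handling in auth-request.c tests with `*password != '\0'`), still reaches `PASSDB_RESULT_OK`. Whether such values are turned into NULL before this point is not visible in the hunk, so either confirm that or document the assumption with a comment on the branch. The log text also says `no_password` although the extra field is spelled `nopassword` in auth-request.c; `"Empty password returned without nopassword"` would match what an administrator actually configures. Both points apply equally to the identical hunk in src/auth/passdb-sql.c. The enclosing if/else chain starts outside the hunk.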
--- a/src/auth/passdb-sql.c Sun May 13 21:28:41 2007 +0300
+++ b/src/auth/passdb-sql.c Sun May 13 21:47:42 2007 +0300
@@ -86,12 +86,15 @@
 } else if (sql_result_next_row(result) > 0) {
 auth_request_log_error(auth_request, "sql", "Password query returned multiple matches");
+ } else if (auth_request->passdb_password == NULL &&
+ !auth_request->no_password) {
+ auth_request_log_info(auth_request, "sql",
+ "Empty password returned without no_password");
+ passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH;
 } else {
 /* passdb_password may change on the way, so we'll need to strdup. */
 password = t_strdup(auth_request->passdb_password);
- if (password == NULL)
- auth_request->no_password = TRUE;
 passdb_result = PASSDB_RESULT_OK;
 }
 }
--- a/src/auth/password-scheme.c Sun May 13 21:28:41 2007 +0300
+++ b/src/auth/password-scheme.c Sun May 13 21:47:42 2007 +0300
@@ -255,6 +255,11 @@
 {
 const char *password;
+ if (size == 0) {
+ /* the default mycrypt() handler would return match */
+ return FALSE;
+ }
+
 password = t_strndup(raw_password, size);
 return strcmp(mycrypt(plaintext, password), password) == 0;
 }
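Review bot: The comment on the new `size == 0` guard says the default mycrypt() handler "would return match" but not a match for what, which hides the fact that this is a security check. Something like `/* empty stored hash: the default mycrypt() handler would report a match for any plaintext, so refuse it */` makes the intent clear to the next reader. The guard covers only a zero-length value; how `mycrypt()` behaves for a non-empty value that is too short to hold a salt is not visible here and may deserve a look. The function's signature is outside the hunk.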