From 2ddd1c00d1d26e8dbd93099ad259314020b6509a Mon Sep 17 00:00:00 2001
From: "justdave%syndicomm.com"
Date: Sun, 9 Dec 2001 15:56:23 +0000
Subject: [PATCH] SECURITY FIX bug 54901: If you were using LDAP authentication it would let you log in as anyone if you left the password blank. Patch by David Crowe r= jmrobins, justdave

---
 webtools/bugzilla/CGI.pl | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/webtools/bugzilla/CGI.pl b/webtools/bugzilla/CGI.pl
index 5a2b5f7cec8..e245c1db423 100644
--- a/webtools/bugzilla/CGI.pl
+++ b/webtools/bugzilla/CGI.pl
@@ -868,6 +868,21 @@ sub confirm_login {
         exit;
     }
 
+    # if no password was provided, then fail the authentication
+    # while it may be valid to not have an LDAP password, when you
+    # bind without a password (regardless of the binddn value), you
+    # will get an anonymous bind. I do not know of a way to determine
+    # whether a bind is anonymous or not without making changes to the
+    # LDAP access control settings
+    if ( ! $::FORM{"LDAP_password"} ) {
+        print "Content-type: text/html\n\n";
+        PutHeader("Login Failed");
+        print "You did not provide a password.\n";
+        print "Please click Back and try again.\n";
+        PutFooter();
+        exit;
+    }
+
     # We've got our anonymous bind; let's look up this user.
     my $dnEntry = $LDAPconn->search(Param("LDAPBaseDN"),"subtree","uid=".$::FORM{"LDAP_login"});
     if(!$dnEntry) {
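Review bot: The new guard `if ( ! $::FORM{"LDAP_password"} )` rejects the password `0` as "not provided", because the string `"0"` is false in Perl; testing for presence and non-empty length is the precise check, `if ( !defined $::FORM{"LDAP_password"} || $::FORM{"LDAP_password"} eq "" ) {`, which still blocks the empty-password anonymous bind the commit is fixing. The guard sits after the anonymous bind and before the user bind, which is outside this hunk, so it only closes the hole if that later bind uses the same `LDAP_password` form field and does not fall back to an empty credential on its own — worth confirming on the new side. A short comment above the `if` stating that an empty simple bind is treated by LDAP servers as anonymous (and therefore always "succeeds") would preserve the why for future readers more compactly than the six-line block, e.g. `# An empty password yields an anonymous bind that always succeeds, so refuse it here.` The unchanged `search(...)` line directly below still concatenates `$::FORM{"LDAP_login"}` into the filter without escaping LDAP filter metacharacters; that predates this change but is the adjacent input-handling gap a follow-up should close. confirm_login begins and ends outside the hunk.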