From: Ruediger Pluem Date: Tue, 2 Mar 2021 07:43:35 +0000 (+0000) Subject: Merge r1885939, r1885940, r1885941, r1885945 from trunk: X-Git-Tag: 2.4.47~101 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=427d38fa7e31bd9e96c6a90f143f4aa286e8769f;p=thirdparty%2Fapache%2Fhttpd.git Merge r1885939, r1885940, r1885941, r1885945 from trunk: Do not allow to set empty bind passwords to be set via AuthLDAPBindPassword Binds with empty passwords always succeed, but in case the password of the user was not empty subsequent LDAP operations fail. Before doing any bind check that the provided username is not NULL and that the password is neither NULL nor empty. Binds with empty passwords always succeed, but in case the password of the user was not empty subsequent LDAP operations fail. This causes authentications that use user supplied credentials (AuthLDAPInitialBindAsUser set to on) to fail with status code 500 instead of 401 if the user supplied an empty password. * Document r1885939 and r1885940 * Add lognumber Reviewed by: rpluem, ylavic, covener Github: closes #168 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1887080 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 5af3c081b93..47ac08b2b5d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.47 + *) mod_authnz_ldap: Prevent authentications with empty passwords for the + initial bind to fail with status 500. [Ruediger Pluem] + *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if the format can't match anyway. [Yann Ylavic] diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index 4634fe96857..a7b4939752e 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c @@ -500,6 +500,32 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user, return AUTH_GENERAL_ERROR; } + /* Get the password that the client sent */ + if (password == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692) + "auth_ldap authenticate: no password specified"); + return AUTH_GENERAL_ERROR; + } + + if (user == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693) + "auth_ldap authenticate: no user specified"); + return AUTH_GENERAL_ERROR; + } + + /* + * A bind to the server with an empty password always succeeds, so + * we check to ensure that the password is not empty. This implies + * that users who actually do have empty passwords will never be + * able to authenticate with this module. I don't see this as a big + * problem. + */ + if (!(*password)) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(10263) + "auth_ldap authenticate: empty password specified"); + return AUTH_DENIED; + } + /* There is a good AuthLDAPURL, right? */ if (sec->host) { const char *binddn = sec->binddn; @@ -522,21 +548,6 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user, ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01691) "auth_ldap authenticate: using URL %s", sec->url); - /* Get the password that the client sent */ - if (password == NULL) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692) - "auth_ldap authenticate: no password specified"); - util_ldap_connection_close(ldc); - return AUTH_GENERAL_ERROR; - } - - if (user == NULL) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693) - "auth_ldap authenticate: no user specified"); - util_ldap_connection_close(ldc); - return AUTH_GENERAL_ERROR; - } - /* build the username filter */ authn_ldap_build_filter(filtbuf, r, user, NULL, sec); @@ -1673,6 +1684,10 @@ static const char *set_bind_password(cmd_parms *cmd, void *_cfg, const char *arg sec->bindpw = (char *)arg; } + if (!(*sec->bindpw)) { + return "Empty passwords are invalid for AuthLDAPBindPassword"; + } + return NULL; }