From: Ruediger Pluem Date: Wed, 27 Jan 2021 08:01:06 +0000 (+0000) Subject: Do not allow to set empty bind passwords to be set via AuthLDAPBindPassword X-Git-Tag: 2.5.0-alpha2-ci-test-only~1039 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3e4c918fba9fe8306eed1fcbdc19699af30e23b8;p=thirdparty%2Fapache%2Fhttpd.git Do not allow to set empty bind passwords to be set via AuthLDAPBindPassword Binds with empty passwords always succeed, but in case the password of the user was not empty subsequent LDAP operations fail. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1885939 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index 08f5fa1bc97..592c1ef3ed8 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c @@ -1719,6 +1719,10 @@ static const char *set_bind_password(cmd_parms *cmd, void *_cfg, const char *arg sec->bindpw = (char *)arg; } + if (!(*sec->bindpw)) { + return "Empty passwords are invalid for AuthLDAPBindPassword"; + } + return NULL; }
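Review bot: The new `if (!(*sec->bindpw))` test at the end of set_bind_password carries no comment explaining why an empty value is refused; the rationale (a bind with an empty password always succeeds, and subsequent LDAP operations then fail) lives only in the commit message. A one-line comment above the test, and a slightly more explanatory error string, would keep that reasoning visible to whoever next touches the directive handler or hits the error in a config check. Two smaller points: the test runs after `sec->bindpw` has already been assigned, so the empty value is stored in the config struct at the moment the error is returned, and checking the candidate value before storing it would be tidier. It also rejects only a zero-length string, so the comment should say explicitly that this is the intended scope.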