upstream/kallithea Commit - r1659:40db9e08

Reject LDAP authentication requests with blank password. Per RFC4513 these should be treated as anonymous binds. See the Security Considerations (Section 6.3.1) for more details on this issue.

Shawn K. O'Shea -

r1659:40db9e08 beta

parent child

Collapse all files

rhodecode/lib/auth_ldap.py

0 +3 0

                     uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS)
+                    if not password:
+                        log.debug("Attempt to authenticate LDAP user with blank password rejected.")
+                        raise LdapPasswordError()
                     if "," in username:
                         raise LdapUsernameError("invalid character in username: ,")
                     try:

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages