[dovecot-cvs] dovecot/src/auth auth-request.c, 1.99, 1.100 passdb-ldap.c, 1.63, 1.64 passdb-sql.c, 1.34, 1.35 password-scheme.c, 1.34, 1.35
tss at dovecot.org
tss at dovecot.org
Sun May 13 21:47:44 EEST 2007
Update of /var/lib/cvs/dovecot/src/auth
In directory talvi:/tmp/cvs-serv25705
Modified Files:
auth-request.c passdb-ldap.c passdb-sql.c password-scheme.c
Log Message:
An empty password no longer allows the user to log in with any password,
unless the nopassword extra field is also set.
Index: auth-request.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/auth-request.c,v
retrieving revision 1.99
retrieving revision 1.100
diff -u -d -r1.99 -r1.100
--- auth-request.c 13 May 2007 12:17:09 -0000 1.99
+++ auth-request.c 13 May 2007 18:47:42 -0000 1.100
@@ -961,12 +961,17 @@
request->no_failure_delay = TRUE;
} else if (strcmp(name, "nopassword") == 0) {
/* NULL password - anything goes */
- if (request->passdb_password != NULL &&
- *request->passdb_password != '\0') {
- auth_request_log_error(request,
- request->passdb->passdb->iface.name,
- "nopassword set but password is non-empty");
- return;
+ const char *password = request->passdb_password;
+
+ if (password != NULL) {
+ (void)password_get_scheme(&password);
+ if (*password != '\0') {
+ auth_request_log_error(request,
+ request->passdb->passdb->iface.name,
+ "nopassword set but password is "
+ "non-empty");
+ return;
+ }
}
request->no_password = TRUE;
request->passdb_password = NULL;
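Review bot: The comment `/* NULL password - anything goes */` at the top of the nopassword branch no longer matches the new check, which also accepts a value that is empty once `password_get_scheme()` has been applied to it. It appears to skip a leading scheme prefix, but its definition is outside this diff. I would reword it to something like `/* NULL or empty password (a bare scheme prefix counts as empty) - anything goes */`, so the next reader knows which stored values are treated as "no password". The result of `password_get_scheme()` is discarded with `(void)`; a short comment saying that an unparsable prefix leaves `password` non-empty, and therefore lands on the error path, would document that this fails closed, if that is indeed how the helper behaves. The enclosing function starts and ends outside the hunk.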
@@ -1048,6 +1053,11 @@
return 0;
}
+ if (request->no_password) {
+ auth_request_log_info(request, subsystem, "No password");
+ return 1;
+ }
+
ret = password_decode(crypted_password, scheme,
&raw_password, &raw_password_size);
if (ret <= 0) {
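Review bot: The added `if (request->no_password)` block returns 1 without looking at `crypted_password`, so a successful login here depends on `no_password` only ever being TRUE when the stored password is NULL or empty. The nopassword handler in this commit checks that when the field is processed, but whether a password field handled afterwards can repopulate `passdb_password` while the flag stays set is not visible from this hunk. I would state the invariant next to the check, e.g. `/* no_password is only set after passdb_password was verified to be NULL or empty */`, and confirm that the field-setting code clears the flag when a non-empty password arrives later. The function body continues outside the hunk.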
Index: passdb-ldap.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/passdb-ldap.c,v
retrieving revision 1.63
retrieving revision 1.64
diff -u -d -r1.63 -r1.64
--- passdb-ldap.c 13 May 2007 12:17:09 -0000 1.63
+++ passdb-ldap.c 13 May 2007 18:47:42 -0000 1.64
@@ -209,12 +209,15 @@
} else if (ldap_next_entry(conn->ld, entry) != NULL) {
auth_request_log_error(auth_request, "ldap",
"pass_filter matched multiple objects, aborting");
+ } else if (auth_request->passdb_password == NULL &&
+ !auth_request->no_password) {
+ auth_request_log_info(auth_request, "ldap",
+ "Empty password returned without no_password");
+ passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH;
} else {
/* passdb_password may change on the way,
so we'll need to strdup. */
password = t_strdup(auth_request->passdb_password);
- if (password == NULL)
- auth_request->no_password = TRUE;
passdb_result = PASSDB_RESULT_OK;
}
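Review bot: The log text `"Empty password returned without no_password"` names the internal flag, while the extra field an administrator has to set is called `nopassword` in auth-request.c, so the message points at a name that does not exist in the configuration. Something like `"Empty password returned without nopassword extra field"` would be directly actionable. The new branch also tests only `passdb_password == NULL`, so an empty-string value or a bare scheme prefix falls through to `PASSDB_RESULT_OK` and is rejected only if the scheme verifier handles zero-length input. If the intent is to fail closed here, the condition could apply the same "empty after scheme prefix" test that the nopassword handler uses. Both remarks apply equally to the matching hunk in passdb-sql.c.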
Index: passdb-sql.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/passdb-sql.c,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -d -r1.34 -r1.35
--- passdb-sql.c 13 May 2007 08:24:06 -0000 1.34
+++ passdb-sql.c 13 May 2007 18:47:42 -0000 1.35
@@ -86,12 +86,15 @@
} else if (sql_result_next_row(result) > 0) {
auth_request_log_error(auth_request, "sql",
"Password query returned multiple matches");
+ } else if (auth_request->passdb_password == NULL &&
+ !auth_request->no_password) {
+ auth_request_log_info(auth_request, "sql",
+ "Empty password returned without no_password");
+ passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH;
} else {
/* passdb_password may change on the way,
so we'll need to strdup. */
password = t_strdup(auth_request->passdb_password);
- if (password == NULL)
- auth_request->no_password = TRUE;
passdb_result = PASSDB_RESULT_OK;
}
}
Index: password-scheme.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/auth/password-scheme.c,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -d -r1.34 -r1.35
--- password-scheme.c 13 May 2007 12:17:09 -0000 1.34
+++ password-scheme.c 13 May 2007 18:47:42 -0000 1.35
@@ -255,6 +255,11 @@
{
const char *password;
+ if (size == 0) {
+ /* the default mycrypt() handler would return match */
+ return FALSE;
+ }
+
password = t_strndup(raw_password, size);
return strcmp(mycrypt(plaintext, password), password) == 0;
}
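Review bot: The `size == 0` guard protects only this verifier, and its comment `/* the default mycrypt() handler would return match */` does not say why a match would result. A more explicit wording would help, e.g. `/* with an empty stored hash the mycrypt() result compares equal to it, so any plaintext would match */`, assuming that is the behaviour being guarded against. Whether the other scheme verifiers in password-scheme.c reject a zero-length stored value is not visible here. If any of them can also match on empty input, a single check in the common verify entry point before dispatching would cover every scheme. The function signature is outside the hunk.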