[system source] fix authentication: don't allow login whatever the given password if user password is NULL in database. Closes #2186099 stable
authorSylvain Thénault <sylvain.thenault@logilab.fr>
Mon, 13 Feb 2012 17:57:07 +0100
branchstable
changeset 8235 c2a91d6639d8
parent 8234 83fd9ff90a9d
child 8236 cc70da744f43
child 8238 087bb529035c
[system source] fix authentication: don't allow login whatever the given password if user password is NULL in database. Closes #2186099
server/sources/native.py
--- a/server/sources/native.py	Tue Feb 14 15:15:59 2012 +0100
+++ b/server/sources/native.py	Mon Feb 13 17:57:07 2012 +0100
@@ -1586,9 +1586,11 @@
                 pwd = rset[0][0]
             except IndexError:
                 raise AuthenticationError('bad login')
+            if pwd is None:
+                # if pwd is None but a password is provided, something is wrong
+                raise AuthenticationError('bad password')
             # passwords are stored using the Bytes type, so we get a StringIO
-            if pwd is not None:
-                args['pwd'] = Binary(crypt_password(password, pwd.getvalue()[:2]))
+            args['pwd'] = Binary(crypt_password(password, pwd.getvalue()[:2]))
         # get eid from login and (crypted) password
         rset = self.source.syntax_tree_search(session, self._auth_rqlst, args)
         try:
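Review bot: The added `raise AuthenticationError('bad password')` in the new `if pwd is None:` branch carries a different message from the `'bad login'` raised for an unknown login just above it, so anything that surfaces the exception text can distinguish a non-existent login from an existing account whose stored password is NULL; `raise AuthenticationError('bad login')` (or one shared message for both failures) keeps the two cases indistinguishable, which is the usual rule for authentication errors. The added comment asserts that a password is provided, but the hunk does not show where that holds — presumably an enclosing `if password is not None:` guard, which the comment could name explicitly, e.g. `# NULL stored password: no provided password can ever match it, reject the attempt`. The enclosing method's signature and its surrounding `try`/`if` blocks begin before and continue after this hunk.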