API: Ensure that empty passwords w/ client_cn are properly checked
authorMichael Friedrich <michael.friedrich@netways.de>
Mon, 4 Apr 2016 14:38:47 +0000 (16:38 +0200)
committerMichael Friedrich <michael.friedrich@netways.de>
Mon, 4 Apr 2016 14:38:47 +0000 (16:38 +0200)
fixes #11482

lib/remote/httpserverconnection.cpp

index d78ced453df7cb9d0c6ab19571827f4a841e3da0..f4aa24f421197935cb1e004246513569b7f49206 100644 (file)
@@ -144,12 +144,16 @@ void HttpServerConnection::ProcessMessageAsync(HttpRequest& request)
 
        ApiUser::Ptr user;
 
+       /* client_cn matched. */
        if (m_ApiUser)
                user = m_ApiUser;
        else {
                user = ApiUser::GetByName(username);
 
-               if (user && user->GetPassword() != password)
+               /* Deny authentication if 1) given password is empty 2) configured password does not match. */
+               if (password.IsEmpty())
+                       user.reset();
+               else if (user && user->GetPassword() != password)
                        user.reset();
        }
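Review bot: The credential check on the `else if` line still compares the configured and supplied passwords with `user->GetPassword() != password`. If that operator is an ordinary string inequality that stops at the first differing byte (its implementation is not visible here), response timing can reveal how much of a guess matched. A comparison that always walks the full length would close that. Since both branches end in `user.reset()`, they could also be folded into one condition, `if (user && (password.IsEmpty() || user->GetPassword() != password))`, which keeps the deny rule in a single place. The hunk shows no log line for a rejected empty-password attempt; ProcessMessageAsync continues outside the hunk, so confirm that such rejections are recorded further down.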