[FIX] users_ldap: double-check to prevent blank passwords

The server should have done the check in the call to super.check(),
but just in case, we double-check for blank passwords, as this is an
issue for LDAP servers that allow anonymous bindings.
See http://www.openldap.org/lists/openldap-software/200112/msg00178.html

lp bug: https://launchpad.net/bugs/760301 fixed

bzr revid: odo@openerp.com-20110428153543-vfhx9rhbspoc84b6
This commit is contained in:
Olivier Dony 2011-04-28 17:35:43 +02:00
parent 7464803d7d
commit 00c65ea9a7
1 changed files with 7 additions and 0 deletions


@ -138,6 +138,11 @@ class users(osv.osv):
return super(users,self).check(db, uid, passwd)
except security.ExceptionNoTb: # AccessDenied
pass
if not passwd:
# empty passwords disallowed for obvious security reasons
raise security.ExceptionNoTb('AccessDenied')
cr = pooler.get_db(db).cursor()
user = self.browse(cr, 1, uid)
logger = logging.getLogger('orm.ldap')
@ -156,6 +161,8 @@ class users(osv.osv):
result_type, result_data = l.result(result_id, timeout)
if result_data and result_type == ldap.RES_SEARCH_RESULT and len(result_data) == 1:
dn = result_data[0][0]
# some LDAP servers allow anonymous binding with blank passwords,
# but these have been rejected above, so we're safe to use bind()
if l.bind_s(dn, passwd):
l.unbind()
self._uid_cache.setdefault(db, {})[uid] = passwd
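Review bot: The new guard `if not passwd:` in the first hunk runs only after `super(users,self).check(db, uid, passwd)` has already been attempted with that same blank password, so the LDAP-side defense still depends on the superclass rejecting it first; hoisting `if not passwd: raise security.ExceptionNoTb('AccessDenied')` to the very top of check(), before the try, would make the check independent of super's behaviour and also skip the needless DB round-trip. The comment on the added line could state the actual risk rather than "obvious security reasons", e.g. `# blank password would turn bind_s() into an anonymous bind on some LDAP servers`, which is what the commit message explains and what the second hunk's comment relies on. Note that the later `if l.bind_s(dn, passwd):` line is pre-existing and, since python-ldap's bind_s raises on bad credentials rather than returning a falsy value, it does not itself provide a fallback if the early check were ever bypassed. The enclosing check() method starts outside the hunk.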