From 00c65ea9a7a22d83b8537bfa3c9969deec5cb809 Mon Sep 17 00:00:00 2001
From: Olivier Dony
Date: Thu, 28 Apr 2011 17:35:43 +0200
Subject: [PATCH] [FIX] users_ldap: double-check to prevent blank passwords

The server should have done the check in the call to super.check(), but just in case, we double-check for blank passwords, as this is an issue for LDAP servers that allow anonymous bindings. See http://www.openldap.org/lists/openldap-software/200112/msg00178.html

lp bug: https://launchpad.net/bugs/760301 fixed

bzr revid: odo@openerp.com-20110428153543-vfhx9rhbspoc84b6
---
 addons/users_ldap/users_ldap.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/addons/users_ldap/users_ldap.py b/addons/users_ldap/users_ldap.py
index 2c590242889..1e924a22276 100644
--- a/addons/users_ldap/users_ldap.py
+++ b/addons/users_ldap/users_ldap.py
@@ -138,6 +138,11 @@ class users(osv.osv):
 return super(users,self).check(db, uid, passwd)
 except security.ExceptionNoTb: # AccessDenied
 pass
+
+ if not passwd:
+ # empty passwords disallowed for obvious security reasons
+ raise security.ExceptionNoTb('AccessDenied')
+
 cr = pooler.get_db(db).cursor()
 user = self.browse(cr, 1, uid)
 logger = logging.getLogger('orm.ldap')
@@ -156,6 +161,8 @@ class users(osv.osv):
 result_type, result_data = l.result(result_id, timeout)
 if result_data and result_type == ldap.RES_SEARCH_RESULT and len(result_data) == 1:
 dn = result_data[0][0]
+ # some LDAP servers allow anonymous binding with blank passwords,
+ # but these have been rejected above, so we're safe to use bind()
 if l.bind_s(dn, passwd):
 l.unbind()
 self._uid_cache.setdefault(db, {})[uid] = passwd
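Review bot: The new `if not passwd:` guard only runs after `super(users,self).check(db, uid, passwd)` has already been attempted and has raised, so a blank password still reaches the base-class check before the LDAP path rejects it; the commit message itself hedges that the server "should" have done that check, so making the guard the first statement of the method would make the rejection unconditional rather than contingent on the caller. Proposed: move `if not passwd: raise security.ExceptionNoTb('AccessDenied')` above the `try:` and drop the copy after the `except` — assuming, which I cannot confirm from here, that the base-class path has no legitimate use for an empty password. The `try:` line and the `def check(...)` signature are outside the hunk, so the exact insertion point needs to be checked in the full file. The comment `# empty passwords disallowed for obvious security reasons` would be more useful as `# an empty password would turn the LDAP bind below into an anonymous/unauthenticated bind on servers that allow it`, since that is the actual reason rather than an appeal to the obvious.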
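Review bot: The added comment makes the safety of `l.bind_s(dn, passwd)` depend on a guard that lives many lines earlier in the same method, so a later edit that moves or loosens that guard would silently re-enable the anonymous-bind path; a local check right before the bind, `if not passwd: raise security.ExceptionNoTb('AccessDenied')`, keeps the invariant next to the line that relies on it (an `assert` is not a substitute, as it is stripped under `-O`). Separately, `if l.bind_s(dn, passwd):` reads as though a failed bind returns a falsy value, but as far as I recall python-ldap reports a simple-bind failure by raising (typically `ldap.INVALID_CREDENTIALS`), in which case the `l.unbind()` on the next line is never reached and the connection is left to whatever handler sits outside this hunk — worth confirming against the full method. The enclosing method starts outside the hunk. I would reword the two new comment lines to `# an empty password would make this an anonymous (unauthenticated) bind on servers` / `# that allow it, so the blank-password check at the top of check() must stay`, which names the invariant instead of merely asserting it holds.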