From 2b1e35e6ff6c5b9090f706575f0add30590877b4 Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Sat, 14 Nov 2009 14:48:56 -0500
Subject: Disallow blank passwords
---
 etc/inc/auth.inc | 66 ++++++++++++++++++++++++++++++--------------------------
 1 file changed, 36 insertions(+), 30 deletions(-)
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index a13faaf..9f80965 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -86,7 +86,7 @@ function passwd_backed_basic_auth() {
 function htpasswd_backed_basic_auth() {
 global $HTTP_SERVER_VARS;
-
+
 $authfile = file("/var/run/htpasswd");
 /* sanity check to ensure that /usr/local/www/.htpasswd doesn't exist */
@@ -94,35 +94,41 @@ function htpasswd_backed_basic_auth() {
 /* Prompt three times and give up */
 for($attempt = 0; $attempt <= 3; basic_auth_prompt()){
- $attempt++;
-
- /* Check for AUTH_USER */
- if ($HTTP_SERVER_VARS['PHP_AUTH_USER'] <> "") {
- $HTTP_SERVER_VARS['AUTH_USER'] = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
- $HTTP_SERVER_VARS['AUTH_PW'] = $HTTP_SERVER_VARS['PHP_AUTH_PW'];
- }
- if (!isset($HTTP_SERVER_VARS['AUTH_USER']))
- continue;
-
- /* Check to see if user even exists */
- $username = $HTTP_SERVER_VARS['AUTH_USER'];
- if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
- continue;
-
- /* Get crypted password */
- $matches = "";
- preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
- $pass = $matches[1];
- $salt = $matches[2];
-
- /* Encrypt entered password with salt */
- $authpass = crypt($HTTP_SERVER_VARS['AUTH_PW'], $salt);
-
- /* And finally validate password */
- if($authpass == $pass)
- return true;
- else
- continue;
+ $attempt++;
+
+ /* Check for AUTH_USER */
+ if ($HTTP_SERVER_VARS['PHP_AUTH_USER'] <> "") {
+ $HTTP_SERVER_VARS['AUTH_USER'] = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
+ $HTTP_SERVER_VARS['AUTH_PW'] = $HTTP_SERVER_VARS['PHP_AUTH_PW'];
+ }
+
+ // Disallow blank usernames
+ if (!isset($HTTP_SERVER_VARS['AUTH_USER']))
+ continue;
+
+ // Disallow blank passwords
+ if(!isset($HTTP_SERVER_VARS['AUTH_PW']))
+ continue;
+
+ /* Check to see if user even exists */
+ $username = $HTTP_SERVER_VARS['AUTH_USER'];
+ if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
+ continue;
+
+ /* Get crypted password */
+ $matches = "";
+ preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
+ $pass = $matches[1];
+ $salt = $matches[2];
+
+ /* Encrypt entered password with salt */
+ $authpass = crypt($HTTP_SERVER_VARS['AUTH_PW'], $salt);
+
+ /* And finally validate password */
+ if($authpass == $pass)
+ return true;
+ else
+ continue;
 }
 /* Should only get here if user fails login three times */
-- 
cgit v1.1
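Review bot: The new `// Disallow blank passwords` guard does not actually reject a blank password, because `isset()` is true for an empty string and the block just above it copies `PHP_AUTH_PW` — which is typically `""` when the client supplies a username without a password — into `AUTH_PW` whenever the username is non-empty; the check should read `if (!isset($HTTP_SERVER_VARS['AUTH_PW']) || $HTTP_SERVER_VARS['AUTH_PW'] === "")`. The username guard only works because the copy is skipped when `PHP_AUTH_USER` is empty, so spelling it with the same explicit `=== ""` test would make the intent visible. On the new side the user-supplied username is still interpolated unescaped into the `preg_grep` and `preg_match` patterns; `$username = preg_quote($HTTP_SERVER_VARS['AUTH_USER'], '/');` keeps it a literal match, and the `preg_match` return value should be tested before `$matches[1]`/`$matches[2]` are read so an htpasswd line that does not fit the expected crypt format never reaches `crypt()` with a null salt. The final `$authpass == $pass` comparison should be strict (`===`). The enclosing function starts before this hunk and continues past it.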