From 88165371efbc79fdc0194de26814eacca68d2a5c Mon Sep 17 00:00:00 2001
From: Ermal
Date: Wed, 30 May 2012 20:51:11 +0000
Subject: Do not allow empty passwords since this might cause problems for some authentication servers like ldap. Fixes #2326
---
 etc/inc/auth.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'etc/inc/auth.inc')
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 5b62e6a..1c176ab 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -1304,7 +1304,7 @@ function session_auth() {
 session_start();
 /* Validate incoming login request */
- if (isset($_POST['login'])) {
+ if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {
 $authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
 if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg) || authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
@@ -1412,4 +1412,4 @@ function session_auth() {
 Header("X-Frame-Options: SAMEORIGIN");
-?>
\ No newline at end of file
+?>
-- cgit v1.1
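Review bot: The empty-credential guard added to the `if (isset($_POST['login']) && ...)` line in the first hunk protects only the `session_auth()` path, so any other caller of `authenticate_user()` can presumably still pass an empty password to a backend such as LDAP, where an empty-password simple bind is commonly treated as an unauthenticated bind. The same rejection should also live inside `authenticate_user()` or the LDAP backend, neither of which is visible in this hunk. Because the whole branch is now skipped, a login POST with an empty field likely also bypasses whatever failure message and logging the rest of the branch provides, so such attempts may go unrecorded; keeping the outer test as `if (isset($_POST['login']))` and failing the attempt inside it would preserve that trail. `empty()` also rejects the literal string `"0"` and lets a non-string (array) value through, so a stricter test is `is_string($_POST['passwordfld']) && $_POST['passwordfld'] !== ''`, with the same for `usernamefld`. The body of `session_auth()` continues outside the hunk.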