From 5e9e1054045318cfb23f64db7be36a677dc9481a Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Fri, 26 Sep 2014 10:36:05 +0200
Subject: [PATCH] do not allow empty passwords

When a username but no password is submitted, the login is denied right
away instead of relying on the backend to refuse the login.
---
 inc/auth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/inc/auth.php b/inc/auth.php
index 7477ae7ef..037f7e78f 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -229,7 +229,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) {
 
     if(!empty($user)) {
         //usual login
-        if($auth->checkPass($user, $pass)) {
+        if(!empty($pass) && $auth->checkPass($user, $pass)) {
             // make logininfo globally available
             $INPUT->server->set('REMOTE_USER', $user);
             $secret                 = auth_cookiesalt(!$sticky, true); //bind non-sticky to session
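Review bot: The guard added on the `checkPass` line uses `empty($pass)`, which PHP also evaluates as true for the string `'0'`, so an account whose password is literally `0` would now be refused before the backend is asked. Testing for the empty string explicitly, for example `if((string) $pass !== '' && $auth->checkPass($user, $pass)) {`, rejects only the missing-password case. The check lives at this one call site, so any other code path that calls a backend's `checkPass` directly (none is visible in this hunk) would still rely on the backend to refuse an empty password. A comment above the condition such as `// never hand an empty password to the backend, which might not refuse it` would keep a later refactor from dropping the guard. `auth_login` starts and ends outside the hunk, so the remaining branches were not reviewed.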
-- 
GitLab