LDAP backend: protect against empty username

2017-09-18 12:51:36 +02:00
parent 9e8dade238
commit 00a00be692
1 changed files with 5 additions and 0 deletions
--- a/src/main/groovy/io/kamax/mxisd/backend/ldap/LdapAuthProvider.java
+++ b/src/main/groovy/io/kamax/mxisd/backend/ldap/LdapAuthProvider.java
@@ -63,6 +63,11 @@ public class LdapAuthProvider extends LdapGenericBackend implements Authenticato

            String uidType = getCfg().getAttribute().getUid().getType();
            String userFilterValue = StringUtils.equals(LdapThreePidProvider.UID, uidType) ? mxid.getLocalPart() : mxid.getId();
+            if (StringUtils.isBlank(userFilterValue)) {
+                log.warn("Username is empty, failing auth");
+                return BackendAuthResult.failure();
+            }
+
            String userFilter = "(" + getCfg().getAttribute().getUid().getValue() + "=" + userFilterValue + ")";
            if (!StringUtils.isBlank(getCfg().getAuth().getFilter())) {
                userFilter = "(&" + getCfg().getAuth().getFilter() + userFilter + ")";