From 00a00be692ded2e04cf9a71d0848244cfee35657 Mon Sep 17 00:00:00 2001
From: Maxime Dor
Date: Mon, 18 Sep 2017 12:51:36 +0200
Subject: [PATCH] LDAP backend: protect against empty username
---
 .../groovy/io/kamax/mxisd/backend/ldap/LdapAuthProvider.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/main/groovy/io/kamax/mxisd/backend/ldap/LdapAuthProvider.java b/src/main/groovy/io/kamax/mxisd/backend/ldap/LdapAuthProvider.java
index cf25663..64f38bc 100644
--- a/src/main/groovy/io/kamax/mxisd/backend/ldap/LdapAuthProvider.java
+++ b/src/main/groovy/io/kamax/mxisd/backend/ldap/LdapAuthProvider.java
@@ -63,6 +63,11 @@ public class LdapAuthProvider extends LdapGenericBackend implements Authenticato
 String uidType = getCfg().getAttribute().getUid().getType();
 String userFilterValue = StringUtils.equals(LdapThreePidProvider.UID, uidType) ? mxid.getLocalPart() : mxid.getId();
+ if (StringUtils.isBlank(userFilterValue)) {
+ log.warn("Username is empty, failing auth");
+ return BackendAuthResult.failure();
+ }
+
 String userFilter = "(" + getCfg().getAttribute().getUid().getValue() + "=" + userFilterValue + ")";
 if (!StringUtils.isBlank(getCfg().getAuth().getFilter())) {
 userFilter = "(&" + getCfg().getAuth().getFilter() + userFilter + ")";
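Review bot: The added blank check rejects an empty value, but `userFilterValue` is still concatenated unescaped into the LDAP filter on the following context line (`"=" + userFilterValue + ")"`), so a non-blank value containing filter metacharacters (`*`, `(`, `)`, `\`, NUL) would change the search filter rather than be matched literally. Whether `mxid` is already restricted to a safe character set is not visible in this hunk, so the value should be escaped per RFC 4515 before the filter is built, e.g. `userFilterValue = FilterEncoder.encodeFilterValue(userFilterValue);` if the backend is built on the Apache Directory LDAP API (an assumption; otherwise use the equivalent escaper of the LDAP library in use). The same applies to the configured `getCfg().getAuth().getFilter()` only insofar as it is operator-controlled, which it appears to be. The enclosing method starts and ends outside the hunk.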