From 5910f2e31063fbcf0fdc6ed355afde777c0c3a9b Mon Sep 17 00:00:00 2001
From: Michael Friedrich
Date: Mon, 4 Apr 2016 16:38:47 +0200
Subject: [PATCH] API: Ensure that empty passwords w/ client_cn are properly checked

fixes #11482
---
 lib/remote/httpserverconnection.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/remote/httpserverconnection.cpp b/lib/remote/httpserverconnection.cpp
index d78ced453df..f4aa24f4211 100644
--- a/lib/remote/httpserverconnection.cpp
+++ b/lib/remote/httpserverconnection.cpp
@@ -144,12 +144,16 @@ void HttpServerConnection::ProcessMessageAsync(HttpRequest& request)
 	ApiUser::Ptr user;
 
+	/* client_cn matched. */
 	if (m_ApiUser)
 		user = m_ApiUser;
 	else {
 		user = ApiUser::GetByName(username);
 
-		if (user && user->GetPassword() != password)
+		/* Deny authentication if 1) given password is empty 2) configured password does not match. */
+		if (password.IsEmpty())
+			user.reset();
+		else if (user && user->GetPassword() != password)
 			user.reset();
 	}