API: Ensure that empty passwords w/ client_cn are properly checked

fixes #11482
Icinga · Apr 4, 2016 · d2f5008 · d2f5008
1 parent 3715f30
commit d2f5008
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/lib/remote/httpserverconnection.cpp b/lib/remote/httpserverconnection.cpp
@@ -144,12 +144,16 @@ void HttpServerConnection::ProcessMessageAsync(HttpRequest& request)
 
 	ApiUser::Ptr user;
 
+	/* client_cn matched. */
 	if (m_ApiUser)
 		user = m_ApiUser;
 	else {
 		user = ApiUser::GetByName(username);
 
-		if (user && user->GetPassword() != password)
+		/* Deny authentication if 1) given password is empty 2) configured password does not match. */
+		if (password.IsEmpty())
+			user.reset();
+		else if (user && user->GetPassword() != password)
 			user.reset();
 	}