don't accept empty passwords
authorkouril <kouril>
Thu, 5 Feb 2004 14:05:50 +0000 (14:05 +0000)
committerkouril <kouril>
Thu, 5 Feb 2004 14:05:50 +0000 (14:05 +0000)
src/mod_auth_kerb.c

index 5a1f627..edd5ab0 100644 (file)
@@ -651,6 +651,13 @@ int authenticate_user_krb5pwd(request_rec *r,
    }
 
    sent_pw = ap_pbase64decode(r->pool, auth_line);
+   if (sent_pw == NULL || *sent_pw == '\0') {
+      log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 
+                "empty passwords are not accepted");
+      ret = HTTP_UNAUTHORIZED;
+      goto end;
+   }
+
    sent_name = ap_getword (r->pool, &sent_pw, ':');
    /* do not allow user to override realm setting of server */
    if (strchr(sent_name, '@')) {
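Review bot: The new test on `*sent_pw == '\0'` runs before `ap_getword` splits the decoded `user:password` string, so it only rejects a completely empty credential. A value such as `user:` passes because its first byte is the user name, not the password. To match the commit's intent, keep the `sent_pw == NULL` guard where it is and add the emptiness test after the split, once `sent_pw` points at the password: `if (*sent_pw == '\0') { ret = HTTP_UNAUTHORIZED; goto end; }`, with the same log line. How an empty password is handled further down is not visible here, as the body of authenticate_user_krb5pwd continues outside the hunk. Rejecting it at this point avoids relying on the KDC's behaviour.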