Don't allow empty user name and passwords in InternalAuthBackend

A simple null check for the username and password in InternalAuthBackend is
not enough. Empty usernames and passwords should also not be allowed.

Change-Id: I7ab1866b6b977db568c7fdec931cc5b96122f8c1
Signed-off-by: Dariusz Luksza <dariusz@luksza.org>
Dariusz Luksza
2014-04-04 15:59:50 +02:00
committed by David Pursehouse
parent 6b9159abe7
commit 6cb803b959


@@ -14,6 +14,7 @@
package com.google.gerrit.server.auth;
import com.google.common.base.Strings;
import com.google.gerrit.server.account.AccountCache;
import com.google.gerrit.server.account.AccountState;
import com.google.gerrit.server.config.AuthConfig;
@@ -42,7 +43,8 @@ public class InternalAuthBackend implements AuthBackend {
public AuthUser authenticate(AuthRequest req)
throws MissingCredentialsException, InvalidCredentialsException,
UnknownUserException, UserNotAllowedException, AuthException {
if (req.getUsername() == null || req.getPassword() == null) {
if (Strings.isNullOrEmpty(req.getUsername())
|| Strings.isNullOrEmpty(req.getPassword())) {
throw new MissingCredentialsException();
}
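Review bot: The new guard at the top of `authenticate` does not say why empty credentials are rejected alongside null ones, and the password half is the security-relevant part. If the comparison further down (outside this hunk) is a plain equality against the stored password, an account whose stored password is empty or unset could presumably have been matched by an empty submission, so the check deserves to be documented as an invariant rather than input tidying. I would add above the `if`: `// Empty credentials are treated as missing so an empty password can never match a stored value.` Note also that `Strings.isNullOrEmpty` still lets a whitespace-only username through to the account lookup; whether that matters depends on code not visible here. The body of `authenticate` continues past the end of the hunk.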