do not allow empty passwords

When a username but no password is submitted, the login is denied right away instead of relying on the backend to refuse the login.
2025-08-15 22:25:03 +00:00 · 2014-09-26 10:36:05 +02:00
parent 395c2f0ff3
commit 5e9e105404
1 changed files with 1 additions and 1 deletions
--- a/inc/auth.php
+++ b/inc/auth.php
@ -229,7 +229,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) {

    if(!empty($user)) {
        //usual login
-        if($auth->checkPass($user, $pass)) {
+        if(!empty($pass) && $auth->checkPass($user, $pass)) {
            // make logininfo globally available
            $INPUT->server->set('REMOTE_USER', $user);
            $secret                 = auth_cookiesalt(!$sticky, true); //bind non-sticky to session