Merged revisions 61787 via svnmerge from
authorRussell Bryant <russell@russellbryant.com>
Tue, 24 Apr 2007 21:37:00 +0000 (21:37 +0000)
committerRussell Bryant <russell@russellbryant.com>
Tue, 24 Apr 2007 21:37:00 +0000 (21:37 +0000)
https://origsvn.digium.com/svn/asterisk/branches/1.4

................
r61787 | russell | 2007-04-24 16:34:53 -0500 (Tue, 24 Apr 2007) | 12 lines

Merged revisions 61786 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.2

........
r61786 | russell | 2007-04-24 16:33:59 -0500 (Tue, 24 Apr 2007) | 4 lines

Don't crash if a manager connection provides a username that exists in
manager.conf but does not have a password, and also requests MD5
authentication. (ASA-2007-012)

........

................

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@61788 65c4cc65-6c06-0410-ace0-fbb531ad65f3

main/manager.c

index 88dba48..8b0381e 100644 (file)
@@ -984,7 +984,8 @@ static int authenticate(struct mansession *s, const struct message *m)
        }
        if (!strcasecmp(astman_get_header(m, "AuthType"), "MD5")) {
                const char *key = astman_get_header(m, "Key");
-               if (!ast_strlen_zero(key) && !ast_strlen_zero(s->challenge)) {
+               if (!ast_strlen_zero(key) && !ast_strlen_zero(s->challenge) &&
+                   !ast_strlen_zero(password)) {
                        int x;
                        int len = 0;
                        char md5key[256] = "";