validate username/password fields when unencrypted (fixes #1545)

rstudio · Apr 19, 2018 · f873acc · f873acc
1 parent a6001ee
commit f873acc
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/NEWS.md b/NEWS.md
@@ -3,6 +3,7 @@
 ### Bug Fixes
 
 - Fix sign-out issue when "stay signed in" is checked in RStudio Server (#1538)
+- Fix hang when submitting empty passwords and password encryption is turned off (#1545)
 - Fix dark theme partial application in data viewer when upgrading from 1.0 (#1573)
 - Fix overlap between Refresh icon and plot title text (#1585)
 - Fix slow File Open dialog on RStudio Desktop for Linux (#1587)

diff --git a/src/cpp/server/ServerPAMAuth.cpp b/src/cpp/server/ServerPAMAuth.cpp
@@ -244,7 +244,9 @@ void signIn(const http::Request& request,
       variables[kFormAction] = "action=\"javascript:void\" "
                                "onsubmit=\"submitRealForm();return false\"";
    else
-      variables[kFormAction] = "action=\"" + variables["action"] + "\"";
+      variables[kFormAction] = "action=\"" + variables["action"] + "\" "
+                               "onsubmit=\"return verifyMe()\"";
+
 
    variables[kAppUri] = request.queryParamValue(kAppUri);
 
@@ -442,6 +444,13 @@ bool pamLogin(const std::string& username, const std::string& password)
    std::vector<std::string> args;
    args.push_back(username);
 
+   // don't try to login with an empty password (this hangs PAM as it waits for input)
+   if (password.empty())
+   {
+      LOG_WARNING_MESSAGE("No PAM password provided for user '" + username + "'; refusing login");
+      return false;
+   }
+
    // options (assume priv after fork)
    core::system::ProcessOptions options;
    options.onAfterFork = assumeRootPriv;