Fixed issue with blank password with Ldap

The bind operation of LDAP, as described in RFC 4513, provides a method
which allows for authentication of users. For the Simple Authentication
Method a user may use the anonymous authentication mechanism, the
unauthenticated authentication mechanism, or the name/password
authentication mechanism. The unauthenticated authentication mechanism
is used when a client who desires to establish an anonymous
authorization state passes a non-zero length distinguished name and a
zero length password. Most LDAP servers either can be configured to
allow this mechanism or allow it by default.

_Web-based applications which perform the simple bind operation with the
client's credentials are at risk when an anonymous authorization state is
established. This can occur when the web-based application passes a
distinguished name and a zero length password to the LDAP server._

Thus, misconfiguring a server with simple bind can trick Symfony into
thinking the username/password tuple as valid, potentially leading to
unauthorized access.

2 files changed, 22 insertions, 1 deletions

diff --git a/Core/Authentication/Provider/LdapBindAuthenticationProvider.php b/Core/Authentication/Provider/LdapBindAuthenticationProvider.php
index adc42ef..e887f99 100644
--- a/Core/Authentication/Provider/LdapBindAuthenticationProvider.php
+++ b/Core/Authentication/Provider/LdapBindAuthenticationProvider.php
@@ -73,6 +73,10 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider
         $username = $token->getUsername();
         $password = $token->getCredentials();
 
+        if ('' === $password) {
+            throw new BadCredentialsException('The presented password must not be empty.');
+        }
+
         try {
             $username = $this->ldap->escape($username, '', LDAP_ESCAPE_DN);
             $dn = str_replace('{username}', $username, $this->dnString);
diff --git a/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php b/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php
index 844bcef..fbb4d73 100644
--- a/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php
+++ b/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php
@@ -23,6 +23,23 @@ class LdapBindAuthenticationProviderTest extends \PHPUnit_Framework_TestCase
 {
     /**
      * @expectedException        \Symfony\Component\Security\Core\Exception\BadCredentialsException
+     * @expectedExceptionMessage The presented password must not be empty.
+     */
+    public function testEmptyPasswordShouldThrowAnException()
+    {
+        $userProvider = $this->getMock('Symfony\Component\Security\Core\User\UserProviderInterface');
+        $ldap = $this->getMock('Symfony\Component\Ldap\LdapClientInterface');
+        $userChecker = $this->getMock('Symfony\Component\Security\Core\User\UserCheckerInterface');
+
+        $provider = new LdapBindAuthenticationProvider($userProvider, $userChecker, 'key', $ldap);
+        $reflection = new \ReflectionMethod($provider, 'checkAuthentication');
+        $reflection->setAccessible(true);
+
+        $reflection->invoke($provider, new User('foo', null), new UsernamePasswordToken('foo', '', 'key'));
+    }
+
+    /**
+     * @expectedException        \Symfony\Component\Security\Core\Exception\BadCredentialsException
      * @expectedExceptionMessage The presented password is invalid.
      */
     public function testBindFailureShouldThrowAnException()
@@ -40,7 +57,7 @@ class LdapBindAuthenticationProviderTest extends \PHPUnit_Framework_TestCase
         $reflection = new \ReflectionMethod($provider, 'checkAuthentication');
         $reflection->setAccessible(true);
 
-        $reflection->invoke($provider, new User('foo', null), new UsernamePasswordToken('foo', '', 'key'));
+        $reflection->invoke($provider, new User('foo', null), new UsernamePasswordToken('foo', 'bar', 'key'));
     }
 
     public function testRetrieveUser()