From 2e6fddcccf09a456b51ec1b8b6d946048724429b Mon Sep 17 00:00:00 2001 From: JD Horelick Date: Wed, 24 Nov 2010 04:46:36 -0500 Subject: [PATCH] Force a password if auth_user is sent in PASS. Not doing this (and not having a password on the auth block) makes it really easy for anyone to get access to that auth block. --- modules/m_pass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/m_pass.c b/modules/m_pass.c index 73b3c13..10f142a 100644 --- a/modules/m_pass.c +++ b/modules/m_pass.c @@ -90,7 +90,7 @@ mr_pass(struct Client *client_p, struct Client *source_p, int parc, const char * client_p->localClient->passwd = *pass ? rb_strndup(pass, PASSWDLEN) : NULL; - if(auth_user && *auth_user) + if(auth_user && *auth_user && pass && *pass) client_p->localClient->auth_user = rb_strndup(auth_user, PASSWDLEN); /* These are for servers only */