never allow blank passwords

author Evan Prodromou <evan@prodromou.name>

Mon, 25 Aug 2008 18:52:45 +0000 (14:52 -0400)

committer Evan Prodromou <evan@prodromou.name>

Mon, 25 Aug 2008 18:52:45 +0000 (14:52 -0400)
author Evan Prodromou <evan@prodromou.name>
Mon, 25 Aug 2008 18:52:45 +0000 (14:52 -0400)
committer Evan Prodromou <evan@prodromou.name>
Mon, 25 Aug 2008 18:52:45 +0000 (14:52 -0400)
diff --git a/lib/util.php b/lib/util.php

index efd86ad509e12fc386c4b306409c2c3952eb9e4a..e14cc36aced85fec86ac35dd6aac3fe55a6c444f 100644 (file)
--- a/lib/util.php
+++ b/lib/util.php
@@ -493,6 +493,10 @@ function common_munge_password($password, $id) {
  
  # check if a username exists and has matching password
  function common_check_user($nickname, $password) {
+       # NEVER allow blank passwords, even if they match the DB
+       if (mb_strlen($password) == 0) {
+               return false;
+       }
         $user = User::staticGet('nickname', $nickname);
         if (is_null($user)) {
                 return false;
author	Evan Prodromou <evan@prodromou.name>
	Mon, 25 Aug 2008 18:52:45 +0000 (14:52 -0400)
committer	Evan Prodromou <evan@prodromou.name>
	Mon, 25 Aug 2008 18:52:45 +0000 (14:52 -0400)