mirrors/xrdp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Disable autologon for empty passwords

Browse Source 
Although there is nothing in the specification to prevent automatic
logons with empty passwords, this is not a secure default.

The autologon flag INFO_AUTOLOGON ([MS-RDPBCGR] 2.2.1.11.1.1) is now
ignored for empty passwords.
This commit is contained in:
matt335672 2022-12-30 10:28:57 +00:00
parent 752b4bcaa5
commit d8c8b22589
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
libxrdp/xrdp_sec.c
View File

@ -951,6 +951,17 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
}
in_uint16_le(s, len_password);
/*
* Ignore autologin requests if the password is empty. System managers
* who really want to allow empty passwords can do this with a
* special session type */
if (len_password == 0 && self->rdp_layer->client_info.rdp_autologin)
{
LOG(LOG_LEVEL_DEBUG,
"Client supplied password is empty, disabling autologin");
self->rdp_layer->client_info.rdp_autologin = 0;
}
if (len_password >= INFO_CLIENT_MAX_CB_LEN)
{
LOG(LOG_LEVEL_ERROR,