From d8c8b22589c6999154b4cee8e1d417c05bf9156f Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Fri, 30 Dec 2022 10:28:57 +0000
Subject: [PATCH] Disable autologon for empty passwords

Although there is nothing in the specification to prevent automatic logons with empty passwords, this is not a secure default.

The autologon flag INFO_AUTOLOGON ([MS-RDPBCGR] 2.2.1.11.1.1) is now ignored for empty passwords.
---
 libxrdp/xrdp_sec.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
index 8e3fd021..77e86401 100644
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@@ -951,6 +951,17 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
 }
 in_uint16_le(s, len_password);
+ /*
+ * Ignore autologin requests if the password is empty. System managers
+ who really want to allow empty passwords can do this with a
+ * special session type */
+ if (len_password == 0 && self->rdp_layer->client_info.rdp_autologin)
+ {
+ LOG(LOG_LEVEL_DEBUG,
+ "Client supplied password is empty, disabling autologin");
+ self->rdp_layer->client_info.rdp_autologin = 0;
+ }
+
 if (len_password >= INFO_CLIENT_MAX_CB_LEN)
 {
 LOG(LOG_LEVEL_ERROR,