Disable autologon for empty passwords

Although there is nothing in the specification to prevent automatic
logons with empty passwords, this is not a secure default.

The autologon flag INFO_AUTOLOGON ([MS-RDPBCGR] 2.2.1.11.1.1) is now
ignored for empty passwords.
matt335672 2022-12-30 10:28:57 +00:00
parent 752b4bcaa5
commit d8c8b22589
1 changed file with 11 additions and 0 deletions


@ -951,6 +951,17 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
}
in_uint16_le(s, len_password);
/*
* Ignore autologin requests if the password is empty. System managers
* who really want to allow empty passwords can do this with a
* special session type */
if (len_password == 0 && self->rdp_layer->client_info.rdp_autologin)
{
LOG(LOG_LEVEL_DEBUG,
"Client supplied password is empty, disabling autologin");
self->rdp_layer->client_info.rdp_autologin = 0;
}
if (len_password >= INFO_CLIENT_MAX_CB_LEN)
{
LOG(LOG_LEVEL_ERROR,
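Review bot: the new block at the top of this hunk records a security-relevant refusal (a client requested autologon and was denied because len_password == 0) at LOG_LEVEL_DEBUG, which most production deployments do not have enabled; consider LOG_LEVEL_INFO or LOG_LEVEL_WARNING so an administrator investigating an unexpected password prompt can see why rdp_autologin was cleared without turning on debug logging. The comment's pointer to "a special session type" also leaves the reader to guess which one; naming that session type (or the relevant config key) in the comment, and stating in the user-facing documentation or changelog that INFO_AUTOLOGON is now ignored when the client-supplied password length is zero, would make the behaviour change discoverable rather than something only found by reading this function.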