
fix(auth): prevent user enumeration attack [EE-6832] (#11591)

This commit is contained in:
Matt Hook 2024-04-17 16:09:05 +12:00 committed by GitHub
parent 6f5d9c357f
commit 9191d31e92
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
20 changed files with 456 additions and 101 deletions


@ -75,7 +75,14 @@ func (*Service) AuthenticateUser(username, password string, settings *portainer.
userDN, err := searchUser(username, connection, settings.SearchSettings)
if err != nil {
return err
if errors.Is(err, errUserNotFound) {
// prevent user enumeration timing attack by attempting the bind with a fake user
// and whatever password was provided should definately fail
// https://en.wikipedia.org/wiki/Timing_attack
userDN = "portainer-fake-ldap-username"
} else {
return err
}
}
err = connection.Bind(userDN, password)