SECURITY CHANGE:
In the method passwordForUser: returning a nil password now means "no access at all".  This is what you should return if the given username doesn't exist in the system.  In a related change, returning an empty string password is now allowed, and will be treated just like any other password.  This is to add support for things such as anonymous access.  Anonymous access can be a helpful tool when generating dynamic content: anonymous users get basic information, and authenticated users get top secret information for the same page request.
robbiehanson committed Jan 29, 2009
1 parent 9bdc5d6 commit c0890fc
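As an added example (not code from the CocoaHTTPServer project or from this commit), here is a hypothetical HTTPConnection subclass that implements the contract the commit message describes: nil for a username the system does not know, an empty string for the anonymous account, and a normal password for everyone else. The class name MyAnonymousConnection, the "anonymous" username and the in-memory credential table are assumptions chosen for illustration.

```objective-c
// Added example, not part of the CocoaHTTPServer commit shown above.
// MyAnonymousConnection, the "anonymous" account and the user table
// are assumptions for illustration only.
#import "HTTPConnection.h"

@interface MyAnonymousConnection : HTTPConnection
@end

@implementation MyAnonymousConnection

// Contract after this commit:
//   nil  -> no access at all (the username does not exist)
//   @""  -> a real, empty password (anonymous access)
//   else -> compared like any other password by isAuthenticated
- (NSString *)passwordForUser:(NSString *)username
{
	if (username == nil) {
		// No username was presented at all: deny.
		return nil;
	}

	// Anonymous account (assumed name). An empty string is a valid
	// password now, so the request is authenticated only if the client
	// actually presents an empty password for this username.
	if ([username isEqualToString:@"anonymous"]) {
		return @"";
	}

	// Constructed sample credential table. A real deployment would
	// consult its credential store here instead of a literal dictionary.
	NSDictionary *users = [NSDictionary dictionaryWithObjectsAndKeys:
	                       @"correct horse battery staple", @"alice",
	                       @"hunter2",                      @"bob",
	                       nil];

	// objectForKey: returns nil for an unknown user, which isAuthenticated
	// now turns into "return NO" instead of the old "no password set,
	// let them in".
	return [users objectForKey:username];
}

@end
```

With this override, an anonymous Basic-auth client still has to send an Authorization header: the credential part it encodes must be the assumed username followed by a colon and nothing else, because the final check in the Basic path compares the password part of the decoded credentials against @"" with isEqualToString:. Any username not listed gets nil and is refused outright.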
Showing 1 changed file with 9 additions and 9 deletions.
18 changes: 9 additions & 9 deletions HTTPConnection.m
Expand Up @@ -264,7 +264,9 @@ - (NSString *)passwordForUser:(NSString *)username
// Override me to provide proper password authentication
// You can configure a password for the entire server, or custom passwords for users and/or resources

// Note: A password of nil, or a zero-length password is considered the equivalent of no password
// Security Note:
// A nil password means no access at all. (Such as for user doesn't exist)
// An empty string password is allowed, and will be treated as any other password. (To support anonymous access)

return nil;
}
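Review bot: the new comment does not say what the unchanged `return nil;` default now does, and the phrasing "(Such as for user doesn't exist)" reads awkwardly. Since nil now means "no access at all", a subclass that never overrode passwordForUser:, or one that returned nil or an empty string to mean "no password protection" as the old comment at the top of this hunk allowed, will start refusing every credentialed request after this change. Suggest spelling that out in the comment, e.g. "The default implementation returns nil, i.e. denies everyone; override this to grant access", and rewording the nil line to "(e.g. the user does not exist)".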
Expand Down Expand Up @@ -329,11 +331,10 @@ - (BOOL)isAuthenticated
}

NSString *password = [self passwordForUser:[auth username]];
if((password == nil) || ([password length] == 0))
if(password == nil)
{
// There is no password set, or the password is an empty string
// We can consider this the equivalent of not using password protection
return YES;
// No access allowed (username doesn't exist in system)
return NO;
}

NSString *method = [NSMakeCollectable(CFHTTPMessageCopyRequestMethod(request)) autorelease];
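Review bot: the early `return NO;` for a nil password exits before the request-method lookup and whatever digest work follows it for a known user, so the "username does not exist" case and the "wrong password" case will not take the same time; a client can use that to enumerate usernames. Consider carrying a dummy password through the rest of the method so both outcomes do the same work, or at least note in the method comment that username enumeration is accepted here.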
Expand Down Expand Up @@ -431,11 +432,10 @@ - (BOOL)isAuthenticated
NSString *credPassword = [credentials substringFromIndex:(colonRange.location + colonRange.length)];

NSString *password = [self passwordForUser:credUsername];
if((password == nil) || ([password length] == 0))
if(password == nil)
{
// There is no password set, or the password is an empty string
// We can consider this the equivalent of not using password protection
return YES;
// No access allowed (username doesn't exist in system)
return NO;
}

return [password isEqualToString:credPassword];
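Review bot: `[password isEqualToString:credPassword]` is an ordinary string comparison that stops at the first differing character, and together with the `return NO;` above it for unknown users the Basic path now has two distinguishable failure modes (unknown user returns at once, known user runs the comparison). A length-independent comparison over the two strings would close the second gap. It is also worth documenting, next to the empty-password note in passwordForUser:, that an anonymous client still has to present credentials whose password part after the colon is empty, because that is what gets compared against the empty string here.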
