Mirroristas/etcd
2
0
Fork 0
mirror of https://github.com/etcd-io/etcd.git synced 2024-09-27 06:25:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: remove password after authenticating the user

Browse Source 
fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235

Signed-off-by: Benjamin Wang <wachao@vmware.com>
This commit is contained in:
Benjamin Wang
2023-04-06 16:48:57 +08:00
committed by Hitoshi Mitake
parent 291cb7172a
commit e6c2e380a9
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
server/etcdserver/v3_server.go
View File

@@ -454,6 +454,13 @@ func (s *EtcdServer) Authenticate(ctx context.Context, r *pb.AuthenticateRequest
lg := s.Logger() lg := s.Logger()
// fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235
defer func() {
if r != nil {
r.Password = ""
}
}()
var resp proto.Message var resp proto.Message
for { for {
checkedRevision, err := s.AuthStore().CheckPassword(r.Name, r.Password) checkedRevision, err := s.AuthStore().CheckPassword(r.Name, r.Password)