ACL: default user off should not allow automatic authentication.

This fixes issue #7011.
2020-03-20 12:45:48 +01:00 · 2020-03-20 12:45:48 +01:00 · f9c56dbb09
commit f9c56dbb09
parent b3a97004f4
2 changed files with 3 additions and 2 deletions
--- a/src/networking.c
+++ b/src/networking.c
@ -124,7 +124,8 @@ client *createClient(connection *conn) {
    c->ctime = c->lastinteraction = server.unixtime;
    /* If the default user does not require authentication, the user is
     * directly authenticated. */
-    c->authenticated = (c->user->flags & USER_FLAG_NOPASS) != 0;
+    c->authenticated = (c->user->flags & USER_FLAG_NOPASS) &&
+                       !(c->user->flags & USER_FLAG_DISABLED);
    c->replstate = REPL_STATE_NONE;
    c->repl_put_online_on_ack = 0;
    c->reploff = 0;
--- a/src/server.c
+++ b/src/server.c
@ -3380,7 +3380,7 @@ int processCommand(client *c) {
    /* Check if the user is authenticated. This check is skipped in case
     * the default user is flagged as "nopass" and is active. */
    int auth_required = (!(DefaultUser->flags & USER_FLAG_NOPASS) ||
-                           DefaultUser->flags & USER_FLAG_DISABLED) &&
+                          (DefaultUser->flags & USER_FLAG_DISABLED)) &&
                        !c->authenticated;
    if (auth_required) {
        /* AUTH and HELLO and no auth modules are valid even in