Fix 0013901: SOAP API allows invoking methods without proper authentication

root · root · commit 5e9ead33df0b · 2012-02-16T09:39:56.000Z
Note: only applied to 1.2.x not 'next', as the code is changing anyway
diff --git a/api/soap/mc_api.php b/api/soap/mc_api.php
@@ -51,6 +51,11 @@ function mci_check_login( $p_username, $p_password ) {
 
 		# do not use password validation.
 		$p_password = null;
+	} else {
+		if( is_blank( $p_password ) ) {
+			# require password for authenticated access
+			return false;
+		}
 	}
 
 	if( false === auth_attempt_script_login( $p_username, $p_password ) ) {
