From a1683dc4cd8a471cbaa98eb33f8ae99f9f3d77f2 Mon Sep 17 00:00:00 2001
From: Jerome Lebleu
Date: Sat, 28 Dec 2013 18:13:43 +0100
Subject: [PATCH] Fix empty password breach
---
 yunohost.tac | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/yunohost.tac b/yunohost.tac
index af917180..b3d1ac61 100755
--- a/yunohost.tac
+++ b/yunohost.tac
@@ -42,8 +42,10 @@ def http_exec(request, **kwargs):
 # Simple HTTP auth
 elif installed:
- authorized = request.getUser() == 'admin'
+ authorized = False
 pwd = request.getPassword()
+ if request.getUser() == 'admin' and pwd != '':
+ authorized = True
 if dev and 'api_key' in request.args:
 pwd = request.args['api_key'][0]
 authorized = True
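Review bot: The new non-empty check covers only the Basic-auth password; the unchanged `if dev and 'api_key' in request.args:` branch right below it still overwrites `pwd` with `request.args['api_key'][0]` and sets `authorized = True` with no emptiness test, so with `dev` enabled an empty `api_key` value is still passed on as the credential. Running the test once after both branches closes both paths, for example `if not pwd:` followed by `authorized = False` placed after the api_key block; `not pwd` also rejects a `None` return, which `pwd != ''` would let through. A short comment such as `# an empty password must never authorize, whichever branch supplied it` would record why the check exists. http_exec starts and ends outside the hunk, so how `pwd` is verified afterwards is not visible here; that later step should be confirmed to reject empty credentials on its own as well.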