Fix panic when logging in to userpass without a valid user (#7160)

d7efee8f · Jeff Mitchell · GitHub · 7f0ff628 · d7efee8f
Unverified Commit d7efee8f authored 5 years ago by Jeff Mitchell Committed by GitHub 5 years ago
Hide whitespace changes
Inline Side-by-side

Showing

with 5 additions and 5 deletions
+5 -5
--- a/builtin/credential/userpass/path_login.go
+++ b/builtin/credential/userpass/path_login.go
@@ -64,11 +64,6 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 	// Get the user and validate auth
 	user, userError := b.user(ctx, req.Storage, username)

-	// Check for a CIDR match.
-	if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, user.TokenBoundCIDRs) {
-		return nil, logical.ErrPermissionDenied
-	}
-
 	var userPassword []byte
 	var legacyPassword bool
 	// If there was an error or it's nil, we fake a password for the bcrypt
@@ -108,6 +103,11 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		return logical.ErrorResponse("invalid username or password"), nil
 	}

+	// Check for a CIDR match.
+	if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, user.TokenBoundCIDRs) {
+		return nil, logical.ErrPermissionDenied
+	}
+
 	auth := &logical.Auth{
 		Metadata: map[string]string{
 			"username": username,