fix: requirepass allows connection with any non-empty password

caiyu · caiyu · commit 0eaab74f23fb · 2025-06-19T18:16:36.000+08:00
diff --git a/src/acl.cc b/src/acl.cc
@@ -497,6 +497,10 @@ void Acl::InitLimitUser(const std::string& bl, bool limit_exist) {
     }
     if (!pass.empty()) {
       u->SetUser(">" + pass);
+    }else{
+      //If the userpass password is empty, 
+      //disable the limit user to prevent password-free access
+      u->SetUser("off");
     }
   } else {
     if (pass.empty()) {
diff --git a/tests/integration/acl_test.go b/tests/integration/acl_test.go
@@ -124,5 +124,22 @@ var _ = Describe("Acl test", func() {
 		Expect(err).NotTo(HaveOccurred())
 		Expect(len(logEntries)).To(Equal(0))
 	})
-
+	// Test case for the bug: any non-empty requirepass could connect when requirepass is set.
+	// pika.conf: requirepass abc
+	It("has wrong password returns error and correct password returns OK", func() {
+		ctx := context.TODO()
+		client := redis.NewClient(&redis.Options{
+			Addr: "127.0.0.1:9221",
+		})
+		authRes := client.Do(ctx, "auth", "wrongpass")
+		Expect(authRes.Err()).To(MatchError("WRONGPASS invalid username-password pair or user is disabled."))
+		client.Close()
+		client = redis.NewClient(&redis.Options{
+			Addr: "127.0.0.1:9221",
+		})
+		authRes = client.Do(ctx, "auth", "abc")
+		Expect(authRes.Err()).NotTo(HaveOccurred())
+		Expect(authRes.Val()).To(Equal("OK"))
+		client.Close()
+	})
 })

Original file line number	Diff line number	Diff line change
`@@ -497,6 +497,10 @@ void Acl::InitLimitUser(const std::string& bl, bool limit_exist) {`
`497`	`497`	`}`
`498`	`498`	`if (!pass.empty()) {`
`499`	`499`	`u->SetUser(">" + pass);`
	`500`	`+ }else{`
	`501`	`+ //If the userpass password is empty,`
	`502`	`+ //disable the limit user to prevent password-free access`
	`503`	`+ u->SetUser("off");`
`500`	`504`	`}`
`501`	`505`	`} else {`
`502`	`506`	`if (pass.empty()) {`