Fix login (#5955)

fix https://github.com/FreshRSS/FreshRSS/issues/5953 Regression due to https://github.com/FreshRSS/FreshRSS/pull/5946
author: Alexandre Alapetite <alexandre@alapetite.fr> 2023-12-20 16:36:55 +0100
committer: GitHub <noreply@github.com> 2023-12-20 16:36:55 +0100
commit: 79604aa4b3051f083d1734bd9e82c6a89d785c5a (patch)
tree: b0b239c679191cfc6768eb437e851ab26679e329
parent: a80a5f48a16e7d232168a7aaa68e9a1804235ce1 (diff)
4 files changed, 15 insertions, 6 deletions
diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 85a722761..ac3fcb0be 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -128,6 +128,15 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 			$username = Minz_Request::paramString('username');
 			$challenge = Minz_Request::paramString('challenge');
 
+			if ($nonce === '') {
+				Minz_Log::warning("Invalid session during login for user={$username}, nonce={$nonce}");
+				header('HTTP/1.1 403 Forbidden');
+				Minz_Session::_param('POST_to_GET', true);	//Prevent infinite internal redirect
+				Minz_Request::setBadNotification(_t('install.session.nok'));
+				Minz_Request::forward(['c' => 'auth', 'a' => 'login'], false);
+				return;
+			}
+
 			usleep(random_int(100, 10000));	//Primitive mitigation of timing attacks, in μs
 
 			FreshRSS_Context::initUser($username);
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index a9c4993df..74e4a0dd9 100644
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -49,7 +49,7 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController {
 
 		$user = $_GET['user'] ?? '';
 		FreshRSS_Context::initUser($user);
-		if (!FreshRSS_Context::hasUserConf()) {
+		if (FreshRSS_Context::hasUserConf()) {
 			try {
 				$salt = FreshRSS_Context::systemConf()->salt;
 				$s = FreshRSS_Context::userConf()->passwordHash;
@@ -64,7 +64,7 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController {
 				Minz_Log::warning('Nonce failure: ' . $me->getMessage());
 			}
 		} else {
-			Minz_Log::notice('Nonce failure due to invalid username!');
+			Minz_Log::notice('Nonce failure due to invalid username! ' . $user);
 		}
 		//Failure: Return random data.
 		$this->view->salt1 = sprintf('$2a$%02d$', FreshRSS_password_Util::BCRYPT_COST);
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index b3fccac24..126eb60a2 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -9,7 +9,7 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController {
 	 * The username is also used as folder name, file name, and part of SQL table name.
 	 * '_' is a reserved internal username.
 	 */
-	public const USERNAME_PATTERN = '([0-9a-zA-Z_][0-9a-zA-Z_.@-]{1,38}|[0-9a-zA-Z])';
+	public const USERNAME_PATTERN = '([0-9a-zA-Z_][0-9a-zA-Z_.@\-]{1,38}|[0-9a-zA-Z])';
 
 	public static function checkUsername(string $username): bool {
 		return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1;
diff --git a/app/install.php b/app/install.php
index b4da2911f..7703b3840 100644
--- a/app/install.php
+++ b/app/install.php
@@ -551,7 +551,7 @@ function printStep2(): void {
 		<div class="form-group">
 			<label class="group-name" for="host"><?= _t('install.bdd.host') ?></label>
 			<div class="group-controls">
-				<input type="text" id="host" name="host" pattern="[0-9A-Z/a-z_.-]{1,64}(:[0-9]{2,5})?" value="<?=
+				<input type="text" id="host" name="host" pattern="[0-9A-Z/a-z_.\-]{1,64}(:[0-9]{2,5})?" value="<?=
 					$_SESSION['bd_host'] ?? $system_default_config->db['host'] ?? '' ?>" tabindex="2" />
 			</div>
 		</div>
@@ -559,7 +559,7 @@ function printStep2(): void {
 		<div class="form-group">
 			<label class="group-name" for="user"><?= _t('install.bdd.username') ?></label>
 			<div class="group-controls">
-				<input type="text" id="user" name="user" maxlength="64" pattern="[0-9A-Za-z@_.-]{1,64}" value="<?=
+				<input type="text" id="user" name="user" maxlength="64" pattern="[0-9A-Za-z@_.\-]{1,64}" value="<?=
 					$_SESSION['bd_user'] ?? '' ?>" tabindex="3" />
 			</div>
 		</div>
@@ -578,7 +578,7 @@ function printStep2(): void {
 		<div class="form-group">
 			<label class="group-name" for="base"><?= _t('install.bdd') ?></label>
 			<div class="group-controls">
-				<input type="text" id="base" name="base" maxlength="64" pattern="[0-9A-Za-z_-]{1,64}" value="<?=
+				<input type="text" id="base" name="base" maxlength="64" pattern="[0-9A-Za-z_\-]{1,64}" value="<?=
 					$_SESSION['bd_base'] ?? '' ?>" tabindex="6" />
 			</div>
 		</div>
author	Alexandre Alapetite <alexandre@alapetite.fr>	2023-12-20 16:36:55 +0100
committer	GitHub <noreply@github.com>	2023-12-20 16:36:55 +0100
commit	79604aa4b3051f083d1734bd9e82c6a89d785c5a (patch)
tree	b0b239c679191cfc6768eb437e851ab26679e329
parent	a80a5f48a16e7d232168a7aaa68e9a1804235ce1 (diff)