authorGravatar Marien Fressinaud <dev@marienfressinaud.fr> 2015-10-27 20:31:57 +0100
committerGravatar Marien Fressinaud <dev@marienfressinaud.fr> 2015-10-27 20:31:57 +0100
commitd677495ca3ded1a65c974fcdc29e989cdae2b583 (patch)
tree83d8113d63a79707e98610d5f347f8e761416f0b
parentb8b0ba6f244b37f5b823f05b6ef00f4684b3d89b (diff)
parentc992b683a8467de60136e4d4b1860f06a746c6b1 (diff)
Merge pull request #1016 from Alkarex/login403
HTTP 403 for invalid login
-rw-r--r--app/Controllers/authController.php10
-rwxr-xr-xapp/Controllers/javascriptController.php9
2 files changed, 11 insertions, 8 deletions
diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index aff184263..f58b008de 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -123,8 +123,8 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
$conf = get_user_configuration($username);
if (is_null($conf)) {
- Minz_Request::bad(_t('feedback.auth.login.invalid'),
- array('c' => 'auth', 'a' => 'login'));
+ Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
+ return;
}
$ok = FreshRSS_FormAuth::checkCredentials(
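Review bot: The `is_null($conf)` branch now answers 403 without writing any log entry, whereas the other two failure paths in this commit are preceded by a log call (`Minz_Log::warning('Unsafe password mismatch for user ' . $username)` in the third hunk, and what appears to be a log message built from `' user=' . $username` in the second). Failed-login monitoring and rate limiting only work if every rejected attempt is recorded, so this branch should log as well, e.g. `Minz_Log::warning('Login attempt for unknown user ' . $username);` placed before the `Minz_Error::error(...)` call. Note also that the early `return;` fires before `FreshRSS_FormAuth::checkCredentials` runs, so an unknown username is likely answered faster than a known one with a wrong password; the identical message avoids leaking that in the body, but response time can still hint at which usernames exist. The enclosing method starts and ends outside the hunk.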
@@ -151,8 +151,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
' user=' . $username .
', nonce=' . $nonce .
', c=' . $challenge);
- Minz_Request::bad(_t('feedback.auth.login.invalid'),
- array('c' => 'auth', 'a' => 'login'));
+ Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
}
} elseif (FreshRSS_Context::$system_conf->unsafe_autologin_enabled) {
$username = Minz_Request::param('u', '');
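Review bot: The `Minz_Error::error(403, ...)` call that replaces `Minz_Request::bad` here is not followed by `return;`, unlike the identical replacement in the first hunk of this file; the same is true of the third hunk (the `Unsafe password mismatch` branch). Whether `Minz_Error::error` terminates the request is not visible in this diff; if it only renders the error and returns, execution continues past the `if`/`elseif` chain into the rest of the action, which lies outside the hunk. Either add `return;` after each call, matching the first hunk, or drop it there if `Minz_Error::error` is known to exit — using both styles in one method leaves the reader guessing which contract holds.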
@@ -184,8 +183,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
array('c' => 'index', 'a' => 'index'));
} else {
Minz_Log::warning('Unsafe password mismatch for user ' . $username);
- Minz_Request::bad(_t('feedback.auth.login.invalid'),
- array('c' => 'auth', 'a' => 'login'));
+ Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
}
}
}
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index 421cf6f72..e3ae3669e 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -43,7 +43,12 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
} else {
Minz_Log::notice('Nonce failure due to invalid username!');
}
- $this->view->nonce = ''; //Failure
- $this->view->salt1 = '';
+ //Failure: Return random data.
+ $this->view->salt1 = sprintf('$2a$%02d$', FreshRSS_user_Controller::BCRYPT_COST);
+ $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+ for ($i = 22; $i > 0; $i--) {
+ $this->view->salt1 .= $alphabet[rand(0, 63)];
+ }
+ $this->view->nonce = sha1(rand());
}
}
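Review bot: The fake `salt1` and `nonce` in the failure branch are derived from `rand()`, which is not a cryptographically secure generator, so the values handed back for an unknown or invalid username are predictable, and `sha1(rand())` can take at most as many distinct values as `rand()` itself; that weakens the stated intent of returning data that is indistinguishable from a real response. Use a CSPRNG for both: `$this->view->salt1 .= $alphabet[random_int(0, 63)];` and `$this->view->nonce = sha1(random_bytes(16));` (on PHP versions without `random_int`/`random_bytes`, `openssl_random_pseudo_bytes` is the usual substitute). It is also worth confirming that the success path, which is outside this hunk, emits a salt with the same `$2a$%02d$` prefix and 22-character body and a nonce of the same shape as `sha1(...)`, since any format difference would still reveal whether the username exists. The enclosing method begins before the hunk.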