aboutsummaryrefslogtreecommitdiff
path: root/app/Controllers/javascriptController.php
diff options
context:
space:
mode:
authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2015-10-25 13:24:48 +0100
committerGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2015-10-25 13:24:48 +0100
commit7bb28c3f2b77b109451e2514e83fa99789fee35e (patch)
tree0db3eec55c63515032ac165e0edcb00d1f81f1c5 /app/Controllers/javascriptController.php
parenteb912cc7a8599682a14f3bc779c494491a6da56b (diff)
HTTP 403 for invalid login
https://github.com/FreshRSS/FreshRSS/issues/1015 And does not leak if user exists or not
Diffstat (limited to 'app/Controllers/javascriptController.php')
-rwxr-xr-xapp/Controllers/javascriptController.php8
1 files changed, 6 insertions, 2 deletions
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index 421cf6f72..f8746240c 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -43,7 +43,11 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
} else {
Minz_Log::notice('Nonce failure due to invalid username!');
}
- $this->view->nonce = ''; //Failure
- $this->view->salt1 = '';
+ //Failure: Return random data.
+ $this->view->salt1 = sprintf('$2a$%02d$', FreshRSS_user_Controller::BCRYPT_COST);
+ for ($i = 22; $i > 0; $i--) {
+ $this->view->salt1 .= './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'[rand(0, 63)];
+ }
+ $this->view->nonce = sha1(rand());
}
}
generated by cgit v1.2.3 (git 2.39.1) at 2026-02-10 14:48:35 +0000