A wrong login must return HTTP 403 (#2903)

* A wrong login must produce HTTP 403 #fix https://github.com/FreshRSS/FreshRSS/issues/2901 https://github.com/FreshRSS/FreshRSS/pull/2794/files#r389319248 * Just for consistency
author: Alexandre Alapetite <alexandre@alapetite.fr> 2020-04-17 10:56:06 +0200
committer: GitHub <noreply@github.com> 2020-04-17 10:56:06 +0200
commit: a49db010e4a5e48017d8583c374210242a680ddd (patch)
tree: 478dc92de33a2ee1ba17ddb330c16d1a5dee2c69 /app/Models/Auth.php
parent: bdc4da6ad07f2f5dfa7cf397cf3a379199c0a2ed (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index f8f97e74e..bd7f05c66 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -213,6 +213,7 @@ class FreshRSS_Auth {
 class FreshRSS_FormAuth {
 	public static function checkCredentials($username, $hash, $nonce, $challenge) {
 		if (!FreshRSS_user_Controller::checkUsername($username) ||
+				!ctype_graph($hash) ||
 				!ctype_graph($challenge) ||
 				!ctype_alnum($nonce)) {
 			Minz_Log::debug('Invalid credential parameters:' .
author	Alexandre Alapetite <alexandre@alapetite.fr>	2020-04-17 10:56:06 +0200
committer	GitHub <noreply@github.com>	2020-04-17 10:56:06 +0200
commit	a49db010e4a5e48017d8583c374210242a680ddd (patch)
tree	478dc92de33a2ee1ba17ddb330c16d1a5dee2c69 /app/Models/Auth.php
parent	bdc4da6ad07f2f5dfa7cf397cf3a379199c0a2ed (diff)