diff options
| author |  Alexandre Alapetite <alexandre@alapetite.fr>
| 2015-10-25 13:24:48 +0100 |
|---|---|---|
| committer | Alexandre Alapetite <alexandre@alapetite.fr>
| 2015-10-25 13:24:48 +0100 |
| commit | 7bb28c3f2b77b109451e2514e83fa99789fee35e (patch) | |
| tree | 0db3eec55c63515032ac165e0edcb00d1f81f1c5 /app | |
| parent | eb912cc7a8599682a14f3bc779c494491a6da56b (diff) | |
HTTP 403 for invalid login
https://github.com/FreshRSS/FreshRSS/issues/1015
And does not leak if user exists or not
Diffstat (limited to 'app')
| -rw-r--r-- | app/Controllers/authController.php | 9 | ||||
| -rwxr-xr-x | app/Controllers/javascriptController.php | 8 |
2 files changed, 9 insertions, 8 deletions
diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php index aff184263..bccce5a59 100644 --- a/app/Controllers/authController.php +++ b/app/Controllers/authController.php @@ -123,8 +123,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController { $conf = get_user_configuration($username); if (is_null($conf)) { - Minz_Request::bad(_t('feedback.auth.login.invalid'), - array('c' => 'auth', 'a' => 'login')); + Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false); } $ok = FreshRSS_FormAuth::checkCredentials( @@ -151,8 +150,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController { ' user=' . $username . ', nonce=' . $nonce . ', c=' . $challenge); - Minz_Request::bad(_t('feedback.auth.login.invalid'), - array('c' => 'auth', 'a' => 'login')); + Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false); } } elseif (FreshRSS_Context::$system_conf->unsafe_autologin_enabled) { $username = Minz_Request::param('u', ''); @@ -184,8 +182,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController { array('c' => 'index', 'a' => 'index')); } else { Minz_Log::warning('Unsafe password mismatch for user ' . $username); - Minz_Request::bad(_t('feedback.auth.login.invalid'), - array('c' => 'auth', 'a' => 'login')); + Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false); } } } diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php index 421cf6f72..f8746240c 100755 --- a/app/Controllers/javascriptController.php +++ b/app/Controllers/javascriptController.php @@ -43,7 +43,11 @@ class FreshRSS_javascript_Controller extends Minz_ActionController { } else { Minz_Log::notice('Nonce failure due to invalid username!'); } - $this->view->nonce = ''; //Failure - $this->view->salt1 = ''; + //Failure: Return random data. + $this->view->salt1 = sprintf('$2a$%02d$', FreshRSS_user_Controller::BCRYPT_COST); + for ($i = 22; $i > 0; $i--) { + $this->view->salt1 .= './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'[rand(0, 63)]; + } + $this->view->nonce = sha1(rand()); } } |