| author | 2020-04-17 10:56:06 +0200 | |
|---|---|---|
| committer | 2020-04-17 10:56:06 +0200 | |
| commit | a49db010e4a5e48017d8583c374210242a680ddd (patch) | |
| tree | 478dc92de33a2ee1ba17ddb330c16d1a5dee2c69 /app | |
| parent | bdc4da6ad07f2f5dfa7cf397cf3a379199c0a2ed (diff) | |
A wrong login must return HTTP 403 (#2903)
* A wrong login must produce HTTP 403
#fix https://github.com/FreshRSS/FreshRSS/issues/2901
https://github.com/FreshRSS/FreshRSS/pull/2794/files#r389319248
* Just for consistency
Diffstat (limited to 'app')
| -rw-r--r-- | app/Controllers/authController.php | 24 | ||||
| -rw-r--r-- | app/Models/Auth.php | 1 |
2 files changed, 16 insertions, 9 deletions
diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 5874b312d..d61472e53 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -116,17 +116,18 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 $limits = $conf->limits;
 $this->view->cookie_days = round($limits['cookie_duration'] / 86400, 1);
- if (Minz_Request::isPost()) {
+ $isPOST = Minz_Request::isPost() && !Minz_Session::param('POST_to_GET');
+ Minz_Session::_param('POST_to_GET');
+
+ if ($isPOST) {
 $nonce = Minz_Session::param('nonce');
 $username = Minz_Request::param('username', '');
 $challenge = Minz_Request::param('challenge', '');
 $conf = get_user_configuration($username);
 if ($conf == null) {
- Minz_Request::bad(
- _t('feedback.auth.login.invalid'),
- array('c' => 'auth', 'a' => 'login')
- );
+ //We do not test here whether the user exists, so most likely an internal error.
+ Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
 return;
 }
@@ -155,10 +156,15 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 ' user=' . $username . ', nonce=' . $nonce . ', c=' . $challenge);
- Minz_Request::bad(
- _t('feedback.auth.login.invalid'),
- array('c' => 'auth', 'a' => 'login')
- );
+
+ header('HTTP/1.1 403 Forbidden');
+ Minz_Session::_param('POST_to_GET', true); //Prevent infinite internal redirect
+ Minz_View::_param('notification', [
+ 'type' => 'bad',
+ 'content' => _t('feedback.auth.login.invalid'),
+ ]);
+ Minz_Request::forward(['c' => 'auth', 'a' => 'login'], false);
+ return;
 }
 } elseif (FreshRSS_Context::$system_conf->unsafe_autologin_enabled) {
 $username = Minz_Request::param('u', '');
diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index f8f97e74e..bd7f05c66 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
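Review bot: The two failed-login branches now produce visibly different responses: the null-config case on the `Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);` line renders an error page, while the wrong-challenge case in the second hunk of this file renders the login form with a notification, so a client can tell whether the username resolved to a configuration even though both answer 403. Before this change both cases went through the same `Minz_Request::bad(...)` call and were indistinguishable. If user existence is not meant to be observable from this endpoint (the new comment suggests the author considers it irrelevant, and that may hold if it is already exposed elsewhere), routing both cases through the same forward-to-login path would keep the responses uniform. The enclosing login action starts and ends outside the hunk.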
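Review bot: `header('HTTP/1.1 403 Forbidden');` hard-codes the protocol version in the status line; `http_response_code(403);` sets the status without assuming HTTP/1.1 and is the portable form. Separately, the `POST_to_GET` loop guard set on the next line lives in the session rather than in request state, so if the `Minz_Request::forward(...)` that follows does not re-enter this action (an exception or exit in between), the flag survives into the user's next request, where the first hunk's `$isPOST` test would treat a genuine login POST as a GET and silently re-display the form; a request-scoped flag (for example a static property on the controller) would avoid that, assuming the forward is an in-process dispatch as the comment implies. The enclosing login action starts and ends outside the hunk.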
@@ -213,6 +213,7 @@ class FreshRSS_Auth { class FreshRSS_FormAuth { public static function checkCredentials($username, $hash, $nonce, $challenge) { if (!FreshRSS_user_Controller::checkUsername($username) || + !ctype_graph($hash) || !ctype_graph($challenge) || !ctype_alnum($nonce)) { Minz_Log::debug('Invalid credential parameters:' . |
