Diffstat (limited to 'app/Controllers/authController.php')
| -rw-r--r-- | app/Controllers/authController.php | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 85a722761..ac3fcb0be 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -128,6 +128,15 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 $username = Minz_Request::paramString('username');
 $challenge = Minz_Request::paramString('challenge');
+ if ($nonce === '') {
+ Minz_Log::warning("Invalid session during login for user={$username}, nonce={$nonce}");
+ header('HTTP/1.1 403 Forbidden');
+ Minz_Session::_param('POST_to_GET', true); //Prevent infinite internal redirect
+ Minz_Request::setBadNotification(_t('install.session.nok'));
+ Minz_Request::forward(['c' => 'auth', 'a' => 'login'], false);
+ return;
+ }
+ usleep(random_int(100, 10000)); //Primitive mitigation of timing attacks, in μs
 FreshRSS_Context::initUser($username); |
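Review bot: The new `Minz_Log::warning(...)` line writes the raw `username` request parameter into the log without neutralising it, so a value containing line breaks or control characters can forge extra log records or corrupt the line; `nonce={$nonce}` also carries no information here, since the branch is only entered when `$nonce === ''`. A safer form that keeps the diagnostic value is `Minz_Log::warning('Invalid session during login for user=' . json_encode($username, JSON_UNESCAPED_UNICODE));`, which encodes any control characters instead of emitting them verbatim. The `$nonce` variable this guard tests is assigned above the hunk, and the enclosing method both starts and ends outside it, so whether an empty nonce can also arise from a legitimately expired session (rather than a missing one) cannot be confirmed from the visible lines; the 403 plus redirect to the login form looks appropriate for either case.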
