From 79604aa4b3051f083d1734bd9e82c6a89d785c5a Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Wed, 20 Dec 2023 16:36:55 +0100 Subject: Fix login (#5955) fix https://github.com/FreshRSS/FreshRSS/issues/5953 Regression due to https://github.com/FreshRSS/FreshRSS/pull/5946 --- app/Controllers/authController.php | 9 +++++++++ app/Controllers/javascriptController.php | 4 ++-- app/Controllers/userController.php | 2 +- app/install.php | 6 +++--- 4 files changed, 15 insertions(+), 6 deletions(-) diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php index 85a722761..ac3fcb0be 100644 --- a/app/Controllers/authController.php +++ b/app/Controllers/authController.php @@ -128,6 +128,15 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController { $username = Minz_Request::paramString('username'); $challenge = Minz_Request::paramString('challenge'); + if ($nonce === '') { + Minz_Log::warning("Invalid session during login for user={$username}, nonce={$nonce}"); + header('HTTP/1.1 403 Forbidden'); + Minz_Session::_param('POST_to_GET', true); //Prevent infinite internal redirect + Minz_Request::setBadNotification(_t('install.session.nok')); + Minz_Request::forward(['c' => 'auth', 'a' => 'login'], false); + return; + } + usleep(random_int(100, 10000)); //Primitive mitigation of timing attacks, in μs FreshRSS_Context::initUser($username); diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php index a9c4993df..74e4a0dd9 100644 --- a/app/Controllers/javascriptController.php +++ b/app/Controllers/javascriptController.php @@ -49,7 +49,7 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController { $user = $_GET['user'] ?? ''; FreshRSS_Context::initUser($user); - if (!FreshRSS_Context::hasUserConf()) { + if (FreshRSS_Context::hasUserConf()) { try { $salt = FreshRSS_Context::systemConf()->salt; $s = FreshRSS_Context::userConf()->passwordHash; @@ -64,7 +64,7 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController { Minz_Log::warning('Nonce failure: ' . $me->getMessage()); } } else { - Minz_Log::notice('Nonce failure due to invalid username!'); + Minz_Log::notice('Nonce failure due to invalid username! ' . $user); } //Failure: Return random data. $this->view->salt1 = sprintf('$2a$%02d$', FreshRSS_password_Util::BCRYPT_COST); diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index b3fccac24..126eb60a2 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -9,7 +9,7 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController { * The username is also used as folder name, file name, and part of SQL table name. * '_' is a reserved internal username. */ - public const USERNAME_PATTERN = '([0-9a-zA-Z_][0-9a-zA-Z_.@-]{1,38}|[0-9a-zA-Z])'; + public const USERNAME_PATTERN = '([0-9a-zA-Z_][0-9a-zA-Z_.@\-]{1,38}|[0-9a-zA-Z])'; public static function checkUsername(string $username): bool { return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1; diff --git a/app/install.php b/app/install.php index b4da2911f..7703b3840 100644 --- a/app/install.php +++ b/app/install.php @@ -551,7 +551,7 @@ function printStep2(): void {
-
@@ -559,7 +559,7 @@ function printStep2(): void {
-
@@ -578,7 +578,7 @@ function printStep2(): void {
-
-- cgit v1.2.3