From 2981714f1506fab937d037857e698fb61e1e2b49 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sun, 17 Jan 2021 19:57:39 +0100
Subject: Fix form login if user does not exist (#3377)
Small bug from https://github.com/FreshRSS/FreshRSS/pull/3070 , leading to an exception due to not being able to log the error. Minor: Also add some very primitive mitigation of timing attacks (to find out whether a user exists or not, although I have not checked whether this might be guessed through other means) - before, if the user did not exist, the response was always measurably faster; now it is harder to tell due to the noise
---
 app/Controllers/authController.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'app/Controllers/authController.php')
diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 403c92790..ca8a9758a 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -123,6 +123,8 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 $username = Minz_Request::param('username', '');
 $challenge = Minz_Request::param('challenge', '');
+ usleep(rand(100, 10000)); //Primitive mitigation of timing attacks, in μs
+
 FreshRSS_Context::initUser($username);
 if (FreshRSS_Context::$user_conf == null) {
 //We do not test here whether the user exists, so most likely an internal error.
@@ -130,7 +132,8 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 return;
 }
- if (!FreshRSS_Context::$user_conf->enabled) {
+ if (!FreshRSS_Context::$user_conf->enabled || FreshRSS_Context::$user_conf->passwordHash == '') {
+ usleep(rand(100, 5000)); //Primitive mitigation of timing attacks, in μs
 Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
 return;
 }
--
cgit v1.2.3
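Review bot: `usleep(rand(100, 10000))` in the first hunk and `usleep(rand(100, 5000))` in the second draw their jitter from `rand()`, which is a seedable, non-cryptographic generator; for anything security-adjacent the idiomatic call is `usleep(random_int(100, 10000));` and `usleep(random_int(100, 5000));`. A bounded random delay also only raises the noise floor: if the real password check on the success path costs more than the jitter window, the mean response time for an unknown user still differs and can be recovered by averaging many requests, so the comment should state this is noise rather than a constant-time guarantee, e.g. `//Adds random jitter only; does not equalise the cost of the password check`. A more robust mitigation is to make the unknown-user branch perform the same verification work as the normal path (for instance verifying against a fixed dummy hash) instead of sleeping. Minor: `passwordHash == ''` is a loose comparison; `=== ''` makes the intent explicit and avoids surprises with non-string values. The enclosing method starts before the first hunk and ends after the second.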