From 7bb28c3f2b77b109451e2514e83fa99789fee35e Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sun, 25 Oct 2015 13:24:48 +0100 Subject: HTTP 403 for invalid login https://github.com/FreshRSS/FreshRSS/issues/1015 And does not leak if user exists or not --- app/Controllers/authController.php | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'app/Controllers/authController.php') diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php index aff184263..bccce5a59 100644 --- a/app/Controllers/authController.php +++ b/app/Controllers/authController.php @@ -123,8 +123,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController { $conf = get_user_configuration($username); if (is_null($conf)) { - Minz_Request::bad(_t('feedback.auth.login.invalid'), - array('c' => 'auth', 'a' => 'login')); + Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false); } $ok = FreshRSS_FormAuth::checkCredentials( @@ -151,8 +150,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController { ' user=' . $username . ', nonce=' . $nonce . ', c=' . $challenge); - Minz_Request::bad(_t('feedback.auth.login.invalid'), - array('c' => 'auth', 'a' => 'login')); + Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false); } } elseif (FreshRSS_Context::$system_conf->unsafe_autologin_enabled) { $username = Minz_Request::param('u', ''); @@ -184,8 +182,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController { array('c' => 'index', 'a' => 'index')); } else { Minz_Log::warning('Unsafe password mismatch for user ' . $username); - Minz_Request::bad(_t('feedback.auth.login.invalid'), - array('c' => 'auth', 'a' => 'login')); + Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false); } } } -- cgit v1.2.3 From ad1f0cb96b3eefdeac5031e59c8810fc9427b6e2 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sun, 25 Oct 2015 19:31:41 +0100 Subject: Return after 403 https://github.com/FreshRSS/FreshRSS/pull/1016 https://github.com/FreshRSS/FreshRSS/issues/1015 --- app/Controllers/authController.php | 1 + 1 file changed, 1 insertion(+) (limited to 'app/Controllers/authController.php') diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php index bccce5a59..f58b008de 100644 --- a/app/Controllers/authController.php +++ b/app/Controllers/authController.php @@ -124,6 +124,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController { $conf = get_user_configuration($username); if (is_null($conf)) { Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false); + return; } $ok = FreshRSS_FormAuth::checkCredentials( -- cgit v1.2.3