From 7bb28c3f2b77b109451e2514e83fa99789fee35e Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sun, 25 Oct 2015 13:24:48 +0100 Subject: HTTP 403 for invalid login https://github.com/FreshRSS/FreshRSS/issues/1015 And does not leak if user exists or not --- app/Controllers/javascriptController.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'app/Controllers/javascriptController.php') diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php index 421cf6f72..f8746240c 100755 --- a/app/Controllers/javascriptController.php +++ b/app/Controllers/javascriptController.php @@ -43,7 +43,11 @@ class FreshRSS_javascript_Controller extends Minz_ActionController { } else { Minz_Log::notice('Nonce failure due to invalid username!'); } - $this->view->nonce = ''; //Failure - $this->view->salt1 = ''; + //Failure: Return random data. + $this->view->salt1 = sprintf('$2a$%02d$', FreshRSS_user_Controller::BCRYPT_COST); + for ($i = 22; $i > 0; $i--) { + $this->view->salt1 .= './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'[rand(0, 63)]; + } + $this->view->nonce = sha1(rand()); } } -- cgit v1.2.3 From c992b683a8467de60136e4d4b1860f06a746c6b1 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Mon, 26 Oct 2015 17:38:32 +0100 Subject: PHP 5.2 compatibility https://github.com/FreshRSS/FreshRSS/pull/1016 https://github.com/FreshRSS/FreshRSS/issues/1015 It is first PHP 5.5 that added support for accessing characters within string literals using []... --- app/Controllers/javascriptController.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'app/Controllers/javascriptController.php') diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php index f8746240c..e3ae3669e 100755 --- a/app/Controllers/javascriptController.php +++ b/app/Controllers/javascriptController.php @@ -45,8 +45,9 @@ class FreshRSS_javascript_Controller extends Minz_ActionController { } //Failure: Return random data. $this->view->salt1 = sprintf('$2a$%02d$', FreshRSS_user_Controller::BCRYPT_COST); + $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; for ($i = 22; $i > 0; $i--) { - $this->view->salt1 .= './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'[rand(0, 63)]; + $this->view->salt1 .= $alphabet[rand(0, 63)]; } $this->view->nonce = sha1(rand()); } -- cgit v1.2.3