From a49db010e4a5e48017d8583c374210242a680ddd Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Fri, 17 Apr 2020 10:56:06 +0200
Subject: A wrong login must return HTTP 403 (#2903)
* A wrong login must produce HTTP 403 #fix https://github.com/FreshRSS/FreshRSS/issues/2901 https://github.com/FreshRSS/FreshRSS/pull/2794/files#r389319248
* Just for consistency
---
 app/Models/Auth.php | 1 +
 1 file changed, 1 insertion(+)
(limited to 'app/Models')
diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index f8f97e74e..bd7f05c66 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -213,6 +213,7 @@ class FreshRSS_Auth {
 class FreshRSS_FormAuth {
 public static function checkCredentials($username, $hash, $nonce, $challenge) {
 if (!FreshRSS_user_Controller::checkUsername($username) ||
+ !ctype_graph($hash) ||
 !ctype_graph($challenge) ||
 !ctype_alnum($nonce)) {
 Minz_Log::debug('Invalid credential parameters:' .
-- cgit v1.2.3
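Review bot: The added `!ctype_graph($hash)` guard in `checkCredentials` only acts as a character-class check when `$hash` is a string. The parameters are untyped, and the ctype functions treat an integer from -128 to 255 as a single character code (passing non-strings is deprecated since PHP 8.1), so a non-string value would be judged by different rules. I would make the type explicit, `!is_string($hash) || !ctype_graph($hash) ||`, and do the same for the existing `$challenge` and `$nonce` checks. The `Minz_Log::debug('Invalid credential parameters:' .` call continues past the end of the hunk, so what it concatenates is not visible; if it is extended to cover the new parameter, the hash value itself should stay out of the log.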