Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F10767073
T134100-v3-1.29.patch
No One
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Authored By
Bawolff
Nov 13 2017, 4:26 PM
2017-11-13 16:26:29 (UTC+0)
Size
1 KB
Referenced Files
None
Subscribers
None
T134100-v3-1.29.patch
View Options
From a5710a0bf20cdd512de2b59fcdcb0ca8d6b90496 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Mon, 13 Nov 2017 16:02:50 +0000
Subject: [PATCH] SECURITY: Do not reveal if user exists during login failure
This is meant for private wikis where the list of users may
be secret. It is only meant to prevent trivial enumeration
of usernames. It is not designed to prevent enumeration
via timing attacks.
Bug: T134100
Change-Id: I7afaa955a4b393ef00b11e420709bd62b84fbc71
---
includes/auth/LocalPasswordPrimaryAuthenticationProvider.php | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
index fd36887..0e22d96 100644
--- a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
+++ b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
@@ -96,7 +96,10 @@ class LocalPasswordPrimaryAuthenticationProvider
__METHOD__
);
if ( !$row ) {
- return AuthenticationResponse::newAbstain();
+ // Do not reveal whether its bad username or
+ // bad password to prevent username enumeration
+ // on private wikis. (T134100)
+ return $this->failResponse( $req );
}
$oldRow = clone $row;
--
1.9.5 (Apple Git-50.3)
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
5087699
Default Alt Text
T134100-v3-1.29.patch (1 KB)
Attached To
Mode
T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password
Attached
Detach File
T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases
Attached
Detach File
Event Timeline
Log In to Comment