
T134100-v3-1.29.patch

Authored By
Bawolff
Nov 13 2017, 4:26 PM
Size
1 KB
Referenced Files
None
Subscribers
None

From a5710a0bf20cdd512de2b59fcdcb0ca8d6b90496 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Mon, 13 Nov 2017 16:02:50 +0000
Subject: [PATCH] SECURITY: Do not reveal if user exists during login failure
This is meant for private wikis where the list of users may
be secret. It is only meant to prevent trivial enumeration
of usernames. It is not designed to prevent enumeration
via timing attacks.
Bug: T134100
Change-Id: I7afaa955a4b393ef00b11e420709bd62b84fbc71
---
includes/auth/LocalPasswordPrimaryAuthenticationProvider.php | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
index fd36887..0e22d96 100644
--- a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
+++ b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
@@ -96,7 +96,10 @@ class LocalPasswordPrimaryAuthenticationProvider
__METHOD__
);
if ( !$row ) {
- return AuthenticationResponse::newAbstain();
+ // Do not reveal whether its bad username or
+ // bad password to prevent username enumeration
+ // on private wikis. (T134100)
+ return $this->failResponse( $req );
}
$oldRow = clone $row;
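Review bot: The switch from `AuthenticationResponse::newAbstain()` to `$this->failResponse( $req )` in the `if ( !$row )` branch is unconditional, while the commit message scopes the fix to private wikis; a wiki that chains another primary provider after the local one (where the local provider previously abstained so the next provider could handle the login) will now see those logins fail outright, so either gate the new return on a configuration setting or document the behavioural change for multi-provider setups. The comment should read "whether it's a bad username", and since the early return still skips the password-hash verification that follows for a known user, it is worth recording in the code comment, as the commit message already does, that response timing will still differ between unknown and known usernames.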
--
1.9.5 (Apple Git-50.3)
