F10774748: T134100-v4-REL1_30.patch
Authored By: Bawolff, 2017-11-13 23:35:49 (UTC+0)
Size: 2 KB
From 701d4579f75d3975ac10e947c2c3a6f6fe951856 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Mon, 13 Nov 2017 16:02:50 +0000
Subject: [PATCH] SECURITY: Do not reveal if user exists during login failure
This is meant for private wikis where the list of users may
be secret. It is only meant to prevent trivial enumeration
of usernames. It is not designed to prevent enumeration
via timing attacks.
Bug: T134100
Change-Id: I7afaa955a4b393ef00b11e420709bd62b84fbc71
---
includes/auth/LocalPasswordPrimaryAuthenticationProvider.php | 5 ++++-
languages/i18n/en.json | 2 +-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
index 7f93c12..86a6aae 100644
--- a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
+++ b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
@@ -96,7 +96,10 @@ class LocalPasswordPrimaryAuthenticationProvider
__METHOD__
);
if ( !$row ) {
- return AuthenticationResponse::newAbstain();
+ // Do not reveal whether its bad username or
+ // bad password to prevent username enumeration
+ // on private wikis. (T134100)
+ return $this->failResponse( $req );
}
$oldRow = clone $row;
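Review bot: Replacing AuthenticationResponse::newAbstain() with $this->failResponse( $req ) in the missing-row branch changes behaviour for every configuration, not only private wikis: an abstain lets AuthManager go on to any further primary provider, whereas a FAIL response ends the login attempt, so a username that exists only in a later provider is now rejected here. The commit message frames the change as meant for private wikis, but the hunk adds no condition on the wiki's read permissions; either gate it or state in the release notes that it is unconditional. Minor: in the added comment, "its" should be "it is".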
diff --git a/languages/i18n/en.json b/languages/i18n/en.json
index 6d06e40..b7a616d 100644
--- a/languages/i18n/en.json
+++ b/languages/i18n/en.json
@@ -468,7 +468,7 @@
"nosuchusershort": "There is no user by the name \"$1\".\nCheck your spelling.",
"nouserspecified": "You have to specify a username.",
"login-userblocked": "This user is blocked. Login not allowed.",
- "wrongpassword": "Incorrect password entered.\nPlease try again.",
+ "wrongpassword": "Incorrect username or password entered.\nPlease try again.",
"wrongpasswordempty": "Password entered was blank.\nPlease try again.",
"passwordtooshort": "Passwords must be at least {{PLURAL:$1|1 character|$1 characters}}.",
"passwordtoolong": "Passwords cannot be longer than {{PLURAL:$1|1 character|$1 characters}}.",
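Review bot: Rewording the existing wrongpassword key is sufficient for this file, but the diffstat shows no matching update to the message documentation (qqq.json); its description of wrongpassword should now say the message covers both an unknown username and an incorrect password. Note also that nosuchusershort, two lines above the change, is left in place, which is fine only if no login-failure path still emits it; this hunk alone cannot show that.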
--
1.9.5 (Apple Git-50.3)
Attached To:
T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password
T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases