external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix for information leak in login logic.

Browse source 
Fix for information leak in login logic.
No point telling people they have a valid username when the pass is wrong, etc.
This commit is contained in:
eliott 2008-02-17 20:37:49 -08:00 committed by Simo Leone
parent aedf2ab6a3
commit 4d9d5d3966
2 changed files with 5 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
web/lang/en/index_po.inc
View file

@ -35,16 +35,12 @@ $_t["en"]["For now, it's just a place holder."] = "For now, it's just a place ho
$_t["en"]["It's more important to get the login functionality finished."] = "It's more important to get the login functionality finished.";
$_t["en"]["Error looking up username, %s."] = "Error looking up username, %s.";
$_t["en"]["Login"] = "Login";
$_t["en"]["Though we can't vouch for their contents, we provide a %hlist of user repositories%h for your convenience."] = "Though we can't vouch for their contents, we provide a %hlist of user repositories%h for your convenience.";
$_t["en"]["If you have feedback about the AUR, please leave it in %hFlyspray%h."] = "If you have feedback about the AUR, please leave it in %hFlyspray%h.";
$_t["en"]["Incorrect password for username, %s."] = "Incorrect password for username, %s.";
$_t["en"]["Latest Packages:"] = "Latest Packages:";
$_t["en"]["Discussion about the AUR takes place on the %sTUR Users List%s."] = "Discussion about the AUR takes place on the %sTUR Users List%s.";
@ -94,6 +90,9 @@ $_t["en"]["The most popular packages will be provided as binary packages in [com
$_t["en"]["Packages added or updated in the past 7 days"] = "Packages added or updated in the past 7 days";
$_t["en"]["Out-of-date"] = "Out-of-date";
$_t["en"]["DISCLAIMER"] = "DISCLAIMER: Unsupported PKGBUILDs are user produced content, by downloading them you agree to do so at your own risk.";
$_t["en"]["Login failure: Bad user or pass."] = "Login failure: Bad user or pass.";
?>

6
web/lib/aur.inc
View file

@ -356,13 +356,11 @@ function html_header($title="") {
$q.= "AND Passwd = '" . mysql_real_escape_string($_POST["pass"]) . "'";
$result = db_query($q, $dbh);
if (!$result) {
$login_error = __("Error looking up username, %s.",
array(htmlspecialchars($_POST["user"])));
$login_error = __("Login failure: Bad user or pass.");
} else {
$row = mysql_fetch_row($result);
if (empty($row)) {
$login_error = __("Incorrect password for username, %s.",
array(htmlspecialchars($_POST["user"])));
$login_error = __("Login failure: Bad user or pass.");
} elseif ($row[1]) {
$login_error = __("Your account has been suspended.");
}