__METHOD__
);
if ( !$row ) {
- return AuthenticationResponse::newAbstain();
+ // Do not reveal whether its bad username or
+ // bad password to prevent username enumeration
+ // on private wikis. (T134100)
+ return $this->failResponse( $req );
}
$oldRow = clone $row;
// Nothing we can do besides claim it, because the user isn't in
// the DB yet
if ( $req->username !== $user->getName() ) {
- $req = clone( $req );
+ $req = clone $req;
$req->username = $user->getName();
}
$ret = AuthenticationResponse::newPass( $req->username );