From: Brian Wolff Date: Mon, 13 Nov 2017 16:02:50 +0000 (+0000) Subject: SECURITY: Do not reveal if user exists during login failure X-Git-Tag: 1.31.0-rc.0~1515 X-Git-Url: http://git.cyclocoop.org/?a=commitdiff_plain;h=e7ea90509c73c60b665b8f63e3bb95b1adfec78c;p=lhc%2Fweb%2Fwiklou.git SECURITY: Do not reveal if user exists during login failure This is meant for private wikis where the list of users may be secret. It is only meant to prevent trivial enumeration of usernames. It is not designed to prevent enumeration via timing attacks. Bug: T134100 Change-Id: I7afaa955a4b393ef00b11e420709bd62b84fbc71 --- diff --git a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php index 7f93c12d4c..86a6aae0ab 100644 --- a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php +++ b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php @@ -96,7 +96,10 @@ class LocalPasswordPrimaryAuthenticationProvider __METHOD__ ); if ( !$row ) { - return AuthenticationResponse::newAbstain(); + // Do not reveal whether its bad username or + // bad password to prevent username enumeration + // on private wikis. (T134100) + return $this->failResponse( $req ); } $oldRow = clone $row; diff --git a/languages/i18n/en.json b/languages/i18n/en.json index dc5d97d41e..5083bedae8 100644 --- a/languages/i18n/en.json +++ b/languages/i18n/en.json @@ -467,7 +467,7 @@ "nosuchusershort": "There is no user by the name \"$1\".\nCheck your spelling.", "nouserspecified": "You have to specify a username.", "login-userblocked": "This user is blocked. Login not allowed.", - "wrongpassword": "Incorrect password entered.\nPlease try again.", + "wrongpassword": "Incorrect username or password entered.\nPlease try again.", "wrongpasswordempty": "Password entered was blank.\nPlease try again.", "passwordtooshort": "Passwords must be at least {{PLURAL:$1|1 character|$1 characters}}.", "passwordtoolong": "Passwords cannot be longer than {{PLURAL:$1|1 character|$1 characters}}.",