__METHOD__
);
if ( !$row ) {
- return AuthenticationResponse::newAbstain();
+ // Do not reveal whether its bad username or
+ // bad password to prevent username enumeration
+ // on private wikis. (T134100)
+ return $this->failResponse( $req );
}
$oldRow = clone $row;
// The old hash format was just an md5 hex hash, with no type information
if ( preg_match( '/^[0-9a-f]{32}$/', $row->user_password ) ) {
if ( $this->config->get( 'PasswordSalt' ) ) {
- $row->user_password = ":A:{$row->user_id}:{$row->user_password}";
+ $row->user_password = ":B:{$row->user_id}:{$row->user_password}";
} else {
$row->user_password = ":A:{$row->user_password}";
}
// @codeCoverageIgnoreStart
if ( $this->getPasswordFactory()->needsUpdate( $pwhash ) ) {
- $pwhash = $this->getPasswordFactory()->newFromPlaintext( $req->password );
- \DeferredUpdates::addCallableUpdate( function () use ( $pwhash, $oldRow ) {
+ $newHash = $this->getPasswordFactory()->newFromPlaintext( $req->password );
+ \DeferredUpdates::addCallableUpdate( function () use ( $newHash, $oldRow ) {
$dbw = wfGetDB( DB_MASTER );
$dbw->update(
'user',
- [ 'user_password' => $pwhash->toString() ],
+ [ 'user_password' => $newHash->toString() ],
[
'user_id' => $oldRow->user_id,
'user_password' => $oldRow->user_password
// Nothing we can do besides claim it, because the user isn't in
// the DB yet
if ( $req->username !== $user->getName() ) {
- $req = clone( $req );
+ $req = clone $req;
$req->username = $user->getName();
}
$ret = AuthenticationResponse::newPass( $req->username );