__METHOD__
);
if ( !$row ) {
- return AuthenticationResponse::newAbstain();
+ // Do not reveal whether its bad username or
+ // bad password to prevent username enumeration
+ // on private wikis. (T134100)
+ return $this->failResponse( $req );
}
$oldRow = clone $row;
// The old hash format was just an md5 hex hash, with no type information
if ( preg_match( '/^[0-9a-f]{32}$/', $row->user_password ) ) {
if ( $this->config->get( 'PasswordSalt' ) ) {
- $row->user_password = ":A:{$row->user_id}:{$row->user_password}";
+ $row->user_password = ":B:{$row->user_id}:{$row->user_password}";
} else {
$row->user_password = ":A:{$row->user_password}";
}
$pwhash = null;
- if ( $this->loginOnly ) {
- $pwhash = $this->getPasswordFactory()->newFromCiphertext( null );
- $expiry = null;
- // @codeCoverageIgnoreStart
- } elseif ( get_class( $req ) === PasswordAuthenticationRequest::class ) {
- // @codeCoverageIgnoreEnd
- $pwhash = $this->getPasswordFactory()->newFromPlaintext( $req->password );
- $expiry = $this->getNewPasswordExpiry( $username );
+ if ( get_class( $req ) === PasswordAuthenticationRequest::class ) {
+ if ( $this->loginOnly ) {
+ $pwhash = $this->getPasswordFactory()->newFromCiphertext( null );
+ $expiry = null;
+ } else {
+ $pwhash = $this->getPasswordFactory()->newFromPlaintext( $req->password );
+ $expiry = $this->getNewPasswordExpiry( $username );
+ }
}
if ( $pwhash ) {
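Review bot: `$expiry` is still assigned only inside the two inner branches of the restructured block, so on the path where `$req` is not exactly a `PasswordAuthenticationRequest` it is never defined and the update under `if ( $pwhash )` is skipped only because `$pwhash` stayed null; initialising both together, `$pwhash = null;` followed by `$expiry = null;`, makes that invariant explicit instead of leaving it to the guard. The `get_class( $req ) === PasswordAuthenticationRequest::class` test is carried over from the old code and excludes subclasses, but moving `loginOnly` under it changes behaviour: in login-only mode a subclass request no longer replaces the stored hash with an invalid one, presumably because such requests belong to another provider. A short comment on the outer `if`, such as `// Exact class match on purpose: subclass requests are not ours to act on, even in loginOnly mode`, would record that intent for the next reader. The enclosing method begins before this hunk and continues after it.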
// Nothing we can do besides claim it, because the user isn't in
// the DB yet
if ( $req->username !== $user->getName() ) {
- $req = clone( $req );
+ $req = clone $req;
$req->username = $user->getName();
}
$ret = AuthenticationResponse::newPass( $req->username );