HTTP 403 for invalid login

https://github.com/FreshRSS/FreshRSS/issues/1015
And does not leak whether the user exists or not
Alexandre Alapetite
2015-10-25 13:24:48 +01:00
parent eb912cc7a8
commit 7bb28c3f2b
2 changed files with 9 additions and 8 deletions


@@ -43,7 +43,11 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
} else {
Minz_Log::notice('Nonce failure due to invalid username!');
}
$this->view->nonce = ''; //Failure
$this->view->salt1 = '';
//Failure: Return random data.
$this->view->salt1 = sprintf('$2a$%02d$', FreshRSS_user_Controller::BCRYPT_COST);
for ($i = 22; $i > 0; $i--) {
$this->view->salt1 .= './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'[rand(0, 63)];
}
$this->view->nonce = sha1(rand());
}
}
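Review bot: The placeholder salt and nonce built on the new lines are regenerated from `rand()` on every request, so the response for an unknown username varies between calls while a real user's stored salt stays constant; the enumeration leak this commit targets is narrowed but not closed. Derive the placeholder salt deterministically from the submitted username and a server-side secret so repeated requests for the same name return the same value, e.g. `$fake = hash_hmac('sha256', $username, $SERVER_SECRET_PLACEHOLDER, true);` and then map those bytes onto the `./A-Za-z0-9` alphabet instead of indexing it with `rand(0, 63)` (the username variable and any secret live outside this hunk, so both names are placeholders). `rand()` is also not a CSPRNG, and `sha1(rand())` gives the nonce at most `getrandmax()` distinct values; use `random_bytes()` (PHP 7+) or `openssl_random_pseudo_bytes()` for the nonce. The enclosing action method begins before this hunk.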