From 7bb28c3f2b77b109451e2514e83fa99789fee35e Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Sun, 25 Oct 2015 13:24:48 +0100
Subject: [PATCH 1/3] HTTP 403 for invalid login

https://github.com/FreshRSS/FreshRSS/issues/1015
And does not leak if user exists or not
---
 app/Controllers/authController.php       | 9 +++------
 app/Controllers/javascriptController.php | 8 ++++++--
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index aff184263..bccce5a59 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -123,8 +123,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 
 			$conf = get_user_configuration($username);
 			if (is_null($conf)) {
-				Minz_Request::bad(_t('feedback.auth.login.invalid'),
-				                  array('c' => 'auth', 'a' => 'login'));
+				Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
 			}
 
 			$ok = FreshRSS_FormAuth::checkCredentials(
@@ -151,8 +150,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 				                  ' user=' . $username .
 				                  ', nonce=' . $nonce .
 				                  ', c=' . $challenge);
-				Minz_Request::bad(_t('feedback.auth.login.invalid'),
-				                  array('c' => 'auth', 'a' => 'login'));
+				Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
 			}
 		} elseif (FreshRSS_Context::$system_conf->unsafe_autologin_enabled) {
 			$username = Minz_Request::param('u', '');
@@ -184,8 +182,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 				                   array('c' => 'index', 'a' => 'index'));
 			} else {
 				Minz_Log::warning('Unsafe password mismatch for user ' . $username);
-				Minz_Request::bad(_t('feedback.auth.login.invalid'),
-				                  array('c' => 'auth', 'a' => 'login'));
+				Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
 			}
 		}
 	}
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index 421cf6f72..f8746240c 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -43,7 +43,11 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
 		} else {
 			Minz_Log::notice('Nonce failure due to invalid username!');
 		}
-		$this->view->nonce = '';	//Failure
-		$this->view->salt1 = '';
+		//Failure: Return random data.
+		$this->view->salt1 = sprintf('$2a$%02d$', FreshRSS_user_Controller::BCRYPT_COST);
+		for ($i = 22; $i > 0; $i--) {
+			$this->view->salt1 .= './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'[rand(0, 63)];
+		}
+		$this->view->nonce = sha1(rand());
 	}
 }

From ad1f0cb96b3eefdeac5031e59c8810fc9427b6e2 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Sun, 25 Oct 2015 19:31:41 +0100
Subject: [PATCH 2/3] Return after 403

https://github.com/FreshRSS/FreshRSS/pull/1016
https://github.com/FreshRSS/FreshRSS/issues/1015
---
 app/Controllers/authController.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index bccce5a59..f58b008de 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -124,6 +124,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 			$conf = get_user_configuration($username);
 			if (is_null($conf)) {
 				Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
+				return;
 			}
 
 			$ok = FreshRSS_FormAuth::checkCredentials(

From c992b683a8467de60136e4d4b1860f06a746c6b1 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Mon, 26 Oct 2015 17:38:32 +0100
Subject: [PATCH 3/3] PHP 5.2 compatibility

https://github.com/FreshRSS/FreshRSS/pull/1016
https://github.com/FreshRSS/FreshRSS/issues/1015
It is first PHP 5.5 that added support for accessing characters within
string literals using []...
---
 app/Controllers/javascriptController.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index f8746240c..e3ae3669e 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -45,8 +45,9 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
 		}
 		//Failure: Return random data.
 		$this->view->salt1 = sprintf('$2a$%02d$', FreshRSS_user_Controller::BCRYPT_COST);
+		$alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
 		for ($i = 22; $i > 0; $i--) {
-			$this->view->salt1 .= './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'[rand(0, 63)];
+			$this->view->salt1 .= $alphabet[rand(0, 63)];
 		}
 		$this->view->nonce = sha1(rand());
 	}