GitInfo: Don't try shelling out if it's disabled
[lhc/web/wiklou.git]
/
includes
/
auth
/
LocalPasswordPrimaryAuthenticationProvider.php
diff --git
a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
index
fd36887
..
86a6aae
100644
(file)
--- a/
includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
+++ b/
includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
@@
-96,7
+96,10
@@
class LocalPasswordPrimaryAuthenticationProvider
__METHOD__
);
if ( !$row ) {
__METHOD__
);
if ( !$row ) {
- return AuthenticationResponse::newAbstain();
+ // Do not reveal whether its bad username or
+ // bad password to prevent username enumeration
+ // on private wikis. (T134100)
+ return $this->failResponse( $req );
}
$oldRow = clone $row;
}
$oldRow = clone $row;
@@
-297,7
+300,7
@@
class LocalPasswordPrimaryAuthenticationProvider
// Nothing we can do besides claim it, because the user isn't in
// the DB yet
if ( $req->username !== $user->getName() ) {
// Nothing we can do besides claim it, because the user isn't in
// the DB yet
if ( $req->username !== $user->getName() ) {
- $req = clone
( $req )
;
+ $req = clone
$req
;
$req->username = $user->getName();
}
$ret = AuthenticationResponse::newPass( $req->username );
$req->username = $user->getName();
}
$ret = AuthenticationResponse::newPass( $req->username );
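Review bot: In the first hunk, the new `return $this->failResponse( $req );` inside `if ( !$row )` makes the response uniform, but the branch still returns before any password hash is checked, so response time may still separate unknown usernames from known ones. The verification code is outside this hunk, so this is inferred. If the existing-user path does run a costly hash comparison, consider running an equivalent comparison against a fixed dummy hash before failing here, or record the gap with a comment such as `// NOTE: response time is not equalised with the existing-user path`. It is also worth confirming that `failResponse()`, defined outside this hunk, does not turn the former abstain into a hard failure where several primary providers are configured, since a later provider would then never see usernames missing from the local table.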