Merge "Warn if stateful ParserOutput transforms are used"

[lhc/web/wiklou.git] / includes / auth / LocalPasswordPrimaryAuthenticationProvider.php

diff --git a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
index 7f93c12..86a6aae 100644 (file)
--- a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
+++ b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
@@ -96,7 +96,10 @@ class LocalPasswordPrimaryAuthenticationProvider
                        __METHOD__
                );
                if ( !$row ) {
-                       return AuthenticationResponse::newAbstain();
+                       // Do not reveal whether its bad username or
+                       // bad password to prevent username enumeration
+                       // on private wikis. (T134100)
+                       return $this->failResponse( $req );
                }
 
                $oldRow = clone $row;