dépôts / lhc / web / wiklou.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 47d437a) | patch
Fix login API for users with @ in their usernames
authorGergő Tisza <gtisza@wikimedia.org>
Tue, 13 Sep 2016 23:25:49 +0000 (23:25 +0000)
committerGergő Tisza <gtisza@wikimedia.org>
Wed, 14 Sep 2016 01:47:52 +0000 (01:47 +0000)
commitaf37a4c77dc7fbea200d761f112e27479e747063
treedb40728a2ec408ec36981f3b4c6a7b540f239b96tree | snapshot
parent47d437a6c966c732b575d780d90bccf86d7079b9commit | diff
Fix login API for users with @ in their usernames

An @ in the username caused the password to be treated as a bot password,
but apparently some real usernames still contain it. Try both logins
instead. Security considerations are the same as for the other bot
password syntax: the length check makes sure we do not provide any
information on a timing side channel about the password unless it is
extremely long.

Change-Id: I58f42544a08c3208c41f54cfae932632d9c5affa
includes/user/BotPassword.php diff | blob | history
tests/phpunit/includes/api/ApiLoginTest.php diff | blob | history
tests/phpunit/includes/user/BotPasswordTest.php diff | blob | history
Wiklou, le Wiki du Wiklou