author | eliott <eliott@cactuswax.net> | 2008-02-17 20:37:49 -0800 |
committer | Simo Leone <simo@archlinux.org> | 2008-02-18 17:55:28 -0600 |
commit | 4d9d5d39666addc2afbb61bb04b00dc1ed707ecc (patch) | |
tree | ddc134b03ab8c87737cd62862f01ffc9960031fb /web/lib | |
parent | aedf2ab6a390b62f1a0de8afe18a5aa53075b9ef (diff) | |
download | aurweb-4d9d5d39666addc2afbb61bb04b00dc1ed707ecc.tar.xz |
Fix for information leak in login logic.
Fix for information leak in login logic.
There is no point in telling people they have guessed a valid username when the password is wrong, etc. — the distinct messages allowed username enumeration.
Diffstat (limited to 'web/lib')
-rw-r--r-- | web/lib/aur.inc | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/web/lib/aur.inc b/web/lib/aur.inc
index 234dca9..e7e8c49 100644
--- a/web/lib/aur.inc
+++ b/web/lib/aur.inc
@@ -356,13 +356,11 @@ function html_header($title="") {
 $q.= "AND Passwd = '" . mysql_real_escape_string($_POST["pass"]) . "'";
 $result = db_query($q, $dbh);
 if (!$result) {
- $login_error = __("Error looking up username, %s.",
- array(htmlspecialchars($_POST["user"])));
+ $login_error = __("Login failure: Bad user or pass.");
 } else {
 $row = mysql_fetch_row($result);
 if (empty($row)) {
- $login_error = __("Incorrect password for username, %s.",
- array(htmlspecialchars($_POST["user"])));
+ $login_error = __("Login failure: Bad user or pass.");
 } elseif ($row[1]) {
 $login_error = __("Your account has been suspended.");
 }
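Review bot: The `if (!$result)` branch now reports `Login failure: Bad user or pass.` for what is a failed database query, not a credential mismatch, so a broken query becomes indistinguishable from a wrong password and nothing about the real cause is recorded anywhere. Keep the generic user-facing string, but log the actual error server-side before the assignment, e.g. `error_log("login: db_query failed: " . mysql_error($dbh));`. Separately, the context line compares the `Passwd` column directly against the escaped `$_POST["pass"]`; unless that value is hashed earlier in the function (not visible in this hunk), the comparison is against a plaintext password, and a generic error message does little if the table itself is readable. The enclosing login function starts before this hunk and continues after it.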