On 05/16/2015 05:04 PM, Andrew Shadura wrote:
# HG changeset patch
# User Andrew Shadura <and...@shadura.me>
# Date 1431788631 -7200
#      Sat May 16 17:03:51 2015 +0200
# Node ID cb911e90e205bdb18fc2e2bd66549ea388d00413
# Parent  388a6eada55925cb55cd2368e47a6115d833b4c1
privacy: don't tell users what is the reason for a failed login

I think the current implementation is wrong when it does any kind of login verification in the user friendly form code. The authentication should be done explicitly in the controller. (That would also make the email login simpler.)

So while this patch makes it less wrong, I still think it is a bit pointless.

/Mads


Makes it harder for strangers to probe the instance for the presence of
certain users. This can make it harder to break in, as it is now
harder to tell if a username or a password is wrong, so bruteforcing
should probably take a bit longer if you don't know what exactly you
are doing.

diff --git a/kallithea/model/validators.py b/kallithea/model/validators.py
--- a/kallithea/model/validators.py
+++ b/kallithea/model/validators.py
@@ -305,9 +305,7 @@ def ValidPasswordsMatch(passwd='new_pass
  def ValidAuth():
      class _validator(formencode.validators.FancyValidator):
          messages = {
-            'invalid_password': _(u'invalid password'),
-            'invalid_username': _(u'invalid user name'),
-            'disabled_account': _(u'Your account is disabled')
+            'invalid_auth': _(u'Invalid user name or password')
          }
def validate_python(self, value, state):
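Review bot: after this hunk `invalid_auth` is the only key left in `messages`, so any remaining `M(self, 'invalid_username', state)`, `'invalid_password'` or `'disabled_account'` lookup elsewhere in the class will fail at runtime; the second hunk updates the two uses in `validate_python`, but please grep for the old keys before landing and update the translation catalogs for the new string.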
@@ -325,16 +323,15 @@ def ValidAuth():
                  user = User.get_by_username(username)
                  if user and not user.active:
                      log.warning('user %s is disabled' % username)
-                    msg = M(self, 'disabled_account', state)
+                    msg = M(self, 'invalid_auth', state)
                      raise formencode.Invalid(msg, value, state,
-                        error_dict=dict(username=msg)
+                        error_dict=dict(username=' ',password=msg)
                      )
                  else:
                      log.warning('user %s failed to authenticate' % username)
-                    msg = M(self, 'invalid_username', state)
-                    msg2 = M(self, 'invalid_password', state)
+                    msg = M(self, 'invalid_auth', state)
                      raise formencode.Invalid(msg, value, state,
-                        error_dict=dict(username=msg, password=msg2)
+                        error_dict=dict(username=' ',password=msg)
                      )
      return _validator
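Review bot: `username=' '` attaches a single-space error to the username field, which renders as an empty error marker rather than no error; if the intent is only to highlight the field, attaching the same `msg` to both fields or only to `password` is clearer, and either way add the space after the comma (`username=' ', password=msg`). The two branches still log distinct warnings, which is fine since that stays server-side, but the patch only unifies the message, not the work done on each path, so it is worth confirming that the disabled-account branch does not return measurably faster than a failed password check.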
_______________________________________________
kallithea-general mailing list
kallithea-general@sfconservancy.org
http://lists.sfconservancy.org/mailman/listinfo/kallithea-general