kallithea Changeset - b75f1d0753d6

Changeset - b75f1d0753d6

Parent rev.

Child rev.

[Not reviewed]

default

0 3 0

Andrew Shadura - 11 years ago 2015-05-16 17:03:51
andrew@shadura.me

privacy: don't tell users what is the reason for a failed login

Makes it harder for strangers to probe the instance for presence of
certain users. This can make it harder to break in, as it is now
harder to tell is a username or a password are wrong, so bruteforcing
should probably take a bit longer if you don't know what exactly are
you doing.

3 files changed with 8 insertions and 13 deletions:

kallithea/model/validators.py

kallithea/tests/__init__.py

kallithea/tests/functional/test_login.py

0 comments (0 inline, 0 general)

kallithea/model/validators.py

➞

Show inline comments

@@ @@ -295,15 +295,13 @@ def ValidPasswordsMatch(password_field, @@
     return _validator
 def ValidAuth():
     class _validator(formencode.validators.FancyValidator):
         messages = {
             'invalid_password': _('Invalid password'),
             'invalid_username': _('Invalid username'),
             'disabled_account': _('Account has been disabled')
             'invalid_auth': _(u'Invalid username or password'),
+        }
         def validate_python(self, value, state):
             from kallithea.lib import auth_modules
             password = value['password']
@@ @@ -312,22 +310,21 @@ def ValidAuth(): @@
             # authenticate returns unused dict but has called
             # plugin._authenticate which has create_or_update'ed the username user in db
             if auth_modules.authenticate(username, password) is None:
                 user = User.get_by_username(username)
                 if user and not user.active:
                     log.warning('user %s is disabled' % username)
-                    msg = M(self, 'disabled_account', state)
+                    msg = M(self, 'invalid_auth', state)
                     raise formencode.Invalid(msg, value, state,
                         error_dict=dict(username=msg)
+                        error_dict=dict(username=' ', password=msg)
+                    )
                 else:
                     log.warning('user %s failed to authenticate' % username)
                     msg = M(self, 'invalid_username', state)
                     msg2 = M(self, 'invalid_password', state)
                     msg = M(self, 'invalid_auth', state)
                     raise formencode.Invalid(msg, value, state,
-                        error_dict=dict(username=msg, password=msg2)
+                        error_dict=dict(username=' ', password=msg)
+                    )
     return _validator
 def ValidAuthToken():
     class _validator(formencode.validators.FancyValidator):

kallithea/tests/__init__.py

➞

Show inline comments

@@ @@ -212,13 +212,13 @@ class TestController(BaseTestCase): @@
                  password=TEST_USER_ADMIN_PASS):
         self._logged_username = username
         response = self.app.post(url(controller='login', action='index'),
                                  {'username': username,
                                   'password': password})
-        if 'invalid user name' in response.body:
+        if 'Invalid username or password' in response.body:
             self.fail('could not login using %s %s' % (username, password))
         self.assertEqual(response.status, '302 Found')
         self.assert_authenticated_user(response, username)
         response = response.follow()

kallithea/tests/functional/test_login.py

➞

Show inline comments

@@ @@ -126,14 +126,13 @@ class TestLoginController(TestController @@
     def test_login_wrong_username_password(self):
         response = self.app.post(url(controller='login', action='index'),
                                  {'username': 'error',
                                   'password': 'test12'})
         response.mustcontain('Invalid username')
         response.mustcontain('Invalid password')
         response.mustcontain('Invalid username or password')
     # verify that get arguments are correctly passed along login redirection
     @parameterized.expand([
         ({'foo':'one', 'bar':'two'}, ('foo=one', 'bar=two')),
         ({'blue': u'blå'.encode('utf-8'), 'green':u'grøn'},
@@ @@ -184,14 +183,13 @@ class TestLoginController(TestController @@
         response = self.app.post(url(controller='login', action='index',
                                      came_from = '/_admin/users',
                                      **args),
                                  {'username': 'error',
                                   'password': 'test12'})
         response.mustcontain('Invalid username')
         response.mustcontain('Invalid password')
         response.mustcontain('Invalid username or password')
         for encoded in args_encoded:
             self.assertIn(encoded, response.form.action)
     #==========================================================================
     # REGISTRATIONS
     #==========================================================================

0 comments (0 inline, 0 general)