[aur-dev] [PATCH] Fix for information leak in login logic.

eliott eliott at cactuswax.net
Sun Feb 17 15:38:41 EST 2008


---
 web/lang/en/index_po.inc |    7 +++----
 web/lib/aur.inc          |    6 ++----
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/web/lang/en/index_po.inc b/web/lang/en/index_po.inc
index 66a7834..bdeb87f 100644
--- a/web/lang/en/index_po.inc
+++ b/web/lang/en/index_po.inc
@@ -35,16 +35,12 @@ $_t["en"]["For now, it's just a place holder."] = "For now, it's just a place ho
 
 $_t["en"]["It's more important to get the login functionality finished."] = "It's more important to get the login functionality finished.";
 
-$_t["en"]["Error looking up username, %s."] = "Error looking up username, %s.";
-
 $_t["en"]["Login"] = "Login";
 
 $_t["en"]["Though we can't vouch for their contents, we provide a %hlist of user repositories%h for your convenience."] = "Though we can't vouch for their contents, we provide a %hlist of user repositories%h for your convenience.";
 
 $_t["en"]["If you have feedback about the AUR, please leave it in %hFlyspray%h."] = "If you have feedback about the AUR, please leave it in %hFlyspray%h.";
 
-$_t["en"]["Incorrect password for username, %s."] = "Incorrect password for username, %s.";
-
 $_t["en"]["Latest Packages:"] = "Latest Packages:";
 
 $_t["en"]["Discussion about the AUR takes place on the %sTUR Users List%s."] = "Discussion about the AUR takes place on the %sTUR Users List%s.";
@@ -94,6 +90,9 @@ $_t["en"]["The most popular packages will be provided as binary packages in [com
 $_t["en"]["Packages added or updated in the past 7 days"] = "Packages added or updated in the past 7 days";
 
 $_t["en"]["Out-of-date"] = "Out-of-date";
+
 $_t["en"]["DISCLAIMER"] = "DISCLAIMER: Unsupported PKGBUILDs are user produced content, by downloading them you agree to do so at your own risk.";
 
+$_t["en"]["Login failure: Bad user or pass."] = "Login failure: Bad user or pass.";
+
 ?>
diff --git a/web/lib/aur.inc b/web/lib/aur.inc
index 5dec6e3..5cfb3c8 100644
--- a/web/lib/aur.inc
+++ b/web/lib/aur.inc
@@ -363,13 +363,11 @@ function html_header($title="") {
 			$q.= "AND Passwd = '" . mysql_real_escape_string($_POST["pass"]) . "'";
 			$result = db_query($q, $dbh);
 			if (!$result) {
-				$login_error = __("Error looking up username, %s.",
-							array(htmlspecialchars($_POST["user"])));
+                $login_error = __("Login failure: Bad user or pass.");
 			} else {
 				$row = mysql_fetch_row($result);
 				if (empty($row)) {
-					$login_error = __("Incorrect password for username, %s.",
-							array(htmlspecialchars($_POST["user"])));
+				    $login_error = __("Login failure: Bad user or pass.");
 				} elseif ($row[1]) {
 					$login_error = __("Your account has been suspended.");
 				}
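Review bot: The `if (!$result)` branch now reports a failed `db_query` as `Login failure: Bad user or pass.`, so a broken or unavailable database becomes indistinguishable from a wrong password and nothing records the real cause; keep the generic message for the user but log the failure first, e.g. `error_log('login: db_query failed: ' . mysql_error($dbh));` before the assignment on the first added line. The two added lines are also indented with spaces and with a tab-plus-spaces mix respectively, while the surrounding block uses tabs only; they should use the file's tab indentation. The enclosing function starts and ends outside the hunk.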
-- 
1.5.3.7




