[aur-dev] [PATCH] Fix for information leak in login logic.

Loui louipc.ist at gmail.com
Sun Feb 17 17:40:34 EST 2008


Hey take a look at my last patch. This is fixed as well, login is
moved into its own function and the login form template is used. I'll
ping the thread so you can see it.

On Sun, Feb 17, 2008 at 3:38 PM, eliott <eliott at cactuswax.net> wrote:
> ---
>   web/lang/en/index_po.inc |    7 +++----
>   web/lib/aur.inc          |    6 ++----
>   2 files changed, 5 insertions(+), 8 deletions(-)
>
>  diff --git a/web/lang/en/index_po.inc b/web/lang/en/index_po.inc
>  index 66a7834..bdeb87f 100644
>  --- a/web/lang/en/index_po.inc
>  +++ b/web/lang/en/index_po.inc
>  @@ -35,16 +35,12 @@ $_t["en"]["For now, it's just a place holder."] = "For now, it's just a place ho
>
>   $_t["en"]["It's more important to get the login functionality finished."] = "It's more important to get the login functionality finished.";
>
>  -$_t["en"]["Error looking up username, %s."] = "Error looking up username, %s.";
>  -
>   $_t["en"]["Login"] = "Login";
>
>   $_t["en"]["Though we can't vouch for their contents, we provide a %hlist of user repositories%h for your convenience."] = "Though we can't vouch for their contents, we provide a %hlist of user repositories%h for your convenience.";
>
>   $_t["en"]["If you have feedback about the AUR, please leave it in %hFlyspray%h."] = "If you have feedback about the AUR, please leave it in %hFlyspray%h.";
>
>  -$_t["en"]["Incorrect password for username, %s."] = "Incorrect password for username, %s.";
>  -
>   $_t["en"]["Latest Packages:"] = "Latest Packages:";
>
>   $_t["en"]["Discussion about the AUR takes place on the %sTUR Users List%s."] = "Discussion about the AUR takes place on the %sTUR Users List%s.";
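Review bot: the diffstat lists only web/lang/en/index_po.inc, so the other locale files under web/lang/ keep the two removed keys and get no entry for the new "Login failure: Bad user or pass." message; either update the other index_po.inc files in the same patch or note that as a follow-up so the generic message is translated everywhere the login code can run.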
>  @@ -94,6 +90,9 @@ $_t["en"]["The most popular packages will be provided as binary packages in [com
>   $_t["en"]["Packages added or updated in the past 7 days"] = "Packages added or updated in the past 7 days";
>
>   $_t["en"]["Out-of-date"] = "Out-of-date";
>  +
>   $_t["en"]["DISCLAIMER"] = "DISCLAIMER: Unsupported PKGBUILDs are user produced content, by downloading them you agree to do so at your own risk.";
>
>  +$_t["en"]["Login failure: Bad user or pass."] = "Login failure: Bad user or pass.";
>  +
>   ?>
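Review bot: the lone `+` blank line after the "Out-of-date" entry is unrelated whitespace noise; drop it so this hunk only adds the new "Login failure: Bad user or pass." key (the blank line before `?>` is fine, since the file already separates entries that way).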
>  diff --git a/web/lib/aur.inc b/web/lib/aur.inc
>  index 5dec6e3..5cfb3c8 100644
>  --- a/web/lib/aur.inc
>  +++ b/web/lib/aur.inc
>  @@ -363,13 +363,11 @@ function html_header($title="") {
>                         $q.= "AND Passwd = '" . mysql_real_escape_string($_POST["pass"]) . "'";
>                         $result = db_query($q, $dbh);
>                         if (!$result) {
>  -                               $login_error = __("Error looking up username, %s.",
>  -                                                       array(htmlspecialchars($_POST["user"])));
>  +                $login_error = __("Login failure: Bad user or pass.");
>                         } else {
>                                 $row = mysql_fetch_row($result);
>                                 if (empty($row)) {
>  -                                       $login_error = __("Incorrect password for username, %s.",
>  -                                                       array(htmlspecialchars($_POST["user"])));
>  +                                   $login_error = __("Login failure: Bad user or pass.");
>                                 } elseif ($row[1]) {
>                                         $login_error = __("Your account has been suspended.");
>                                 }
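Review bot: the `if (!$result)` branch fires when db_query fails, not when the credentials are wrong, so replacing its message with "Login failure: Bad user or pass." hides a database error behind a credentials message; keep the generic text for the user but log the query error server-side in that branch. The unified message is right for the `empty($row)` branch: because the password check is part of the same query (`AND Passwd = '...'`), an empty result never distinguished an unknown user from a wrong password, and echoing `$_POST["user"]` back only confirmed to the client which of the two it was. Also match the surrounding tab indentation on the two replacement lines, which are currently indented with spaces at two different depths.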
>  --
>  1.5.3.7