[aur-dev] [PATCH] Fix for information leak in login logic.
Loui
louipc.ist at gmail.com
Sun Feb 17 18:03:14 EST 2008
Yep, that's what my patches are based off of.
On Sun, Feb 17, 2008 at 5:42 PM, eliott <eliott at cactuswax.net> wrote:
> I was just working off the current 'testing' branch on
> projects.archlinux.org for the AUR.
>
> On 2/17/08, Loui <louipc.ist at gmail.com> wrote:
> > Hey, take a look at my last patch. This is fixed as well, login is
> > moved into its own function and the login form template is used. I'll
> > ping the thread so you can see it.
> >
> > On Sun, Feb 17, 2008 at 3:38 PM, eliott <eliott at cactuswax.net> wrote:
> > > ---
> > > web/lang/en/index_po.inc | 7 +++----
> > > web/lib/aur.inc | 6 ++----
> > > 2 files changed, 5 insertions(+), 8 deletions(-)
> > >
> > > diff --git a/web/lang/en/index_po.inc b/web/lang/en/index_po.inc
> > > index 66a7834..bdeb87f 100644
> > > --- a/web/lang/en/index_po.inc
> > > +++ b/web/lang/en/index_po.inc
> > > @@ -35,16 +35,12 @@ $_t["en"]["For now, it's just a place holder."] = "For now, it's just a place ho
> > >
> > > $_t["en"]["It's more important to get the login functionality finished."] = "It's more important to get the login functionality finished.";
> > >
> > > -$_t["en"]["Error looking up username, %s."] = "Error looking up username, %s.";
> > > -
> > > $_t["en"]["Login"] = "Login";
> > >
> > > $_t["en"]["Though we can't vouch for their contents, we provide a %hlist of user repositories%h for your convenience."] = "Though we can't vouch for their contents, we provide a %hlist of user repositories%h for your convenience.";
> > >
> > > $_t["en"]["If you have feedback about the AUR, please leave it in %hFlyspray%h."] = "If you have feedback about the AUR, please leave it in %hFlyspray%h.";
> > >
> > > -$_t["en"]["Incorrect password for username, %s."] = "Incorrect password for username, %s.";
> > > -
> > > $_t["en"]["Latest Packages:"] = "Latest Packages:";
> > >
> > > $_t["en"]["Discussion about the AUR takes place on the %sTUR Users List%s."] = "Discussion about the AUR takes place on the %sTUR Users List%s.";
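Review bot: the two removed keys ("Error looking up username, %s." and "Incorrect password for username, %s.") are only deleted from the English catalogue, and the diffstat shows no other files under web/lang/ are touched, so every other locale keeps two now-unreferenced strings and gets no entry for the replacement key. Apply the same removal and the new "Login failure: Bad user or pass." key to the other web/lang/*/index_po.inc files in the same patch, so translators see the change and the other locales do not depend on whatever __() does for a missing key.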
> > > @@ -94,6 +90,9 @@ $_t["en"]["The most popular packages will be provided as binary packages in [com
> > > $_t["en"]["Packages added or updated in the past 7 days"] = "Packages added or updated in the past 7 days";
> > >
> > > $_t["en"]["Out-of-date"] = "Out-of-date";
> > > +
> > > $_t["en"]["DISCLAIMER"] = "DISCLAIMER: Unsupported PKGBUILDs are user produced content, by downloading them you agree to do so at your own risk.";
> > >
> > > +$_t["en"]["Login failure: Bad user or pass."] = "Login failure: Bad user or pass.";
> > > +
> > > ?>
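Review bot: the added blank line before the `$_t["en"]["DISCLAIMER"]` entry is an unrelated whitespace-only change and should be dropped from a patch titled as a security fix. The new key itself would read better next to the existing "Login" entry, where the two strings it replaces used to sit, rather than appended at the end of the file just before `?>`; grouping the login messages together makes the next audit of these strings easier. Since this is user-facing text, consider spelling it out ("Login failure: bad username or password.") rather than the abbreviated "user or pass".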
> > > diff --git a/web/lib/aur.inc b/web/lib/aur.inc
> > > index 5dec6e3..5cfb3c8 100644
> > > --- a/web/lib/aur.inc
> > > +++ b/web/lib/aur.inc
> > > @@ -363,13 +363,11 @@ function html_header($title="") {
> > > $q.= "AND Passwd = '" . mysql_real_escape_string($_POST["pass"]) . "'";
> > > $result = db_query($q, $dbh);
> > > if (!$result) {
> > > - $login_error = __("Error looking up username, %s.",
> > > - array(htmlspecialchars($_POST["user"])));
> > > + $login_error = __("Login failure: Bad user or pass.");
> > > } else {
> > > $row = mysql_fetch_row($result);
> > > if (empty($row)) {
> > > - $login_error = __("Incorrect password for username, %s.",
> > > - array(htmlspecialchars($_POST["user"])));
> > > + $login_error = __("Login failure: Bad user or pass.");
> > > } elseif ($row[1]) {
> > > $login_error = __("Your account has been suspended.");
> > > }
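Review bot: in the `if (!$result)` branch the generic message now hides a database/query failure from the user, which is correct, but nothing records it server-side, so an outage of `db_query()` becomes indistinguishable from a stream of bad credentials in any log an operator would look at. Keep the generic `$login_error` but add a server-side log of the failed query (without the password) in that branch before setting the message. Returning the same "Login failure: Bad user or pass." string for both the query-error and the empty-row case does close the username-enumeration leak the subject line describes; note that the `elseif ($row[1])` "Your account has been suspended." branch still confirms a valid credential pair, which is acceptable only if suspended users are meant to learn that. The identical literal is now written twice; assigning it once above the `if` and clearing it on success would avoid the two strings drifting apart later.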
> > > --
> > > 1.5.3.7