Subject: [PATCH] r1472: Do not distinguish between invalid user name and invalid password --- debian/changelog | 3 ++ src/elog.c | 12 +++------ src/elogd.c | 70 ++++++++++++++---------------------------------------- 3 files changed, 25 insertions(+), 60 deletions(-) 4496b5d8e83505698c9c16c527653f2224499fda diff --git a/debian/changelog b/debian/changelog index 36c80d1..07e1ce7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,9 @@ elog (2.5.7+r1558-4+sarge1) unstable; ur "Fixed crashes with very long (revisions) attributes" * Backport r1335 from upstream's Subversion repository: "Applied patch from Emiliano to fix possible buffer overflow" + * Backport r1472 from upstream's Subversion repository: + "Do not distinguish between invalid user name and invalid password for + security reasons" -- Florian Weimer Mon, 23 Jan 2006 15:56:37 +0100 diff --git a/src/elog.c b/src/elog.c index 60f4efe..9a2d1db 100755 --- a/src/elog.c +++ b/src/elog.c @@ -527,10 +527,8 @@ INT retrieve_elog(char *host, int port, if (strstr(response, "302 Found")) { if (strstr(response, "Location:")) { - if (strstr(response, "wpwd")) - printf("Error: Invalid password\n"); - else if (strstr(response, "wusr")) - printf("Error: Invalid user name\n"); + if (strstr(response, "fail")) + printf("Error: Invalid user name or password\n"); else { strncpy(str, strstr(response, "Location:") + 10, sizeof(str)); if (strchr(str, '?')) @@ -922,10 +920,8 @@ INT submit_elog(char *host, int port, ch /* check response status */ if (strstr(response, "302 Found")) { if (strstr(response, "Location:")) { - if (strstr(response, "wpwd")) - printf("Error: Invalid password\n"); - else if (strstr(response, "wusr")) - printf("Error: Invalid user name\n"); + if (strstr(response, "fail")) + printf("Error: Invalid user name or password\n"); else { strncpy(str, strstr(response, "Location:") + 10, sizeof(str)); if (strchr(str, '?')) diff --git a/src/elogd.c b/src/elogd.c index 5417544..9d259b4 100755 --- a/src/elogd.c 
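Review bot: The new test `if (strstr(response, "fail"))` in retrieve_elog matches the bare word anywhere in the response headers, so a redirect whose Location URL merely contains "fail" (a logbook or path name, for instance) is reported as a bad login; the old wpwd/wusr tokens were unlikely to collide that way. Since the server appends either `?fail=1` or `&fail=1` depending on whether the redirect already has a query string, test for the marker itself: `if (strstr(response, "?fail=") || strstr(response, "&fail="))`. The unchanged `strncpy(str, strstr(response, "Location:") + 10, sizeof(str))` in the else branch does not guarantee NUL termination; that predates this commit but is worth a follow-up. retrieve_elog starts before this hunk and continues after it.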
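Review bot: `if (strstr(response, "fail"))` in submit_elog has the same loose match as in retrieve_elog: the plain word "fail" anywhere in the response, including a Location URL that just happens to contain it, is reported as an invalid user name or password. Test for the marker itself, `if (strstr(response, "?fail=") || strstr(response, "&fail="))`, which covers both spellings the server emits. submit_elog starts before this hunk and continues after it.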
+++ b/src/elogd.c @@ -11437,11 +11437,8 @@ int retrieve_remote_md5(LOGBOOK * lbs, c if (isparam("debug")) rsputs(text); - if (strstr(text, "?wusr=")) - sprintf(error_str, loc("User \"%s\" has no access to remote logbook"), getparam("unm")); - else if (strstr(text, "?wpwd=")) - sprintf(error_str, - loc("Passwords for user \"%s\" do not match locally and remotely"), getparam("unm")); + if (strstr(text, "?fail=")) + sprintf(error_str, loc("Invalid user name \"%s\" or password for remote logbook"), getparam("unm")); else { strlcpy(str, p + 9, sizeof(str)); if (strchr(str, '?')) @@ -11764,10 +11761,8 @@ int submit_message(LOGBOOK * lbs, char * /* check response status */ if (strstr(response, "302 Found")) { if (strstr(response, "Location:")) { - if (strstr(response, "wpwd")) - sprintf(error_str, "Invalid password\n"); - else if (strstr(response, "wusr")) - sprintf(error_str, "Invalid user name\n"); + if (strstr(response, "fail")) + sprintf(error_str, "Invalid user name or password\n"); strlcpy(str, strstr(response, "Location:") + 9, sizeof(str)); if (strchr(str, '\n')) @@ -12058,10 +12053,8 @@ void submit_config(LOGBOOK * lbs, char * /* check response status */ if (strstr(response, "302 Found")) { if (strstr(response, "Location:")) { - if (strstr(response, "wpwd")) - sprintf(error_str, "Invalid password\n"); - else if (strstr(response, "wusr")) - sprintf(error_str, "Invalid user name\n"); + if (strstr(response, "fail")) + sprintf(error_str, "Invalid usr name or password\n"); } } else if (strstr(response, "Logbook Selection")) sprintf(error_str, "No logbook specified\n"); @@ -12342,7 +12335,7 @@ void receive_pwdfile(LOGBOOK * lbs, char /* check for logbook access */ if (strstr(p, loc("Please login")) || strstr(p, "GetPwdFile") || status == 302) { - if (strstr(buffer, "?wusr=") || strstr(buffer, "?wpwd=")) + if (strstr(buffer, "?fail=")) eprintf("\nInvalid username or password."); if (strstr(p, loc("Please login")) == NULL && strstr(p, "GetPwdFile") && isparam("unm")) 
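Review bot: `if (strstr(text, "?fail="))` only recognises the form check_password produces when the redirect URL has no query string; when it already has one the server appends `&fail=1` instead (see the check_password hunk below), and that case falls into the else branch and is handled as an ordinary redirect. Accept both spellings: `if (strstr(text, "?fail=") || strstr(text, "&fail="))`. The same gap existed with the old `?wusr=`/`?wpwd=` tokens, so this is not a regression, but this commit is the natural place to close it. retrieve_remote_md5 starts before this hunk and continues after it.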
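Review bot: `if (strstr(response, "fail"))` in submit_message matches that word anywhere in the response, so a Location URL that merely contains "fail" will be reported as a login failure. Test for the marker the server actually appends, `if (strstr(response, "?fail=") || strstr(response, "&fail="))`, since check_password emits either form. As before, after setting error_str the code still falls through to copy the Location header. submit_message starts before this hunk and continues after it.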
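Review bot: The new message `sprintf(error_str, "Invalid usr name or password\n");` has a typo, usr for user, in user-visible text; it should read `"Invalid user name or password\n"` to match the other hunks. The match `strstr(response, "fail")` is also loose: it matches the word anywhere in the response rather than the `?fail=`/`&fail=` marker the server appends, and would misreport a redirect whose URL merely contains it. submit_config starts before this hunk and continues after it.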
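Review bot: `if (strstr(buffer, "?fail="))` misses the `&fail=1` variant that check_password appends when the redirect already carries a query string, so in that case the login failure is silently not reported. Widen the check to `if (strstr(buffer, "?fail=") || strstr(buffer, "&fail="))`. The same limitation existed with `?wusr=`/`?wpwd=` before, so this is not a regression introduced here. receive_pwdfile starts before this hunk and continues after it.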
@@ -18222,12 +18215,12 @@ BOOL check_password(LOGBOOK * lbs, char if (strcmp(password, str) == 0) return TRUE; - if (!isparam("wpwd") && password[0]) { + if (!isparam("fail") && password[0]) { strlcpy(str, redir, sizeof(str)); if (strchr(str, '?')) - strlcat(str, "&wpwd=1", sizeof(str)); + strlcat(str, "&fail=1", sizeof(str)); else - strlcat(str, "?wpwd=1", sizeof(str)); + strlcat(str, "?fail=1", sizeof(str)); redirect(lbs, str); return FALSE; } @@ -18237,7 +18230,7 @@ BOOL check_password(LOGBOOK * lbs, char rsprintf(""); - if (isparam("wpwd")) + if (isparam("fail")) rsprintf("\n", loc("Wrong password")); rsprintf("
%s!
\n"); @@ -18515,31 +18508,8 @@ BOOL check_user_password(LOGBOOK * lbs, return FALSE; } - /* display error message for invalid user */ - if (isparam("iusr")) { - /* header */ - show_html_header(NULL, FALSE, "ELOG error", TRUE, FALSE); - - rsprintf("
\n"); - rsprintf(""); - sprintf(str, loc("User \"%s\" has no access to logbook \"%s\""), - getparam("iusr"), lbs->name); - rsprintf("\n", str); - - rsprintf("", loc("Login as different user")); - - rsprintf("", loc("Goto logbook selection page")); - - rsprintf("
%s
"); - rsprintf("%s
"); - rsprintf("%s
\n"); - rsprintf("
\n"); - - return FALSE; - } - if (!check_login_user(lbs, user)) { - sprintf(str, "?iusr=%s", user); + sprintf(str, "?fail=%s", user); redirect(lbs, str); return FALSE; @@ -18552,8 +18522,8 @@ BOOL check_user_password(LOGBOOK * lbs, return TRUE; } - if (!isparam("wpwd") && password[0]) { - redirect(lbs, "?wpwd=1"); + if (!isparam("fail") && password[0]) { + redirect(lbs, "?fail=1"); return FALSE; } @@ -18585,11 +18555,8 @@ BOOL check_user_password(LOGBOOK * lbs, rsprintf(""); - if (isparam("wpwd")) - rsprintf("\n", loc("Wrong password")); - - if (isparam("wusr")) { - sprintf(str, loc("Invalid user name \"%s\""), getparam("wusr")); + if (isparam("fail")) { + sprintf(str, loc("Invalid user name or password")); rsprintf("\n", str); } @@ -18640,7 +18607,7 @@ BOOL check_user_password(LOGBOOK * lbs, } else { if (status == 2) { - sprintf(str, "?wusr=%s", user); + sprintf(str, "?fail"); setparam("redir", str); /* remove remaining cookies */ @@ -19452,8 +19419,7 @@ void interprete(char *lbook, char *path) /* check if guest access */ if (!(getcfg(lbs->name, "Guest menu commands", str, sizeof(str)) - && *getparam("unm") == 0 && !isparam("wpwd") - && !isparam("wusr"))) { + && *getparam("unm") == 0 && !isparam("fail"))) { if (strcmp(path, css) != 0) { /* if no guest menu commands but self register, evaluate new user commands */ if (getcfg(lbs->name, "Self register", str, sizeof(str)) && atoi(str) > 0) { -- 1.1.3
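Review bot: The redirect URL still tells the two failures apart: an unknown user is sent to `?fail=<user name>` by `sprintf(str, "?fail=%s", user);` here, while a wrong password (next hunk) goes to `?fail=1`, so anyone who can see the Location header or the address bar can still learn whether the account exists, which is what the commit sets out to hide. Because the new error text in check_user_password no longer prints the name, the value is not needed; use the same constant for both cases, `redirect(lbs, "?fail=1");`, in place of the sprintf/redirect pair. That also removes an unbounded sprintf of a user-supplied name into `str` and keeps an unencoded name out of the query string. check_user_password starts before this hunk and continues after it; the removed iusr block presumably has no remaining setters, but I cannot confirm that from here.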
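Review bot: `sprintf(str, loc("Invalid user name or password"));` passes the translated text as the format string with no arguments; if loc() returns text from a language file, as its use elsewhere in the hunk suggests, any `%` in a translation becomes a format directive reading garbage off the stack. The old line had a `%s` and an argument, so the pattern was inherited, but nothing is substituted now: `strlcpy(str, loc("Invalid user name or password"), sizeof(str));` is the safe form, and strlcpy is already used in this file. check_user_password's body continues outside the hunk.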
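Review bot: `sprintf(str, "?fail");` stores the marker without a value, unlike the `?fail=1` used by the other paths, so code that looks for the `?fail=` spelling (retrieve_remote_md5, receive_pwdfile and the elog client in this same patch) will not recognise this redirect, and it is a third distinguishable URL shape. Use the same form as elsewhere: `strlcpy(str, "?fail=1", sizeof(str));`. The status == 2 branch is otherwise outside this hunk, so I cannot tell what the stored redir is later used for.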
%s!
%s!