changeset 1890:41f50553dc70

Don't disclose whether a login failed because of a wrong password or a wrong user name (thanks to Davide Del Vecchio for reporting and testing)
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sun, 18 Mar 2007 00:03:18 +0100
parents 1405a38ae848
children 76040d9ab344
files MoinMoin/action/login.py
diffstat 1 files changed, 5 insertions(+), 3 deletions(-) [+]
--- a/MoinMoin/action/login.py	Sat Mar 17 23:34:40 2007 +0100
+++ b/MoinMoin/action/login.py	Sun Mar 18 00:03:18 2007 +0100
@@ -42,10 +42,12 @@
 Name may contain any Unicode alpha numeric character, with optional one
 space between words. Group page name is not allowed.""") % name
 
+            # we do NOT check this, we don't want to disclose whether a user
+            # exists or not to not help an attacker.
             # Check that user exists
-            elif not user.getUserId(request, name):
-                error = _('Unknown user name: {{{"%s"}}}. Please enter'
-                             ' user name and password.') % name
+            #elif not user.getUserId(request, name):
+            #    error = _('Unknown user name: {{{"%s"}}}. Please enter'
+            #                 ' user name and password.') % name
 
             # Require password
             else:
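Review bot: The disabled branch is left as commented-out code beneath the now-stale `# Check that user exists` header, which reads as a check that merely happens to be off and invites someone to re-enable it; delete the three commented `#elif`/`#error` lines and that header, keeping a single comment such as `# Deliberately no user-existence check: a distinct "unknown user" error would let an attacker enumerate valid account names.` Dropping the message closes the obvious oracle, but the password-validation branch introduced by the trailing `else:` runs past the end of the hunk, so it is not visible whether its failure text is equally generic for a nonexistent user and a wrong password; both must produce the same wording. If that branch only performs the expensive password comparison when the user record exists, the two cases presumably remain distinguishable by response time, so consider running the same work on a dummy record for unknown names. The enclosing function starts before and ends after this hunk.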