From a5710a0bf20cdd512de2b59fcdcb0ca8d6b90496 Mon Sep 17 00:00:00 2001
From: Brian Wolff
Date: Mon, 13 Nov 2017 16:02:50 +0000
Subject: [PATCH] SECURITY: Do not reveal if user exists during login failure

This is meant for private wikis where the list of users may be secret. It is only meant to prevent trivial enumeration of usernames. It is not designed to prevent enumeration via timing attacks.

Bug: T134100
Change-Id: I7afaa955a4b393ef00b11e420709bd62b84fbc71
---
 includes/auth/LocalPasswordPrimaryAuthenticationProvider.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
index fd36887..0e22d96 100644
--- a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
+++ b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
@@ -96,7 +96,10 @@ class LocalPasswordPrimaryAuthenticationProvider
  __METHOD__
  );
  if ( !$row ) {
- return AuthenticationResponse::newAbstain();
+ // Do not reveal whether its bad username or
+ // bad password to prevent username enumeration
+ // on private wikis. (T134100)
+ return $this->failResponse( $req );
  }
 
  $oldRow = clone $row;
-- 
1.9.5 (Apple Git-50.3)
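Review bot: The new early return in the `!$row` branch still answers an unknown username without running the password verification that presumably follows later in the method, so the two failure paths remain distinguishable by response time; the commit message scopes that out deliberately, but the inline comment should carry the same caveat so a later reader does not assume the enumeration protection is complete, e.g. add `// Note: response timing is not equalised; the password check below is skipped for unknown users.` after the existing comment. Whether this branch now yields FAIL or ABSTAIN is decided inside `failResponse()`, defined in the parent class outside this hunk — assuming it honours the provider's `authoritative` setting, a non-authoritative local provider still abstains and lets other primary providers run, which is worth stating in the comment as well. Minor wording in the first added comment line: `its` should be `it's`. The enclosing method begins and ends outside this hunk.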