[PATCH] privacy: don't tell users what is the reason for a failed login

Andrew Shadura andrew at shadura.me
Sat May 16 11:04:06 EDT 2015


# HG changeset patch
# User Andrew Shadura <andrew at shadura.me>
# Date 1431788631 -7200
#      Sat May 16 17:03:51 2015 +0200
# Node ID cb911e90e205bdb18fc2e2bd66549ea388d00413
# Parent  388a6eada55925cb55cd2368e47a6115d833b4c1
privacy: don't tell users what is the reason for a failed login

Makes it harder for strangers to probe the instance for the presence of
particular users. This can make it harder to break in, since the response
no longer reveals whether the user name or the password was wrong, so
brute-forcing should take somewhat longer if the attacker does not already
know which user names exist.

diff --git a/kallithea/model/validators.py b/kallithea/model/validators.py
--- a/kallithea/model/validators.py
+++ b/kallithea/model/validators.py
@@ -305,9 +305,7 @@ def ValidPasswordsMatch(passwd='new_pass
 def ValidAuth():
     class _validator(formencode.validators.FancyValidator):
         messages = {
-            'invalid_password': _(u'invalid password'),
-            'invalid_username': _(u'invalid user name'),
-            'disabled_account': _(u'Your account is disabled')
+            'invalid_auth': _(u'Invalid user name or password')
         }
 
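Review bot: Dropping the `invalid_password`, `invalid_username` and `disabled_account` keys from `messages` turns any remaining `M(self, 'invalid_password', state)`-style lookup elsewhere in validators.py or in the login tests into a runtime KeyError rather than something a linter catches, so those names are worth grepping for before this lands; I cannot see the rest of the file from this hunk. A short comment on the surviving key would also keep a later contributor from splitting it back into per-cause messages: `# one message on purpose: distinct texts let an attacker enumerate valid user names`. `messages` belongs to the inner `_validator` class, whose `validate_python` body continues past this hunk.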
         def validate_python(self, value, state):
@@ -325,16 +323,15 @@ def ValidAuth():
                 user = User.get_by_username(username)
                 if user and not user.active:
                     log.warning('user %s is disabled' % username)
-                    msg = M(self, 'disabled_account', state)
+                    msg = M(self, 'invalid_auth', state)
                     raise formencode.Invalid(msg, value, state,
-                        error_dict=dict(username=msg)
+                        error_dict=dict(username=' ',password=msg)
                     )
                 else:
                     log.warning('user %s failed to authenticate' % username)
-                    msg = M(self, 'invalid_username', state)
-                    msg2 = M(self, 'invalid_password', state)
+                    msg = M(self, 'invalid_auth', state)
                     raise formencode.Invalid(msg, value, state,
-                        error_dict=dict(username=msg, password=msg2)
+                        error_dict=dict(username=' ',password=msg)
                     )
     return _validator
 
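Review bot: The unified message only closes the response-text oracle; the disabled-account branch still returns after `User.get_by_username` without any password work, and an unknown user presumably never reaches password hashing in the authenticate call above this hunk, so response timing may still separate "no such user" from "wrong password" — if enumeration resistance is the goal, a dummy hash for unknown/disabled users in the caller is the usual complement, which cannot be confirmed from these lines. The `' '` passed as `username` in both new `error_dict`s is an unexplained sentinel; a comment such as `# ' ' marks the field as erroneous without repeating the message beside it` (or a named constant) would make the intent clear. `validate_python` starts before this hunk, in the previous one.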

