[PATCH] privacy: don't tell users what is the reason for a failed login
Mads Kiilerich
mads at kiilerich.com
Tue May 19 11:15:30 EDT 2015
On 05/16/2015 05:04 PM, Andrew Shadura wrote:
> # HG changeset patch
> # User Andrew Shadura <andrew at shadura.me>
> # Date 1431788631 -7200
> # Sat May 16 17:03:51 2015 +0200
> # Node ID cb911e90e205bdb18fc2e2bd66549ea388d00413
> # Parent 388a6eada55925cb55cd2368e47a6115d833b4c1
> privacy: don't tell users what is the reason for a failed login
I think the current implementation is wrong when it does any kind of
login verification in the user-friendly form code. The authentication
should be done explicitly in the controller. (That would also make the
email login simpler.)
So while this patch makes it less wrong, I still think it is a bit
pointless.
/Mads
> Makes it harder for strangers to probe the instance for the presence of
> certain users. This can make it harder to break in, as it is now
> harder to tell if the username or the password is wrong, so bruteforcing
> should probably take a bit longer if you don't know exactly what you
> are doing.
>
> diff --git a/kallithea/model/validators.py b/kallithea/model/validators.py
> --- a/kallithea/model/validators.py
> +++ b/kallithea/model/validators.py
> @@ -305,9 +305,7 @@ def ValidPasswordsMatch(passwd='new_pass
> def ValidAuth():
> class _validator(formencode.validators.FancyValidator):
> messages = {
> - 'invalid_password': _(u'invalid password'),
> - 'invalid_username': _(u'invalid user name'),
> - 'disabled_account': _(u'Your account is disabled')
> + 'invalid_auth': _(u'Invalid user name or password')
> }
>
> def validate_python(self, value, state):
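Review bot: the three removed message keys ('invalid_password', 'invalid_username', 'disabled_account') may still be referenced by other callers of M() or by tests; please grep for them before landing, since a stale key would surface as a missing-message error only at request time. It would also help to keep a one-line comment above 'invalid_auth' explaining that the single wording is deliberate, so a later contributor does not "helpfully" split it back into specific messages.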
> @@ -325,16 +323,15 @@ def ValidAuth():
> user = User.get_by_username(username)
> if user and not user.active:
> log.warning('user %s is disabled' % username)
> - msg = M(self, 'disabled_account', state)
> + msg = M(self, 'invalid_auth', state)
> raise formencode.Invalid(msg, value, state,
> - error_dict=dict(username=msg)
> + error_dict=dict(username=' ',password=msg)
> )
> else:
> log.warning('user %s failed to authenticate' % username)
> - msg = M(self, 'invalid_username', state)
> - msg2 = M(self, 'invalid_password', state)
> + msg = M(self, 'invalid_auth', state)
> raise formencode.Invalid(msg, value, state,
> - error_dict=dict(username=msg, password=msg2)
> + error_dict=dict(username=' ',password=msg)
> )
> return _validator
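Review bot: the two `raise formencode.Invalid(...)` calls are now identical apart from the preceding log.warning, so they could be collapsed into one raise after the if/else that only selects the log message, which keeps the uniform response in a single place. Minor style points: `dict(username=' ',password=msg)` is missing the space after the comma, and the `' '` placeholder for the username field deserves a short comment stating that it marks the field as invalid in the form without displaying any text. The distinct server-side log lines ('is disabled' vs 'failed to authenticate') are fine to keep, since they are not visible to the client.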
>
> _______________________________________________
> kallithea-general mailing list
> kallithea-general at sfconservancy.org
> http://lists.sfconservancy.org/mailman/listinfo/kallithea-general
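The pattern the commit message describes, a single failure message for an unknown user name, a wrong password and a disabled account, with the specific reason written only to the server log, as an added example that is not part of the thread and not Kallithea's own code. It goes one step beyond the patch by also doing the same password-hash computation on every failure path, so the unknown-user case does not return measurably faster than the wrong-password case. The user store, user names, passwords and the `authenticate` / `form_errors` functions are all constructed for this example.

```python
import hashlib
import hmac
import logging
import os
from typing import Dict, Optional, Tuple

log = logging.getLogger("login")

# Single message for every failure: the response reveals nothing about
# whether the user name exists or whether the account is disabled.
INVALID_AUTH = "Invalid user name or password"


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is arbitrary for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _make_user(password: str, active: bool = True) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt), "active": active}


# Constructed in-memory user store (hypothetical data for illustration only).
USERS = {
    "alice": _make_user("correct horse battery staple"),
    "bob": _make_user("hunter2", active=False),
}

# Dummy record used when the user does not exist, so that the unknown-user
# path performs the same PBKDF2 work as the wrong-password path.
_DUMMY_USER = _make_user("dummy")


def authenticate(username: str, password: str) -> Tuple[bool, Optional[str]]:
    """Return (True, None) on success and (False, INVALID_AUTH) on any failure.

    The specific failure reason is only written to the server log."""
    user = USERS.get(username)
    record = user if user is not None else _DUMMY_USER

    # Always hash and compare, even when the user is unknown or disabled,
    # so that every failure path costs roughly the same time.
    candidate = _hash_password(password, record["salt"])
    password_ok = hmac.compare_digest(candidate, record["pw_hash"])

    if user is None:
        log.warning("user %s does not exist", username)
        return False, INVALID_AUTH
    if not user["active"]:
        log.warning("user %s is disabled", username)
        return False, INVALID_AUTH
    if not password_ok:
        log.warning("user %s failed to authenticate", username)
        return False, INVALID_AUTH
    return True, None


def form_errors(username: str, password: str) -> Dict[str, str]:
    """Map a failed login to per-field form errors the way the patch does:
    both fields are flagged, but the text is shown only under the password."""
    ok, msg = authenticate(username, password)
    if ok:
        return {}
    return {"username": " ", "password": msg}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, pw in [("alice", "wrong"), ("nobody", "x"), ("bob", "hunter2")]:
        print(name, "->", form_errors(name, pw))
```

Running the block prints the same form error for all three failing logins while the log shows three different warnings, which is exactly the split the patch aims for: detail for the operator, nothing for the client.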