Fix for information leak in login logic.

Fix for information leak in login logic. No point telling people they have a valid username when the pass is wrong, etc.
author: eliott <eliott@cactuswax.net> 2008-02-18 05:37:49 +0100
committer: Simo Leone <simo@archlinux.org> 2008-02-19 00:55:28 +0100
commit: 4d9d5d39666addc2afbb61bb04b00dc1ed707ecc (patch)
tree: ddc134b03ab8c87737cd62862f01ffc9960031fb /web/lib
parent: aedf2ab6a390b62f1a0de8afe18a5aa53075b9ef (diff)
download: aur-4d9d5d39666addc2afbb61bb04b00dc1ed707ecc.tar.gz
aur-4d9d5d39666addc2afbb61bb04b00dc1ed707ecc.tar.xz
1 files changed, 2 insertions, 4 deletions
diff --git a/web/lib/aur.inc b/web/lib/aur.inc
index 234dca98..e7e8c494 100644
--- a/web/lib/aur.inc
+++ b/web/lib/aur.inc
@@ -356,13 +356,11 @@ function html_header($title="") {
 			$q.= "AND Passwd = '" . mysql_real_escape_string($_POST["pass"]) . "'";
 			$result = db_query($q, $dbh);
 			if (!$result) {
-				$login_error = __("Error looking up username, %s.",
-							array(htmlspecialchars($_POST["user"])));
+                $login_error = __("Login failure: Bad user or pass.");
 			} else {
 				$row = mysql_fetch_row($result);
 				if (empty($row)) {
-					$login_error = __("Incorrect password for username, %s.",
-							array(htmlspecialchars($_POST["user"])));
+				    $login_error = __("Login failure: Bad user or pass.");
 				} elseif ($row[1]) {
 					$login_error = __("Your account has been suspended.");
 				}
author	eliott <eliott@cactuswax.net>	2008-02-18 05:37:49 +0100
committer	Simo Leone <simo@archlinux.org>	2008-02-19 00:55:28 +0100
commit	4d9d5d39666addc2afbb61bb04b00dc1ed707ecc (patch)
tree	ddc134b03ab8c87737cd62862f01ffc9960031fb /web/lib
parent	aedf2ab6a390b62f1a0de8afe18a5aa53075b9ef (diff)
download	aur-4d9d5d39666addc2afbb61bb04b00dc1ed707ecc.tar.gz aur-4d9d5d39666addc2afbb61bb04b00dc1ed707ecc.tar.xz