author | Benny Baumann <BenBE@geshi.org> | 2015-03-11 23:28:11 +0100 |
committer | Benny Baumann <BenBE@geshi.org> | 2015-03-11 23:28:11 +0100 |
commit | 0e14ede2f690be0df938ef2e98b974f60882612f (patch) | |
tree | 4fff8fe36e8c5e38cea43c61938fae45b0bbcc86 /www/index.php | |
parent | 85b24e6a28ed5cf2534a7d5a6039d5560c7f3dbf (diff) | |
bug 1341: Avoid a privacy issue leaking information if an account exists.bug-1341
Diffstat (limited to 'www/index.php')
-rw-r--r-- | www/index.php | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/www/index.php b/www/index.php
index 2247b68..8c5560c 100644
--- a/www/index.php
+++ b/www/index.php
@@ -241,10 +241,8 @@ require_once('../includes/notary.inc.php');
 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or `password`=password('$pword')) and `verified`=0 and `deleted`=0";
 $res = mysql_query($query);
- if(!$rateLimit) {
- $_SESSION['_config']['errmsg'] = _("You hit the login rate limit of 1 login per 5 seconds.");
- } else if(mysql_num_rows($res) <= 0) {
- $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
+ if(!$rateLimit || mysql_num_rows($res) <= 0) {
+ $_SESSION['_config']['errmsg'] = _("Login failed due to incorrect email address, wrong passphrase or because the rate limit of one login per 5 seconds was hit.");
 } else {
 $_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
 }
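Review bot: The merged condition `if(!$rateLimit || mysql_num_rows($res) <= 0)` is evaluated only after `mysql_query($query)` on the preceding context line has already run, so a rate-limited request still performs the full email/password lookup and only the message text changes; the limit therefore does not reduce the number of password comparisons an attacker can drive, and the response time may still differ between the rate-limited and the not-found case. Testing `$rateLimit` before building and executing the query, and running the lookup only when the request is not rate-limited, would make the limit effective rather than cosmetic. The query string interpolates `$email` and `$pword` directly; whether they are escaped earlier is outside the hunk and should be confirmed. The enclosing block, including where `$rateLimit` is computed, begins and ends outside the hunk.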