Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Return the same error message from /login when password is incorrect and when account doesn't exist. #12738

Merged
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/12738.misc
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Report login failures due to unknown third party identifiers in the same way as failures due to invalid passwords. This prevents an attacker from using the error response to determine if the identifier exists. Contributed by Daniel Aloni.
5 changes: 3 additions & 2 deletions synapse/handlers/auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,7 @@

logger = logging.getLogger(__name__)

INVALID_USERNAME_OR_PASSWORD = "Invalid username or password"

def convert_client_dict_legacy_fields_to_identifier(
submission: JsonDict,
Expand Down Expand Up @@ -1204,7 +1205,7 @@ async def validate_login(
await self._failed_login_attempts_ratelimiter.can_do_action(
None, (medium, address)
)
raise LoginError(403, "", errcode=Codes.FORBIDDEN)
raise LoginError(403, msg=INVALID_USERNAME_OR_PASSWORD, errcode=Codes.FORBIDDEN)

identifier_dict = {"type": "m.id.user", "user": user_id}

Expand Down Expand Up @@ -1330,7 +1331,7 @@ async def _validate_userid_login(

# We raise a 403 here, but note that if we're doing user-interactive
# login, it turns all LoginErrors into a 401 anyway.
Danieloni1 marked this conversation as resolved.
Show resolved Hide resolved
raise LoginError(403, "Invalid password", errcode=Codes.FORBIDDEN)
raise LoginError(403, msg=INVALID_USERNAME_OR_PASSWORD, errcode=Codes.FORBIDDEN)

async def check_password_provider_3pid(
self, medium: str, address: str, password: str
Expand Down