Skip to content

Commit

Permalink
Return the same error message from /login when password is incorrec…
Browse files Browse the repository at this point in the history
…t and when account doesn't exist. (matrix-org#12738)
  • Loading branch information
Danieloni1 committed Jun 8, 2022
1 parent 234e064 commit d2794e5
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 2 deletions.
1 change: 1 addition & 0 deletions changelog.d/12738.misc
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Report login failures due to unknown third party identifiers in the same way as failures due to invalid passwords. This prevents an attacker from using the error response to determine if the identifier exists. Contributed by Daniel Aloni.
8 changes: 6 additions & 2 deletions synapse/handlers/auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,8 @@

logger = logging.getLogger(__name__)

INVALID_USERNAME_OR_PASSWORD = "Invalid username or password"


def convert_client_dict_legacy_fields_to_identifier(
submission: JsonDict,
Expand Down Expand Up @@ -1203,7 +1205,9 @@ async def validate_login(
await self._failed_login_attempts_ratelimiter.can_do_action(
None, (medium, address)
)
raise LoginError(403, "Invalid password", errcode=Codes.FORBIDDEN)
raise LoginError(
403, msg=INVALID_USERNAME_OR_PASSWORD, errcode=Codes.FORBIDDEN
)

identifier_dict = {"type": "m.id.user", "user": user_id}

Expand Down Expand Up @@ -1329,7 +1333,7 @@ async def _validate_userid_login(

# We raise a 403 here, but note that if we're doing user-interactive
# login, it turns all LoginErrors into a 401 anyway.
raise LoginError(403, "Invalid password", errcode=Codes.FORBIDDEN)
raise LoginError(403, msg=INVALID_USERNAME_OR_PASSWORD, errcode=Codes.FORBIDDEN)

async def check_password_provider_3pid(
self, medium: str, address: str, password: str
Expand Down

0 comments on commit d2794e5

Please sign in to comment.