The TemplateLogin LoginManager doesn't return the error code from the underlying PasswordManager when the user is denied login. Here is a patch that changes the banner to the error returned from the PasswordManager, if there is one. Otherwise it falls back to the normal "Invalid user/password".
This could be considered a security leak if the underlying PasswordManager doesn't keep its error messages generic where appropriate.
Specifically, I use it with my custom PasswordManager to tell the user they need to register if the LoginName -> WikiName conversion fails.
--- lib/TWiki/Client/TemplateLogin.pm 2007-03-03 06:45:57.000000000 -0800
+++ lib/TWiki/Client/TemplateLogin.pm 2007-03-23 15:20:13.000000000 -0700
@@ -129,6 +129,7 @@
if( $loginName ) {
my $passwordHandler = $twiki->{users}->{passwords};
my $validation = $passwordHandler->checkPassword( $loginName, $loginPass );
+ my $error = $passwordHandler->error();
if( $validation ) {
$this->userLoggedIn( $loginName );
@@ -139,6 +140,8 @@
# Redirect with passthrough
$twikiSession->redirect($origurl, 1 );
return;
+ } elsif ($error) {
+ $banner = $error;
} else {
$banner = $twiki->{templates}->expandTemplate('UNRECOGNISED_USER');
}
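Review bot: The added `elsif ($error)` branch copies the password manager's message into `$banner` verbatim, and nothing visible in this hunk entity-encodes it before it reaches the login page. If a password manager builds that message from the submitted login name or from backend output, the text would presumably be rendered as markup on a page served to unauthenticated users. Encoding at the assignment covers every password manager by default: `$banner = TWiki::entityEncode( $error );`. The later revision of this patch has the same gap where it passes `ERROR=>$error` to `pushPreferenceValues` and the three templates expand `%ERROR%`; the equivalent there is `ERROR=>TWiki::entityEncode( $error )`. The enclosing `if( $loginName )` block starts in the previous hunk and continues past this one.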
Index: twikiplugins/PatternSkin/templates/login.pattern.tmpl
===================================================================
--- twikiplugins/PatternSkin/templates/login.pattern.tmpl (revision 13247)
+++ twikiplugins/PatternSkin/templates/login.pattern.tmpl (working copy)
@@ -87,6 +87,7 @@
%TMPL:P{"passwordstep"}%
<div class="twikiFormStep twikiLast">
<input class="twikiSubmit" type="submit" value='%MAKETEXT{"Logon"}%' tabindex="3" />
+%IF{"$ERROR != ''" then="%BR% _Error: %ERROR%_"}%
</div><!-- /twikiFormStep-->
</div><!-- /twikiFormSteps-->
<literal>
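Review bot: The `Error:` label in the added `%IF` line is a hard-coded English string, while the submit button directly above it goes through `%MAKETEXT{"Logon"}%`. On a translated site the login form would then mix languages; wrapping the label the same way, `%MAKETEXT{"Error:"}%`, keeps it consistent with the rest of this skin. The classic and default templates changed further down do not use MAKETEXT for their button, so this applies to the pattern skin only.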
@@ -94,7 +95,6 @@
</literal>
<input type="hidden" name="origurl" value="%ORIGURL%" />
</form>
-
%TMPL:P{"seealsonote"}%
</div><!-- /twikiLogin-->
</div><!-- /patternTopic-->%TMPL:END%
Index: twikiplugins/ClassicSkin/templates/login.classic.tmpl
===================================================================
--- twikiplugins/ClassicSkin/templates/login.classic.tmpl (revision 13247)
+++ twikiplugins/ClassicSkin/templates/login.classic.tmpl (working copy)
@@ -31,6 +31,7 @@
</literal>
<input type="hidden" name="origurl" value="%ORIGURL%" />
<input type='submit' value='Logon' />
+%IF{"$ERROR != ''" then="%BR% _Error: %ERROR%_"}%
</form>
<p />
%TMPL:END%
Index: templates/login.tmpl
===================================================================
--- templates/login.tmpl (revision 13247)
+++ templates/login.tmpl (working copy)
@@ -24,6 +24,7 @@
</literal>
<input type="hidden" name="origurl" value="%ORIGURL%" />
<input type='submit' value='Logon' />
+%IF{"$ERROR != ''" then="%BR% _Error: %ERROR%_"}%
</form>
<p />
%TMPL:P{"topicinfo"}%
Index: lib/TWiki/Client/TemplateLogin.pm
===================================================================
--- lib/TWiki/Client/TemplateLogin.pm (revision 13247)
+++ lib/TWiki/Client/TemplateLogin.pm (working copy)
@@ -135,9 +135,12 @@
$note = $twiki->{templates}->expandTemplate( 'NEW_USER_NOTE' );
}
+ my $error = '';
+
if( $loginName ) {
my $passwordHandler = $twiki->{users}->{passwords};
my $validation = $passwordHandler->checkPassword( $loginName, $loginPass );
+ $error = $passwordHandler->error();
if( $validation ) {
$this->userLoggedIn( $loginName );
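Review bot: `$error` is initialised to `''`, but the added `$error = $passwordHandler->error();` can replace it with `undef`, because the Password.pm hunks in this patch reset `$this->{error}` to `undef` and `error()` now returns that field. The value is later handed to `pushPreferenceValues` and tested in the templates with `$ERROR != ''`; how an undefined preference value behaves there is not visible from this patch. Keeping the string defined avoids the question: `$error = $passwordHandler->error() || '';`. The `if( $loginName )` block continues outside the hunk.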
@@ -156,9 +159,11 @@
# TODO: add JavaScript password encryption in the template
# to use a template)
$origurl ||= '';
- $tmpl =~ s/%ORIGURL%/$origurl/g;
- $tmpl =~ s/%BANNER%/$banner/g;
- $tmpl =~ s/%NOTE%/$note/g;
+# $tmpl =~ s/%ORIGURL%/$origurl/g;
+# $tmpl =~ s/%BANNER%/$banner/g;
+# $tmpl =~ s/%NOTE%/$note/g;
+# $tmpl =~ s/%ERROR%/$error/g;
+ $twiki->{prefs}->pushPreferenceValues('SESSION', {ORIGURL=>$origurl, BANNER=>$banner, NOTE=>$note, ERROR=>$error});
$tmpl = $twiki->handleCommonTags( $tmpl, $web, $topic );
$tmpl = $twiki->{renderer}->getRenderedVersion( $tmpl, '' );
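Review bot: The four `s/%…%/…/g` substitutions are left in the file as commented-out lines instead of being deleted, and the `%ERROR%` one is new in this patch and was never live code. Dead code beside the `pushPreferenceValues` call leaves it unclear which mechanism fills the template. Deleting the four `#` lines and adding one short comment above the call would read better, for example `# ORIGURL, BANNER, NOTE and ERROR are set as SESSION preferences and expanded by handleCommonTags`. The enclosing sub starts and ends outside the hunk.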
Index: lib/TWiki/Users/HtPasswdUser.pm
===================================================================
--- lib/TWiki/Users/HtPasswdUser.pm (revision 13247)
+++ lib/TWiki/Users/HtPasswdUser.pm (working copy)
@@ -237,12 +237,6 @@
return 0;
}
-sub error {
- my $this = shift;
-
- return $this->{error};
-}
-
sub getEmails {
my( $this, $user ) = @_;
Index: lib/TWiki/Users/Password.pm
===================================================================
--- lib/TWiki/Users/Password.pm (revision 13247)
+++ lib/TWiki/Users/Password.pm (working copy)
@@ -47,6 +47,7 @@
my( $class, $session ) = @_;
my $this = bless( {}, $class );
+ $this->{error} = undef;
$this->{session} = $session;
return $this;
}
@@ -93,6 +94,8 @@
=cut
sub checkPassword {
+ my $this = shift;
+ $this->{error} = undef;
return 1;
}
@@ -107,6 +110,8 @@
=cut
sub deleteUser {
+ my $this = shift;
+ $this->{error} = undef;
return 1;
}
@@ -165,7 +170,9 @@
=cut
sub error {
- return '';
+ my $this = shift;
+
+ return $this->{error};
}
=pod
--
TWiki:Main.SvenDowideit
- 26 Mar 2007
This seems a useful feature.
--
TWiki:Main.ArthurClemens
- 03 Apr 2007
committed -- SD
Changed to Minor so it gets in the release note
--
TWiki:Main.KennethLavrsen
- 28 Apr 2007