"Username does not exist" warning

PantsManUK

  • PantsManUK would dearly love to dump SMF 1.X at this juncture...
  • Posts: 174
Re: "Username does not exist" warning
« Reply #15, on March 23rd, 2012, 03:13 PM »
Personally, I would want the security; don't divulge any information at login other than "one or both of the things you entered is wrong". The forgotten login details process can (and would) be more specific, and would necessarily "leak" if an email address is associated with an account on the forum.
« What is this thing you hoomans call "Facebook"? »
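As an added example (not code from this thread, nor from Wedge or SMF), here is the login behaviour PantsManUK argues for: one message whichever field was wrong, with the unknown-user path doing the same hash work as the wrong-password path so the response does not differ in timing either. The user store, message text and function name are constructed for the example.

```php
<?php
// Added example, not Wedge/SMF code. Demonstrates a login check that never
// says which of username/password was wrong and costs the same on both paths.
declare(strict_types=1);

// Single failure message shared by both failure cases.
const LOGIN_FAILED = 'The username or password you entered is incorrect.';

// Constructed sample store: username => password_hash() output.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Hash of a random secret nobody knows. Verifying against it when the
// username is unknown makes that path take as long as a real verification.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

function attemptLogin(array $users, string $dummyHash, string $username, string $password): array
{
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : $dummyHash;

    // password_verify runs first on purpose: checking $known first would
    // short-circuit and make the unknown-user path measurably faster.
    $ok = password_verify($password, $hash) && $known;

    if (!$ok) {
        // Identical response whether the user does not exist or the password is wrong.
        return ['ok' => false, 'error' => LOGIN_FAILED];
    }
    return ['ok' => true, 'user' => $username];
}

// Wrong username and wrong password produce byte-for-byte the same response.
var_dump(attemptLogin($users, $dummyHash, 'nobody', 'x')
      === attemptLogin($users, $dummyHash, 'alice', 'wrong'));
// A correct pair succeeds.
var_dump(attemptLogin($users, $dummyHash, 'alice', 'correct horse battery staple')['ok']);
```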

Nao

  • Dadman with a boy
  • Posts: 16,063
Re:
« Reply #16, on March 23rd, 2012, 03:53 PM »
Quote from Arantor on March 23rd, 2012, 02:35 PM
I don't recall SMF adding slashes there...
Make sure to check Post.php out when you have some time to look into rev 1503 ;)
SMF does it in two passes: htmlspecialchars, then addcslashes.
Wedge retains the addcslashes. I also forgot to mention that in the situation where you're editing a draft, it will then reset the subject (protection-free?) after the addcslashes (now str_replace). It's at Post.php:1024 if you're interested. It also does an un_htmlspecialchars on the message body... The code block also has a //!! in it, so I suspect you stopped working on it in the middle.

Oh, and another bug: if a topic is moved (not deleted!) while writing a draft, the draft only offers to create a new topic.

oOo--STAR--oOo

  • @Arantor Our greatest weakness lies in giving up. The most certain way to succeed is always to try just one more time
  • Posts: 43
Re: "Username does not exist" warning
« Reply #17, on March 23rd, 2012, 04:45 PM »
Nice project. I would love to see the outcome of this.
I think user feedback is great for those who rarely use a computer.

So I think they should be prompted if the username is invalid.
I think it really does depend on the type of website and user base.
It wouldn't hurt to allow the user using Wedge to choose how he wishes to notify incorrect logins.

I would love to get involved with this sometime ;) I am full of ideas and creations XD

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re:
« Reply #18, on March 23rd, 2012, 04:50 PM »
Quote
Make sure to check Post.php out when you have some time to look into rev 1503
I will do that. I really don't remember it adding slashes. The reason I'm so surprised by it is that when I wrote SimpleDesk, I went over the process very thoroughly and I never added slashes myself.
Quote
I also forgot to mention that in the situation where you're editing a draft, it will then reset the subject (protection-free?) after the addcslashes (now str_replace).
That's sort of how I implemented it. The drafts don't need to have the same level of protection that normal posts do, just enough to prevent XSS injections.
Quote
Oh, and another bug: if a topic is moved (not deleted!) while writing a draft, the draft only offers to create a new topic.
That's a bug. It should still pick up on the topic, even if it's in a different board. Missing board, on the other hand, is known to cause problems at the present time.
Quote
It wouldn't hurt to allow the user using Wedge to choose how he wishes to notify incorrect logins.
Interesting approach.
Quote
I would love to get involved with this sometime ;) I am full of ideas and creations XD
Please do share your ideas in the forum here. I can't promise we'll implement them, but we'll certainly read and consider them.
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial

Nao

  • Dadman with a boy
  • Posts: 16,063
Re:
« Reply #19, on March 23rd, 2012, 05:16 PM »
Quote from Arantor on March 23rd, 2012, 04:50 PM
Quote
Make sure to check Post.php out when you have some time to look into rev 1503
I will do that. I really don't remember it adding slashes.
No, you didn't. That's the point. The draft code doesn't do it, when I think it should turn quotes to their entity equivalent (quot). As for the addcslashes() call, it was added by SMF, not by you. We just never noticed the bug because we don't often have double quotes in topic titles, and the error only shows up when replying.
Quote
That's sort of how I implemented it. The drafts don't need to have the same level of protection that normal posts do, just enough to prevent XSS injections.
But they'll still show double quotes in the subject... Unless you already protected them at auto-save time?
Quote
Quote
Oh, and another bug: if a topic is moved (not deleted!) while writing a draft, the draft only offers to create a new topic.
That's a bug. It should still pick up on the topic, even if it's in a different board. Missing board, on the other hand, is known to cause problems at the present time.
Will you think of fixing this, too?

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re:
« Reply #20, on March 24th, 2012, 06:23 PM »
The draft code should at least preparse, though, right? As far as I remember, it should htmlspecialchars and preparsecode, like the post code flow, which would handle the quot conversion.

I will, once I get everything set up, investigate this thoroughly - but I still don't remember even SMF doing addslashes anywhere, because there is absolutely no reason for it to do so.

Nao

  • Dadman with a boy
  • Posts: 16,063
Re:
« Reply #21, on March 24th, 2012, 06:35 PM »
Quote from Arantor on March 24th, 2012, 06:23 PM
The draft code should at least preparse, though, right?
I don't know. I guess then that it would need to be un_htmlspecialchar'ed or something when retrieved from the DB...?
Quote
I will, once I get everything set up, investigate this thoroughly - but I still don't remember even SMF doing addslashes anywhere, because there is absolutely no reason for it to do so.
Just look at the latest commits that removed it ;)