diff options
| author | Andreas Gohr <andi@splitbrain.org> | 2014-09-26 10:36:05 +0200 |
|---|---|---|
| committer | Andreas Gohr <andi@splitbrain.org> | 2014-09-26 10:36:05 +0200 |
| commit | 5e9e1054045318cfb23f64db7be36a677dc9481a (patch) | |
| tree | 307f63ca6a0c490c71180cf97df90c0597f146b5 /inc | |
| parent | 395c2f0ff3e87977ea2573587a11f4ef294433f2 (diff) | |
| download | rpg-5e9e1054045318cfb23f64db7be36a677dc9481a.tar.gz rpg-5e9e1054045318cfb23f64db7be36a677dc9481a.tar.bz2 | |
do not allow empty passwords
When a username but no password is submitted, the login is denied right
away instead of relying on the backend to refuse the login.
Diffstat (limited to 'inc')
| -rw-r--r-- | inc/auth.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/inc/auth.php b/inc/auth.php index 7477ae7ef..037f7e78f 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -229,7 +229,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) { if(!empty($user)) { //usual login - if($auth->checkPass($user, $pass)) { + if(!empty($pass) && $auth->checkPass($user, $pass)) { // make logininfo globally available $INPUT->server->set('REMOTE_USER', $user); $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session |