trying to login with incorrect password leads to an empty page #420
Comments
Thanks for the bug report -> it's an issue with dovecot getting an empty password and how we deal with that. Is there anything else in the error_log?
Not sure if that's what you mean, but that wasn't me trying to login with an empty password.
This is the tail of the log. Before that it repeats the password error a bunch of times because I tried multiple times.
See also 5827a12 - which should require the password is not empty.
Do either of those fix things for you? Thanks for the quick response.
72ded84 partly fixes this. Some observations:
error log for the last case:
OK. That's from calling "pacrypt('abc', 'def')" which happens in an attempt to try and make all login branches take a similar time to make it harder for an attacker to evaluate whether accounts exist on the system or not. 8b1adbc might fix this.
Hm, that'll be because we destroy the session, so whatever flash_error stored was lost. Should be fixed with 24eb45b
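The equal-time login branch described in the comment above, combined with the non-empty password requirement mentioned for 5827a12, as an added example that is not PostfixAdmin's code. `check_login()`, `time_login()`, `DUMMY_HASH` and the account data are hypothetical, and PHP's built-in `password_hash()`/`password_verify()` stand in for `pacrypt()`.

```php
<?php
// Added example, not PostfixAdmin code. check_login(), time_login() and
// DUMMY_HASH are hypothetical names; the account data is constructed.

// Well-formed hash of a random throwaway value: the unknown-user branch
// then performs the same verification work as a real account.
define('DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT));

function check_login(array $accounts, string $username, string $password): bool
{
    // Reject an empty password before it reaches the hashing backend.
    // This check does not depend on the username, so it reveals nothing
    // about which accounts exist.
    if ($password === '') {
        return false;
    }
    $known = array_key_exists($username, $accounts);
    $hash  = $known ? $accounts[$username] : DUMMY_HASH;

    // Exactly one verification per attempt, whether or not the user exists.
    $matches = password_verify($password, $hash);

    return $known && $matches;
}

// Wall-clock time of one attempt in milliseconds (hrtime needs PHP >= 7.3).
function time_login(array $accounts, string $username, string $password): array
{
    $start  = hrtime(true);
    $result = check_login($accounts, $username, $password);
    return [$result, (hrtime(true) - $start) / 1e6];
}

// Constructed sample data.
$accounts = ['alice@example.org' => password_hash('correct horse', PASSWORD_DEFAULT)];
$attempts = [
    ['alice@example.org',  'correct horse'],  // valid login
    ['alice@example.org',  'wrong'],          // known user, bad password
    ['nobody@example.org', 'wrong'],          // unknown user
    ['alice@example.org',  ''],               // empty password
];
foreach ($attempts as [$user, $pass]) {
    [$ok, $ms] = time_login($accounts, $user, $pass);
    printf("%-20s pw=%-16s ok=%-5s %.1f ms\n", $user, var_export($pass, true),
        var_export($ok, true), $ms);
}
```

The known-user and unknown-user attempts with a wrong password should take about the same time, which is the property the dummy verification is there to provide.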
I believe this is fixed with 3.3.3.
When trying to login with an empty password, an internal error is thrown and logged, but the user just lands on an empty page:
dovecot version:
2.3.13
postfixadmin:
3.3.1
Logging in with the correct passwords still works.