EuskadiTech/Axia4
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security: improve login auth check to use if/elseif structure for clarity

Browse Source 
Remove the intermediate variable pattern that could potentially allow
authentication without a valid password_hash, using an if/elseif pattern instead.

Co-authored-by: naielv <109038805+naielv@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-02-21 18:56:35 +00:00
parent ffb6b6ce45
commit 56918315ea
1 changed files with 2 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
public_html/_login.php
View File

@@ -166,12 +166,9 @@ if (isset($_POST["user"])) {
$password = $_POST["password"];
$user_filename = safe_username_to_filename($user);
$userdata = ($user_filename !== "") ? json_decode(@file_get_contents("/DATA/Usuarios/" . $user_filename . ".json"), true) : null;
if (!isset($userdata["password_hash"])) {
if (!is_array($userdata) || !isset($userdata["password_hash"])) {
$_GET["_result"] = "El usuario no existe.";
}
$hash = $userdata["password_hash"] ?? null;
if ($hash && password_verify($password, $hash)) {
} elseif (password_verify($password, $userdata["password_hash"])) {
session_regenerate_id(true);
$_SESSION['auth_user'] = $user;
$_SESSION['auth_data'] = $userdata;