box: unify errors about mismatch of password and login during auth
If we raise different errors in the case of entering an invalid password and entering the login of a non-existent user during authorization, it will open the door for an unauthorized person to enumerate users. So let's unify the raised errors in the cases described above.

Closes #tarantool/security#16

NO_DOC=security fix
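The leak the commit describes, shown side by side with the unified form, as an added example that is not Tarantool's code and not taken from src/box/authentication.cc. The user store, the `toy_hash` stand-in for a real password hash, the `AuthError` codes and the `leaks_user_existence` oracle are assumptions made for the demo. The dummy-hash comparison in the unknown-user branch is an extra caveat of the example (keeping response time similar for both branches); the commit itself only unifies the error.

```cpp
// Added example, not Tarantool's code: distinct auth errors leak which
// logins exist; one error for both cases closes that oracle.
#include <cstddef>
#include <functional>
#include <map>
#include <string>

// Stand-in for a real password hash (assumption: production code would use a
// salted KDF; std::hash only keeps the example self-contained).
static std::string toy_hash(const std::string &password) {
    return std::to_string(std::hash<std::string>{}(password));
}

// Compare without short-circuiting on the first differing byte, so the
// comparison time does not depend on where the strings differ.
static bool constant_time_equal(const std::string &a, const std::string &b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

// Hypothetical user store: login -> stored hash (constructed sample data).
static const std::map<std::string, std::string> &users() {
    static const std::map<std::string, std::string> db = {
        {"alice", toy_hash("correct horse battery staple")},
    };
    return db;
}

// Error codes as a client would observe them on the wire (assumed names).
enum class AuthError { Ok, NoSuchUser, WrongPassword, CredsMismatch };

// Before: two different errors. An attacker who sends any password learns
// whether a login exists from which error comes back.
AuthError authenticate_leaky(const std::string &login, const std::string &password) {
    auto it = users().find(login);
    if (it == users().end()) return AuthError::NoSuchUser;
    return constant_time_equal(it->second, toy_hash(password))
               ? AuthError::Ok : AuthError::WrongPassword;
}

// After: one error for both cases. The unknown-user branch still performs a
// hash comparison against a dummy hash so the two paths do similar work
// (timing caveat added by this example, beyond what the commit changes).
AuthError authenticate_unified(const std::string &login, const std::string &password) {
    static const std::string dummy_hash = toy_hash("");
    auto it = users().find(login);
    const std::string &stored = (it == users().end()) ? dummy_hash : it->second;
    bool match = constant_time_equal(stored, toy_hash(password));
    if (it == users().end() || !match) return AuthError::CredsMismatch;
    return AuthError::Ok;
}

// Enumeration oracle: true when two bogus-password attempts, one against a
// real login and one against a made-up login, yield different errors.
bool leaks_user_existence(AuthError (*auth)(const std::string &, const std::string &)) {
    return auth("alice", "wrong") != auth("nobody", "wrong");
}
```

The check a reviewer would run on a patch like this is the oracle above: for the leaky variant it returns true, for the unified one false. Note that unifying the error code is necessary but not sufficient if the two branches differ in work done; that is why the example still hashes and compares on the unknown-user path.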
Files changed:
- changelogs/unreleased/ghs_16_user_enumeration.md: 4 additions, 0 deletions
- src/box/applier.cc: 2 additions, 2 deletions
- src/box/authentication.cc: 9 additions, 2 deletions
- src/box/errcode.h: 1 addition, 1 deletion
- test/box-luatest/ghs_16_user_enumeration_test.lua: 33 additions, 0 deletions
- test/box/error.result: 1 addition, 1 deletion
- test/box/net.box_incorrect_iterator_gh-841.result: 1 addition, 1 deletion
- test/box/net.box_uri_first_arg_gh-398.result: 1 addition, 1 deletion