if (list($uid, $password) = $res->fetchOneRow()) {
require_once 'secure_hash.inc.php';
$expected_response = hash_encrypt("$uname:$password:" . S::v('challenge'));
- if ($response != $expected_response) {
+ if ($response != $expected_response && Env::has('xorpass')
+ && !preg_match('/^0*$/', Env::v('xorpass'))) {
$new_password = hash_xor(Env::v('xorpass'), $password);
$expected_response = hash_encrypt("$uname:$new_password:" . S::v('challenge'));
if ($response == $expected_response) {
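Review bot: The rewritten condition on the added line still compares the client response with `!=`, and the context line `if ($response == $expected_response) {` uses `==`; PHP's loose comparison treats two numeric-looking strings (for example digests of the form `0e` followed only by digits) as equal numbers, and it is not constant-time. Assuming hash_encrypt returns a hex digest string, I would write the test as `if (!hash_equals($expected_response, (string) $response) && Env::has('xorpass')` where the PHP version in use provides hash_equals, or at minimum switch both comparisons to `!==` / `===`. Env::v('xorpass') also reaches hash_xor after only the all-zero test, so a length and hex-format check before the call would be worth adding; hash_xor is not visible here, so confirm how it handles malformed input. The enclosing `if` blocks open in this hunk and close outside it.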
document.forms.loginsub.challenge.value;
document.forms.loginsub.response.value = hash_encrypt(str);
- document.forms.loginsub.xorpass.value = hash_xor(new_pass, old_pass);
+ if (new_pass != old_pass) {
+ document.forms.loginsub.xorpass.value = hash_xor(new_pass, old_pass);
+ }
document.forms.loginsub.username.value = document.forms.login.username.value;
document.forms.loginsub.remember.value = document.forms.login.remember.checked;
document.forms.loginsub.domain.value = document.forms.login.domain.value;