Add reason for not logging exception; correct invalid user error message

closes magento#2066; further details on issue page
davidalger · Nov 4, 2015 · 4c58ee1 · 4c58ee1
1 parent 2fc9834
commit 4c58ee1
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/app/code/Magento/Customer/Controller/Account/LoginPost.php b/app/code/Magento/Customer/Controller/Account/LoginPost.php
@@ -86,8 +86,7 @@ public function executeInternal()
                 } catch (EmailNotConfirmedException $e) {
                     $value = $this->customerUrl->getEmailConfirmationUrl($login['username']);
                     $message = __(
-                        'This account is not confirmed.' .
-                        ' <a href="%1">Click here</a> to resend confirmation email.',
+                        'This account is not confirmed. <a href="%1">Click here</a> to resend confirmation email.',
                         $value
                     );
                     $this->messageManager->addError($message);
@@ -97,7 +96,8 @@ public function executeInternal()
                     $this->messageManager->addError($message);
                     $this->session->setUsername($login['username']);
                 } catch (\Exception $e) {
-                    $this->messageManager->addError(__('Invalid login or password.'));
+                    // PA DSS violation: throwing or logging an exception here can disclose customer password
+                    $this->messageManager->addError(__('Unspecified error occured. Please contact us for assistence!'));
                 }
             } else {
                 $this->messageManager->addError(__('A login and a password are required.'));