author | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2016-06-11 15:34:43 +0200 |
---|---|---|
committer | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2016-06-11 15:34:43 +0200 |
commit | 42c66efea5ef512d3a3442112f820168e6499265 (patch) | |
tree | 97ef44632d653656608e71e096fd537bbd609936 /core/Controller | |
parent | 75f37f550bb7895757325d3f9a3215bcc4471065 (diff) | |
parent | 52a0c939ab8674857bbfe9a9fb0ee7308eee960e (diff) | |
Merge branch 'master' of https://github.com/owncloud/core into downstream-160611
Diffstat (limited to 'core/Controller')
-rw-r--r-- | core/Controller/LoginController.php | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
index c64f58ae2cc..7806e1de904 100644
--- a/core/Controller/LoginController.php
+++ b/core/Controller/LoginController.php
@@ -171,6 +171,7 @@ class LoginController extends Controller {
 * @return RedirectResponse
 */
 public function tryLogin($user, $password, $redirect_url) {
+ $originalUser = $user;
 // TODO: Add all the insane error handling
 /* @var $loginResult IUser */
 $loginResult = $this->userManager->checkPassword($user, $password);
@@ -186,8 +187,8 @@ class LoginController extends Controller {
 $this->session->set('loginMessages', [
 ['invalidpassword']
 ]);
-// Read current user and append if possible
-$args = !is_null($user) ? ['user' => $user] : [];
+ // Read current user and append if possible - we need to return the unmodified user otherwise we will leak the login name
+ $args = !is_null($user) ? ['user' => $originalUser] : [];
 return new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args));
 }
 // TODO: remove password checks from above and let the user session handle failures |
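Review bot: In the second hunk the null check still reads `$user` while the value placed in the redirect comes from `$originalUser`. The new comment implies `$user` can be rewritten between the two hunks (that code is outside the visible lines, so this is inferred), so both sides of the ternary should use the submitted value: `$args = !is_null($originalUser) ? ['user' => $originalUser] : [];`. The assignment added in the first hunk has no explanation of its own; a short comment such as `// keep the submitted value: $user may be replaced by the resolved login name below` would stop a later cleanup from removing it as redundant. A regression test that fails a login and asserts the redirect carries exactly the submitted string would pin the disclosure fix. tryLogin's body starts and ends outside these hunks.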