Make the throttling O(2^n) instead of O(n^n)
authorJoas Schilling <coding@schilljs.com>
Thu, 19 Mar 2020 12:31:07 +0000 (13:31 +0100)
committerJoas Schilling <coding@schilljs.com>
Wed, 19 Aug 2020 09:20:36 +0000 (11:20 +0200)
Signed-off-by: Joas Schilling <coding@schilljs.com>
lib/private/Security/Bruteforce/Throttler.php

index 10e5061b9e815e5e902b4309ea414324117e9e9f..f2bdd9986b643f44f0aa2a6c226e63c0373e5809 100644 (file)
@@ -53,6 +53,7 @@ use OCP\Security\Bruteforce\MaxDelayReached;
 class Throttler {
        public const LOGIN_ACTION = 'login';
        public const MAX_DELAY = 25;
+       public const MAX_ATTEMPTS = 10;
 
        /** @var IDBConnection */
        private $db;
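Review bot: `MAX_ATTEMPTS` is added without a comment saying what it bounds or how it relates to `MAX_DELAY`, whose unit is not stated here either. With the 0.1 base and the doubling visible in the second hunk, the cap of 25 is already exceeded at 8 attempts, so the constant acts as a guard against large exponents rather than as the point where throttling peaks. A one-line docblock would make that clear, e.g. `/** Attempt count above which the maximum delay is returned without computing 2**$attempts */`, plus `/** Maximum delay, in seconds */` on `MAX_DELAY` if seconds is the intended unit.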
@@ -260,18 +261,17 @@ class Throttler {
                        return 0;
                }
 
-               $maxDelay = self::MAX_DELAY;
                $firstDelay = 0.1;
-               if ($attempts > (8 * PHP_INT_SIZE - 1)) {
+               if ($attempts > self::MAX_ATTEMPTS) {
                        // Don't ever overflow. Just assume the maxDelay time:s
-                       $firstDelay = $maxDelay;
-               } else {
-                       $firstDelay *= pow(2, $attempts);
-                       if ($firstDelay > $maxDelay) {
-                               $firstDelay = $maxDelay;
-                       }
+                       return self::MAX_DELAY;
+               }
+
+               $delay = $firstDelay * 2**$attempts;
+               if ($delay > self::MAX_DELAY) {
+                       return self::MAX_DELAY;
                }
-               return (int) \ceil($firstDelay * 1000);
+               return (int) \ceil($delay * 1000);
        }
 
        /**
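Review bot: Both new early returns, `return self::MAX_DELAY;` after the `$attempts > self::MAX_ATTEMPTS` check and again after `$delay > self::MAX_DELAY`, hand back 25 unscaled, while the normal path returns `(int) \ceil($delay * 1000)`. The removed code assigned `$firstDelay = $maxDelay` and then went through the same `* 1000`, so the capped value has changed by a factor of 1000. If the result is in milliseconds, as the multiplication suggests, a source at or past the cap is delayed 25 ms instead of 25 s, which removes most of the throttling for exactly the most persistent clients. Both lines should read `return self::MAX_DELAY * 1000;` (or use a dedicated millisecond constant), and a test asserting the returned delay for an attempt count above the cap would catch a regression. The function starts outside the hunk, so the unit is inferred from the visible return only.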