From 8bf2d4ac52a40323f0797bf8c2ce36277b2bae7b Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Mon, 15 May 2023 09:21:07 +0200 Subject: [PATCH] fix(lostpassword): Also rate limit the setPassword endpoint Signed-off-by: Joas Schilling --- core/Controller/LostController.php | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php index 1fda92fb500..96579b278cf 100644 --- a/core/Controller/LostController.php +++ b/core/Controller/LostController.php @@ -283,11 +283,13 @@ class LostController extends Controller { /** * @PublicPage + * @BruteForceProtection(action=passwordResetEmail) + * @AnonRateThrottle(limit=10, period=300) * @param string $token * @param string $userId * @param string $password * @param boolean $proceed - * @return array + * @return JSONResponse */ public function setPassword($token, $userId, $password, $proceed) { if ($this->config->getSystemValue('lost_password_link', '') !== '') { @@ -301,7 +303,7 @@ class LostController extends Controller { $instance = call_user_func($module['callback']); // this way we can find out whether per-user keys are used or a system wide encryption key if ($instance->needDetailedAccessList()) { - return $this->error('', ['encryption' => true]); + return new JSONResponse($this->error('', ['encryption' => true])); } } } @@ -323,12 +325,16 @@ class LostController extends Controller { $this->config->deleteUserValue($userId, 'core', 'lostpassword'); @\OC::$server->getUserSession()->unsetMagicInCookie(); } catch (HintException $e) { - return $this->error($e->getHint()); + $response = new JSONResponse($this->error($e->getHint())); + $response->throttle(); + return $response; } catch (\Exception $e) { - return $this->error($e->getMessage()); + $response = new JSONResponse($this->error($e->getMessage())); + $response->throttle(); + return $response; } - return $this->success(['user' => $userId]); + return new JSONResponse($this->success(['user' => $userId])); } /** -- 2.39.5