|
|
@@ -24,6 +24,7 @@ |
|
|
|
namespace OC\AppFramework\Middleware\PublicShare; |
|
|
|
|
|
|
|
use OC\AppFramework\Middleware\PublicShare\Exceptions\NeedAuthenticationException; |
|
|
|
use OC\Security\Bruteforce\Throttler; |
|
|
|
use OCP\AppFramework\AuthPublicShareController; |
|
|
|
use OCP\AppFramework\Http\NotFoundResponse; |
|
|
|
use OCP\AppFramework\Middleware; |
|
|
@@ -34,6 +35,7 @@ use OCP\IRequest; |
|
|
|
use OCP\ISession; |
|
|
|
|
|
|
|
class PublicShareMiddleware extends Middleware { |
|
|
|
|
|
|
|
/** @var IRequest */ |
|
|
|
private $request; |
|
|
|
|
|
|
@@ -43,10 +45,14 @@ class PublicShareMiddleware extends Middleware { |
|
|
|
/** @var IConfig */ |
|
|
|
private $config; |
|
|
|
|
|
|
|
public function __construct(IRequest $request, ISession $session, IConfig $config) { |
|
|
|
/** @var Throttler */ |
|
|
|
private $throttler; |
|
|
|
|
|
|
|
public function __construct(IRequest $request, ISession $session, IConfig $config, Throttler $throttler) { |
|
|
|
$this->request = $request; |
|
|
|
$this->session = $session; |
|
|
|
$this->config = $config; |
|
|
|
$this->throttler = $throttler; |
|
|
|
} |
|
|
|
|
|
|
|
public function beforeController($controller, $methodName) { |
|
|
@@ -54,6 +60,11 @@ class PublicShareMiddleware extends Middleware { |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
$controllerClassPath = explode('\\', get_class($controller)); |
|
|
|
$controllerShortClass = end($controllerClassPath); |
|
|
|
$bruteforceProtectionAction = $controllerShortClass . '::' . $methodName; |
|
|
|
$this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), $bruteforceProtectionAction); |
|
|
|
|
|
|
|
if (!$this->isLinkSharingEnabled()) { |
|
|
|
throw new NotFoundException('Link sharing is disabled'); |
|
|
|
} |
|
|
@@ -68,6 +79,8 @@ class PublicShareMiddleware extends Middleware { |
|
|
|
$controller->setToken($token); |
|
|
|
|
|
|
|
if (!$controller->isValidToken()) { |
|
|
|
$this->throttle($bruteforceProtectionAction, $token); |
|
|
|
|
|
|
|
$controller->shareNotFound(); |
|
|
|
throw new NotFoundException(); |
|
|
|
} |
|
|
@@ -88,6 +101,7 @@ class PublicShareMiddleware extends Middleware { |
|
|
|
throw new NeedAuthenticationException(); |
|
|
|
} |
|
|
|
|
|
|
|
$this->throttle($bruteforceProtectionAction, $token); |
|
|
|
throw new NotFoundException(); |
|
|
|
} |
|
|
|
|
|
|
@@ -128,4 +142,10 @@ class PublicShareMiddleware extends Middleware { |
|
|
|
|
|
|
|
return true; |
|
|
|
} |
|
|
|
|
|
|
|
private function throttle($bruteforceProtectionAction, $token): void { |
|
|
|
$ip = $this->request->getRemoteAddress(); |
|
|
|
$this->throttler->sleepDelay($ip, $bruteforceProtectionAction); |
|
|
|
$this->throttler->registerAttempt($bruteforceProtectionAction, $ip, ['token' => $token]); |
|
|
|
} |
|
|
|
} |