Add bruteforce protection to the shareinfo endpoint

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

1 files changed, 11 insertions, 5 deletions

diff --git a/apps/files_sharing/lib/Controller/ShareInfoController.php b/apps/files_sharing/lib/Controller/ShareInfoController.php
index 315a562abef..0fe98a32c7d 100644
--- a/apps/files_sharing/lib/Controller/ShareInfoController.php
+++ b/apps/files_sharing/lib/Controller/ShareInfoController.php
@@ -48,7 +48,7 @@ class ShareInfoController extends ApiController {
 	 * @param IRequest $request
 	 * @param IManager $shareManager
 	 */
-	public function __construct($appName,
+	public function __construct(string $appName,
 								IRequest $request,
 								IManager $shareManager) {
 		parent::__construct($appName, $request);
@@ -59,26 +59,32 @@ class ShareInfoController extends ApiController {
 	/**
 	 * @PublicPage
 	 * @NoCSRFRequired
+	 * @BruteForceProtection(action=shareinfo)
 	 *
 	 * @param string $t
 	 * @param null $password
 	 * @param null $dir
 	 * @return JSONResponse
-	 * @throws ShareNotFound
 	 */
 	public function info($t, $password = null, $dir = null) {
 		try {
 			$share = $this->shareManager->getShareByToken($t);
 		} catch (ShareNotFound $e) {
-			return new JSONResponse([], Http::STATUS_NOT_FOUND);
+			$response = new JSONResponse([], Http::STATUS_NOT_FOUND);
+			$response->throttle(['token' => $t]);
+			return $response;
 		}
 
 		if ($share->getPassword() && !$this->shareManager->checkPassword($share, $password)) {
-			return new JSONResponse([], Http::STATUS_FORBIDDEN);
+			$response = new JSONResponse([], Http::STATUS_FORBIDDEN);
+			$response->throttle(['token' => $t]);
+			return $response;
 		}
 
 		if (!($share->getPermissions() & Constants::PERMISSION_READ)) {
-			return new JSONResponse([], Http::STATUS_FORBIDDEN);
+			$response = new JSONResponse([], Http::STATUS_FORBIDDEN);
+			$response->throttle(['token' => $t]);
+			return $response;
 		}
 
 		$permissionMask = $share->getPermissions();