diff options
| author | Côme Chilliet <91878298+come-nc@users.noreply.github.com> | 2022-10-18 17:29:17 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-10-18 17:29:17 +0200 |
| commit | 3d0e8182badf44758d164d65c13661db66559bea (patch) | |
| tree | fd3a404ea7841280dafdae7d950656912f256d9b /core | |
| parent | 39c3907f8b6596f705eb6a65be52f0096954217f (diff) | |
| parent | 1cb0c2ac52bb6dd05a8e822647b0b2e07c857697 (diff) | |
| download | nextcloud-server-3d0e8182badf44758d164d65c13661db66559bea.tar.gz nextcloud-server-3d0e8182badf44758d164d65c13661db66559bea.zip | |
Merge pull request #34632 from nextcloud/fix/rate-limit-recovery-emails
Add rate limiting on lost password emails
Diffstat (limited to 'core')
| -rw-r--r-- | core/Controller/LostController.php | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php index e5dc5218cb1..fadfa242b93 100644 --- a/core/Controller/LostController.php +++ b/core/Controller/LostController.php @@ -36,10 +36,6 @@ namespace OC\Core\Controller; use Exception; -use OC\Authentication\TwoFactorAuth\Manager; -use OC\Core\Events\BeforePasswordResetEvent; -use OC\Core\Events\PasswordResetEvent; -use OC\Core\Exception\ResetPasswordException; use OCP\AppFramework\Controller; use OCP\AppFramework\Http\JSONResponse; use OCP\AppFramework\Http\TemplateResponse; @@ -56,8 +52,14 @@ use OCP\IURLGenerator; use OCP\IUser; use OCP\IUserManager; use OCP\Mail\IMailer; -use OCP\Security\VerificationToken\InvalidTokenException; use OCP\Security\VerificationToken\IVerificationToken; +use OCP\Security\VerificationToken\InvalidTokenException; +use OC\Authentication\TwoFactorAuth\Manager; +use OC\Core\Events\BeforePasswordResetEvent; +use OC\Core\Events\PasswordResetEvent; +use OC\Core\Exception\ResetPasswordException; +use OC\Security\RateLimiting\Exception\RateLimitExceededException; +use OC\Security\RateLimiting\Limiter; use Psr\Log\LoggerInterface; use function array_filter; use function count; @@ -84,6 +86,7 @@ class LostController extends Controller { private IInitialState $initialState; private IVerificationToken $verificationToken; private IEventDispatcher $eventDispatcher; + private Limiter $limiter; public function __construct( string $appName, @@ -100,7 +103,8 @@ class LostController extends Controller { Manager $twoFactorManager, IInitialState $initialState, IVerificationToken $verificationToken, - IEventDispatcher $eventDispatcher + IEventDispatcher $eventDispatcher, + Limiter $limiter ) { parent::__construct($appName, $request); $this->urlGenerator = $urlGenerator; @@ -116,6 +120,7 @@ class LostController extends Controller { $this->initialState = $initialState; $this->verificationToken = $verificationToken; $this->eventDispatcher = $eventDispatcher; + $this->limiter = $limiter; } /** @@ -267,6 +272,12 @@ class LostController extends Controller { throw new ResetPasswordException('Could not send reset e-mail since there is no email for username ' . $input); } + try { + $this->limiter->registerUserRequest('lostpasswordemail', 5, 1800, $user); + } catch (RateLimitExceededException $e) { + throw new ResetPasswordException('Could not send reset e-mail, 5 of them were already sent in the last 30 minutes', 0, $e); + } + // Generate the token. It is stored encrypted in the database with the // secret being the users' email address appended with the system secret. // This makes the token automatically invalidate once the user changes |