author | Joas Schilling <213943+nickvergessen@users.noreply.github.com> | 2023-02-06 22:12:25 +0100 |
committer | GitHub <noreply@github.com> | 2023-02-06 22:12:25 +0100 |
commit | 59578817f5cef0726f17301396c60dc2c92cba4d (patch) | |
tree | 9e9289f77dd6056073472e997764d94812b4a09e /core | |
parent | fa1d50ccce6a220631b625aeda54eaf5555ebc66 (diff) | |
parent | 875e6cf7e6d5a469922fc6e542db8388cedcff01 (diff) | |
download | nextcloud-server-59578817f5cef0726f17301396c60dc2c92cba4d.tar.gz nextcloud-server-59578817f5cef0726f17301396c60dc2c92cba4d.zip |
Merge pull request #36489 from nextcloud/bugfix/noid/brute-force-protection-password-reset
Add bruteforce protection to password reset page
Diffstat (limited to 'core')
-rw-r--r-- | core/Controller/LostController.php | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
index 6176e3cd5e5..044535c345b 100644
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@@ -128,6 +128,8 @@ class LostController extends Controller {
 *
 * @PublicPage
 * @NoCSRFRequired
+ @BruteForceProtection(action=passwordResetEmail)
+ @AnonRateThrottle(limit=10, period=300)
 */
 public function resetform(string $token, string $userId): TemplateResponse {
 try {
@@ -137,12 +139,14 @@ class LostController extends Controller {
 || ($e instanceof InvalidTokenException && !in_array($e->getCode(), [InvalidTokenException::TOKEN_NOT_FOUND, InvalidTokenException::USER_UNKNOWN]))
 ) {
- return new TemplateResponse(
+ $response = new TemplateResponse(
 'core',
 'error',
 [ "errors" => [["error" => $e->getMessage()]] ],
 TemplateResponse::RENDER_AS_GUEST
 );
+ $response->throttle();
+ return $response;
 }
 return new TemplateResponse('core', 'error', [
 'errors' => [['error' => $this->l10n->t('Password reset is disabled')]] |
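Review bot: The new `@BruteForceProtection(action=passwordResetEmail)` on `resetform` carries an action name that reads as belonging to the e-mail-sending step rather than to rendering the reset form; if another endpoint already counts against the same action, failed form loads and e-mail requests share one counter, and the docblock should say so, e.g. `* Counts against the passwordResetEmail bruteforce action so invalid-token form loads and reset-mail requests are throttled together.` In the second hunk `$response->throttle()` is only reached for exceptions other than `TOKEN_NOT_FOUND`/`USER_UNKNOWN`, so a request with an unknown token falls through to the generic "Password reset is disabled" response without feeding the bruteforce counter and is limited only by `@AnonRateThrottle`; if that is deliberate, a one-line comment above `return new TemplateResponse('core', 'error', [` stating why those two codes are exempt would keep the next maintainer from "fixing" it. The other side of the `||` condition and the end of `resetform` lie outside the hunks, so the exact set of throttled exceptions cannot be confirmed from here.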