diff options
| author | Joas Schilling <213943+nickvergessen@users.noreply.github.com> | 2023-05-16 06:35:15 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-05-16 06:35:15 +0200 |
| commit | b56445b9ad8f391a69553c6b450e78978b9a0cbb (patch) | |
| tree | 6f90bee6a43063150a7c10b51fb83f01e72e6cf4 /core | |
| parent | 816c33c3917167d503e99994472f5ad7c8a380c2 (diff) | |
| parent | 33385d7ecb892a6674caf18647e5f2a6394d70b9 (diff) | |
| download | nextcloud-server-b56445b9ad8f391a69553c6b450e78978b9a0cbb.tar.gz nextcloud-server-b56445b9ad8f391a69553c6b450e78978b9a0cbb.zip | |
Merge pull request #38267 from nextcloud/bugfix/noid/fix-missing-bruteforce-protection
fix(lostpassword): Also rate limit the setPassword endpoint
Diffstat (limited to 'core')
| -rw-r--r-- | core/Controller/LostController.php | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php index 51ab8d85a6e..127c6310f6b 100644 --- a/core/Controller/LostController.php +++ b/core/Controller/LostController.php @@ -201,7 +201,7 @@ class LostController extends Controller { } $user = trim($user); - + \OCP\Util::emitHook( '\OCA\Files_Sharing\API\Server2Server', 'preLoginNameUsedAsUserName', @@ -225,8 +225,10 @@ class LostController extends Controller { /** * @PublicPage + * @BruteForceProtection(action=passwordResetEmail) + * @AnonRateThrottle(limit=10, period=300) */ - public function setPassword(string $token, string $userId, string $password, bool $proceed): array { + public function setPassword(string $token, string $userId, string $password, bool $proceed): JSONResponse { if ($this->encryptionManager->isEnabled() && !$proceed) { $encryptionModules = $this->encryptionManager->getEncryptionModules(); foreach ($encryptionModules as $module) { @@ -234,7 +236,7 @@ class LostController extends Controller { $instance = call_user_func($module['callback']); // this way we can find out whether per-user keys are used or a system wide encryption key if ($instance->needDetailedAccessList()) { - return $this->error('', ['encryption' => true]); + return new JSONResponse($this->error('', ['encryption' => true])); } } } @@ -262,12 +264,16 @@ class LostController extends Controller { $this->config->deleteUserValue($userId, 'core', 'lostpassword'); @\OC::$server->getUserSession()->unsetMagicInCookie(); } catch (HintException $e) { - return $this->error($e->getHint()); + $response = new JSONResponse($this->error($e->getHint())); + $response->throttle(); + return $response; } catch (Exception $e) { - return $this->error($e->getMessage()); + $response = new JSONResponse($this->error($e->getMessage())); + $response->throttle(); + return $response; } - return $this->success(['user' => $userId]); + return new JSONResponse($this->success(['user' => $userId])); } /** |