author | Lukas Reschke <lukas@statuscode.ch> | 2016-07-20 23:09:27 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@statuscode.ch> | 2016-07-20 23:09:27 +0200 |
commit | c1589f163c44839fba9b2d3dcfb1e45ee7fa47ef (patch) | |
tree | 0f460493ed97959e22f9b1713a641c22cf088ba0 /lib/private | |
parent | adf67fac9632788a86d710fc8fbdb76f041b434f (diff) | |
Mitigate race condition
Diffstat (limited to 'lib/private')
-rw-r--r-- | lib/private/User/Session.php | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 79bd7c22848..8d12982dd1a 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -310,6 +310,7 @@ class Session implements IUserSession, Emitter {
$password, IRequest $request, OC\Security\Bruteforce\Throttler $throttler) {
+ $currentDelay = $throttler->getDelay($request->getRemoteAddress());
$throttler->sleepDelay($request->getRemoteAddress());
$isTokenPassword = $this->isTokenPassword($password);
@@ -326,6 +327,9 @@ class Session implements IUserSession, Emitter {
}
$throttler->registerAttempt('login', $request->getRemoteAddress(), ['uid' => $user]);
+ if($currentDelay === 0) {
+ $throttler->sleepDelay($request->getRemoteAddress());
+ }
return false;
}
@@ -405,7 +409,6 @@ class Session implements IUserSession, Emitter {
public function tryBasicAuthLogin(IRequest $request, OC\Security\Bruteforce\Throttler $throttler) {
if (!empty($request->server['PHP_AUTH_USER']) && !empty($request->server['PHP_AUTH_PW'])) {
- $throttler->sleepDelay(\OC::$server->getRequest()->getRemoteAddress());
try {
if ($this->logClientIn($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW'], $request, $throttler)) {
/** |
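Review bot: The extra `sleepDelay` added after `registerAttempt` in the second hunk only delays the response of requests that raced through with a zero delay; by the time it runs, the credential check that sits between the two hunks (not shown here) has already executed, so the window between `getDelay` and `registerAttempt` is narrowed rather than closed. If the throttler allows it, registering the attempt before the credential check and clearing it on success would close the window instead of only lengthening the response for that batch. The strict `=== 0` comparison assumes `getDelay()` returns an int; if it can return a float or string zero the post-attempt sleep never fires, so its return type is worth confirming. Style: the surrounding code writes `if (` with a space, so `if($currentDelay === 0) {` should read `if ($currentDelay === 0) {`, and the intent deserves a why-comment such as `// A zero pre-attempt delay means parallel first attempts saw no throttling; sleep now so this batch still pays for the failure.` logClientIn begins before the first hunk and continues past the second, and tryBasicAuthLogin's body runs past the third hunk.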