author | Lukas Reschke <lukas@statuscode.ch> | 2017-04-18 17:55:51 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@statuscode.ch> | 2017-04-18 17:55:51 +0200 |
commit | 805419bb952b937ae980c198162f8f7dd30ff6d2 (patch) | |
tree | 90e4b587e1ee0547ddc6ada57c799b4c91a57c31 /settings/Controller/ChangePasswordController.php | |
parent | b072d2c49d6f61c2b55abf12e04bdf2166dbd4f4 (diff) | |
Add bruteforce protection to changePersonalPassword
While the risk is actually quite low — because one would already have the user session and could potentially do other havoc — it makes sense to throttle here in case of invalid previous-password attempts.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'settings/Controller/ChangePasswordController.php')
-rw-r--r-- | settings/Controller/ChangePasswordController.php | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/settings/Controller/ChangePasswordController.php b/settings/Controller/ChangePasswordController.php
index b82751bcac2..2f61d36c3ff 100644
--- a/settings/Controller/ChangePasswordController.php
+++ b/settings/Controller/ChangePasswordController.php
@@ -85,6 +85,7 @@ class ChangePasswordController extends Controller {
 	/**
 	 * @NoAdminRequired
 	 * @NoSubadminRequired
+	 * @BruteForceProtection(action=changePersonalPassword)
 	 *
 	 * @param string $oldpassword
 	 * @param string $newpassword
@@ -95,12 +96,14 @@ class ChangePasswordController extends Controller {
 		/** @var IUser $user */
 		$user = $this->userManager->checkPassword($this->userId, $oldpassword);
 		if ($user === false) {
-			return new JSONResponse([
+			$response = new JSONResponse([
 				'status' => 'error',
 				'data' => [
 					'message' => $this->l->t('Wrong password'),
 				],
 			]);
+			$response->throttle();
+			return $response;
 		}
 
 		try { |
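Review bot: The new `$response->throttle()` on the wrong-password branch only does anything because of the `@BruteForceProtection(action=changePersonalPassword)` annotation added in the first hunk, and nothing in the code says so; a reader seeing `throttle()` alone cannot tell what records the attempt or what keys the delay. I would put above the call `// Flag this response as a failed attempt so the brute-force middleware (enabled by @BruteForceProtection on this method) records it and delays further wrong-password submissions.` It is also worth noting in that comment, hedged, that the throttle is presumably keyed on the requesting client rather than on the target account, so an attacker holding a stolen session and many source addresses is not slowed — the old-password check itself remains the real control here, as the commit message already admits. The method's success path runs past the end of the hunk, so I could not see whether a correct old password resets the recorded attempts; if nothing does, a legitimate user who mistypes a few times keeps paying the delay on later requests until it decays, which may deserve a sentence in the docblock.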