From cdf01feba78696aa74b7f57a43380757d67df4aa Mon Sep 17 00:00:00 2001 From: Bjoern Schiessle Date: Tue, 17 Jan 2017 17:21:27 +0100 Subject: add action to existing brute force protection Signed-off-by: Bjoern Schiessle --- core/Controller/LoginController.php | 12 ++++++------ core/Controller/OCSController.php | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) (limited to 'core/Controller') diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php index 3c81ed5242a..187c818b9e1 100644 --- a/core/Controller/LoginController.php +++ b/core/Controller/LoginController.php @@ -205,8 +205,8 @@ class LoginController extends Controller { * @return RedirectResponse */ public function tryLogin($user, $password, $redirect_url, $remember_login = false, $timezone = '', $timezone_offset = '') { - $currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress()); - $this->throttler->sleepDelay($this->request->getRemoteAddress()); + $currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress(), 'login'); + $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'login'); // If the user is already logged in and the CSRF check does not pass then // simply redirect the user to the correct page as required. This is the @@ -230,7 +230,7 @@ class LoginController extends Controller { if ($loginResult === false) { $this->throttler->registerAttempt('login', $this->request->getRemoteAddress(), ['user' => $originalUser]); if($currentDelay === 0) { - $this->throttler->sleepDelay($this->request->getRemoteAddress()); + $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'login'); } $this->session->set('loginMessages', [ ['invalidpassword'], [] @@ -295,15 +295,15 @@ class LoginController extends Controller { * @return DataResponse */ public function confirmPassword($password) { - $currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress()); - $this->throttler->sleepDelay($this->request->getRemoteAddress()); + $currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress(), 'sudo'); + $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'sudo'); $loginName = $this->userSession->getLoginName(); $loginResult = $this->userManager->checkPassword($loginName, $password); if ($loginResult === false) { $this->throttler->registerAttempt('sudo', $this->request->getRemoteAddress(), ['user' => $loginName]); if ($currentDelay === 0) { - $this->throttler->sleepDelay($this->request->getRemoteAddress()); + $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'sudo'); } return new DataResponse([], Http::STATUS_FORBIDDEN); diff --git a/core/Controller/OCSController.php b/core/Controller/OCSController.php index c59b0d7ad3f..dc9775f2603 100644 --- a/core/Controller/OCSController.php +++ b/core/Controller/OCSController.php @@ -128,7 +128,7 @@ class OCSController extends \OCP\AppFramework\OCSController { */ public function personCheck($login = '', $password = '') { if ($login !== '' && $password !== '') { - $this->throttler->sleepDelay($this->request->getRemoteAddress()); + $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'login'); if ($this->userManager->checkPassword($login, $password)) { return new DataResponse([ 'person' => [ -- cgit v1.2.3