From 805419bb952b937ae980c198162f8f7dd30ff6d2 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Tue, 18 Apr 2017 17:55:51 +0200
Subject: Add bruteforce protection to changePersonalPassword

While the risk is actually quite low because one would already have the user session and could potentially do other havoc it makes sense to throttle here in case of invalid previous password attempts.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
---
 settings/Controller/ChangePasswordController.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'settings/Controller/ChangePasswordController.php')

diff --git a/settings/Controller/ChangePasswordController.php b/settings/Controller/ChangePasswordController.php
index b82751bcac2..2f61d36c3ff 100644
--- a/settings/Controller/ChangePasswordController.php
+++ b/settings/Controller/ChangePasswordController.php
@@ -85,6 +85,7 @@ class ChangePasswordController extends Controller {
 	/**
 	 * @NoAdminRequired
 	 * @NoSubadminRequired
+	 * @BruteForceProtection(action=changePersonalPassword)
 	 *
 	 * @param string $oldpassword
 	 * @param string $newpassword
@@ -95,12 +96,14 @@ class ChangePasswordController extends Controller {
 		/** @var IUser $user */
 		$user = $this->userManager->checkPassword($this->userId, $oldpassword);
 		if ($user === false) {
-			return new JSONResponse([
+			$response = new JSONResponse([
 				'status' => 'error',
 				'data' => [
 					'message' => $this->l->t('Wrong password'),
 				],
 			]);
+			$response->throttle();
+			return $response;
 		}
 
 		try {
-- 
cgit v1.2.3