authorJoas Schilling <coding@schilljs.com>2023-08-10 12:01:22 +0200
committerbackportbot-nextcloud[bot] <backportbot-nextcloud[bot]@users.noreply.github.com>2023-08-10 12:19:08 +0000
commitd3f3dd5c6616c1410d5abb5b031c39010774d39d (patch)
tree953ade374643102cdad0756342defbafaa3f32b5
parentb6c1db53c7cd6ff36dcbd1f0ffb0ae50e8dbe975 (diff)
fix(bruteforce): Fix resetting the bruteforce protection
Since the metadata field was extended to track the password and token separately, the metadata comparison on the reset did not match anymore. Signed-off-by: Joas Schilling <coding@schilljs.com>
-rw-r--r--lib/Controller/PageController.php4
-rw-r--r--lib/Controller/RoomController.php3
2 files changed, 4 insertions, 3 deletions
diff --git a/lib/Controller/PageController.php b/lib/Controller/PageController.php
index 0909e3fec..caad0ae60 100644
--- a/lib/Controller/PageController.php
+++ b/lib/Controller/PageController.php
@@ -238,7 +238,7 @@ class PageController extends Controller {
if ($passwordVerification['result']) {
$this->talkSession->renewSessionId();
$this->talkSession->setPasswordForRoom($token, $password);
- $this->throttler->resetDelay($this->request->getRemoteAddress(), 'talkRoomPassword', ['token' => $token]);
+ $this->throttler->resetDelay($this->request->getRemoteAddress(), 'talkRoomPassword', ['token' => $token, 'action' => 'talkRoomPassword']);
} else {
$this->talkSession->removePasswordForRoom($token);
$showBruteForceWarning = $this->throttler->getDelay($this->request->getRemoteAddress(), 'talkRoomPassword') > 5000;
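Review bot: The reset metadata `['token' => $token, 'action' => 'talkRoomPassword']` is now spelled out by hand on line 238 and again on line 381 (second hunk), and it only works if it is byte-identical to the array passed to `throttle()` where the failed attempt is registered, which is not visible in this diff. That is exactly the drift this commit repairs, so keeping the literal duplicated invites the same regression the next time the metadata changes. I would build it in one place, e.g. `private static function passwordThrottleMetadata(string $token): array { return ['token' => $token, 'action' => 'talkRoomPassword']; }`, and use it for both the `throttle()` call and both `resetDelay()` calls. Note that a reset with mismatching metadata fails silently (the delay simply stays), so a test that asserts `getDelay()` drops to zero after a successful password entry would catch this class of bug. The enclosing method starts and ends outside the hunk.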
@@ -381,7 +381,7 @@ class PageController extends Controller {
if ($passwordVerification['result']) {
$this->talkSession->renewSessionId();
$this->talkSession->setPasswordForRoom($token, $password);
- $this->throttler->resetDelay($this->request->getRemoteAddress(), 'talkRoomPassword', ['token' => $token]);
+ $this->throttler->resetDelay($this->request->getRemoteAddress(), 'talkRoomPassword', ['token' => $token, 'action' => 'talkRoomPassword']);
} else {
$this->talkSession->removePasswordForRoom($token);
$showBruteForceWarning = $this->throttler->getDelay($this->request->getRemoteAddress(), 'talkRoomPassword') > 5000;
diff --git a/lib/Controller/RoomController.php b/lib/Controller/RoomController.php
index dae1542ce..9d7e8d7af 100644
--- a/lib/Controller/RoomController.php
+++ b/lib/Controller/RoomController.php
@@ -1196,7 +1196,8 @@ class RoomController extends AEnvironmentAwareController {
} else {
$participant = $this->participantService->joinRoomAsNewGuest($this->roomService, $room, $password, $result['result'], $previousParticipant);
}
- $this->throttler->resetDelay($this->request->getRemoteAddress(), 'talkRoomToken', ['token' => $token]);
+ $this->throttler->resetDelay($this->request->getRemoteAddress(), 'talkRoomPassword', ['token' => $token, 'action' => 'talkRoomPassword']);
+ $this->throttler->resetDelay($this->request->getRemoteAddress(), 'talkRoomToken', ['token' => $token, 'action' => 'talkRoomToken']);
} catch (InvalidPasswordException $e) {
$response = new DataResponse([], Http::STATUS_FORBIDDEN);
$response->throttle(['token' => $token, 'action' => 'talkRoomPassword']);
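Review bot: The metadata on the added `resetDelay()` line for `'talkRoomPassword'` matches the `throttle()` call on the last context line, but the `'talkRoomToken'` reset on the following line presumes a registration with `['token' => $token, 'action' => 'talkRoomToken']` that is outside this hunk; please confirm the `throttle()` for the token case uses that exact array, otherwise this reset is a no-op and the delay persists. The same `['token' => $token, 'action' => ...]` shape is now written three times in this method, so a single local such as `$passwordMeta = ['token' => $token, 'action' => 'talkRoomPassword'];` reused by both the reset and the `throttle()` in the catch would keep them from drifting apart again. The enclosing `try`/`catch` and the method itself start and end outside the hunk.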