[SECURITY] Add hook to implement login protection methods 23/40823/2
authorNicole Cordes <typo3@cordes.co>
Wed, 17 Jun 2015 13:39:41 +0000 (15:39 +0200)
committerBenjamin Mack <benni@typo3.org>
Wed, 1 Jul 2015 14:23:08 +0000 (16:23 +0200)
Currently only the backend login is protected by a hard-coded sleep
delay after a login failure. This patch adds a new hook which can be used
to implement a protection mechanism (e.g. brute-force detection)
and moves the sleep delay into the abstract user authentication class as
the default protection when no hook is registered.

Resolves: #59231
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-006
Change-Id: Idd105d07e016dbbb901c04ae6e1ff4f46b92ac49
Reviewed-on: http://review.typo3.org/40823
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
typo3/sysext/backend/Classes/Controller/LoginController.php
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php

index 1e00ffc..8dbe2f0 100644 (file)
@@ -415,9 +415,6 @@ class LoginController {
                                        }
                                ');
                        }
-               } elseif (empty($GLOBALS['BE_USER']->user['uid']) && $this->isLoginInProgress()) {
-                       // Wrong password, wait for 5 seconds
-                       sleep(5);
                }
        }
 
index c4ce61e..827bbd9 100644 (file)
@@ -857,6 +857,21 @@ abstract class AbstractUserAuthentication {
                        if ($this->writeDevLog) {
                                GeneralUtility::devLog('Call checkLogFailures: ' . GeneralUtility::arrayToLogString(array('warningEmail' => $this->warningEmail, 'warningPeriod' => $this->warningPeriod, 'warningMax' => $this->warningMax)), 'TYPO3\\CMS\\Core\\Authentication\\AbstractUserAuthentication', -1);
                        }
+
+                       // Hook to implement login failure tracking methods
+                       if (
+                               !empty($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'])
+                               && is_array($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'])
+                       ) {
+                               $_params = array();
+                               foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'] as $_funcRef) {
+                                       GeneralUtility::callUserFunction($_funcRef, $_params, $this);
+                               }
+                       } else {
+                               // If no hook is implemented, wait for 5 seconds
+                               sleep(5);
+                       }
+
                        $this->checkLogFailures($this->warningEmail, $this->warningPeriod, $this->warningMax);
                }
        }
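Review bot: Registering any hook under `postLoginFailureProcessing` silently removes the 5-second delay, because the `else` branch around `sleep(5)` only runs when the hook array is empty — an extension that merely logs or e-mails on failures would turn the delay off for every backend and frontend login without providing replacement throttling. It would be safer to keep the delay unless a hook explicitly takes responsibility for it, e.g. by seeding `$_params` with a flag the hook can set (this assumes `callUserFunction` passes `$_params` by reference, as other core hooks rely on — please confirm). Note also that with the move into the abstract class the blocking `sleep(5)` now applies to frontend logins too, so a flood of failed frontend logins ties up a PHP worker per attempt; the hook comment should spell out that implementations are expected to provide equivalent protection. The enclosing method and the `if` block this code sits in start outside the hunk.
```php
// Hook to implement login failure tracking methods. A hook that implements
// its own throttling sets $_params['skipDefaultDelay'] = TRUE; otherwise the
// built-in delay is still applied after all hooks have run.
$_params = array('skipDefaultDelay' => FALSE);
if (
	!empty($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'])
	&& is_array($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'])
) {
	foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'] as $_funcRef) {
		GeneralUtility::callUserFunction($_funcRef, $_params, $this);
	}
}
if (!$_params['skipDefaultDelay']) {
	// No hook took over throttling: fall back to the fixed delay
	sleep(5);
}
// … unchanged: checkLogFailures call …
```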