[SECURITY] Add hook to implement login protection methods 09/40809/2
authorNicole Cordes <typo3@cordes.co>
Wed, 17 Jun 2015 13:39:41 +0000 (15:39 +0200)
committerBenjamin Mack <benni@typo3.org>
Wed, 1 Jul 2015 14:09:58 +0000 (16:09 +0200)
Currently only the backend login is protected with an implemented sleep
time after login failure. This patch adds a new hook which can be used
to implement a protection functionality (e.g. for detecting brute force)
and moves the sleep time as default protection in the abstract user
authentication class.

Resolves: #59231
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-006
Change-Id: I1fd1ebdc32ce7797651b5ead284dcff1eb511b94
Reviewed-on: http://review.typo3.org/40809
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
typo3/sysext/backend/Classes/Controller/LoginController.php
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/core/Documentation/Changelog/master/Feature-59231-AddHookToAbstractUserAuthenticationCheckAuthentication.rst [new file with mode: 0644]

index fd8881d..afa4cd4 100644 (file)
@@ -237,17 +237,13 @@ class LoginController {
         * @throws \UnexpectedValueException
         */
        protected function checkRedirect() {
-               if (empty($this->getBackendUserAuthentication()->user['uid'])) {
-                       // a) if either the login is just done (isLoginInProgress) or
-                       if ($this->isLoginInProgress()) {
-                               // Wrong password, wait for 5 seconds
-                               sleep(5);
-                               return;
-                       // b) a loginRefresh is done
-                       } elseif (!$this->loginRefresh) {
-                               return;
-                       }
+               if (
+                       empty($this->getBackendUserAuthentication()->user['uid'])
+                       && ($this->isLoginInProgress() || !$this->loginRefresh)
+               ) {
+                       return;
                }
+
                /*
                 * If no cookie has been set previously, we tell people that this is a problem.
                 * This assumes that a cookie-setting script (like this one) has been hit at
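Review bot: The comments explaining the early return were dropped together with the sleep, so the collapsed condition no longer says why a just-attempted login or a non-refresh request returns here, nor that the failure delay now lives in AbstractUserAuthentication::checkAuthentication. Add a short comment above the `if`, e.g. `// Not logged in: return early if a login was just attempted (its failure delay is handled in AbstractUserAuthentication) or if this is not a login refresh`. The rewritten condition is otherwise equivalent to the removed branches apart from the removed sleep. checkRedirect's body continues past the end of the hunk.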
index 300c0eb..6030d5e 100644 (file)
@@ -787,6 +787,21 @@ abstract class AbstractUserAuthentication {
                        if ($this->writeDevLog) {
                                GeneralUtility::devLog('Call checkLogFailures: ' . GeneralUtility::arrayToLogString(array('warningEmail' => $this->warningEmail, 'warningPeriod' => $this->warningPeriod, 'warningMax' => $this->warningMax)), \TYPO3\CMS\Core\Authentication\AbstractUserAuthentication::class, -1);
                        }
+
+                       // Hook to implement login failure tracking methods
+                       if (
+                               !empty($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'])
+                               && is_array($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'])
+                       ) {
+                               $_params = array();
+                               foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'] as $_funcRef) {
+                                       GeneralUtility::callUserFunction($_funcRef, $_params, $this);
+                               }
+                       } else {
+                               // If no hook is implemented, wait for 5 seconds
+                               sleep(5);
+                       }
+
                        $this->checkLogFailures($this->warningEmail, $this->warningPeriod, $this->warningMax);
                }
        }
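Review bot: Registering any `postLoginFailureProcessing` hook removes the 5-second delay entirely, because `sleep(5)` sits in the `else` branch; a hook that only records the failure (for example to feed a log watcher) silently disables the only built-in throttling, and nothing in the new code checks that a hook applied its own protection. Consider keeping the delay as the fallback unless a hook reports that it handled the failure, or at least state the contract in the comment, e.g. `// Hooks replace the default sleep(5): every registered hook is responsible for its own brute-force protection`. `$_params` is passed as an empty array, so hooks only get context through `$this`; if the failing login name or remote address is meant to be available to them, passing it explicitly here would make the contract clearer. The `$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing']` lookup is repeated three times; assigning it once to a local such as `$hooks` and testing `is_array($hooks) && !empty($hooks)` makes the branch readable. checkAuthentication starts before this hunk.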
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Feature-59231-AddHookToAbstractUserAuthenticationCheckAuthentication.rst b/typo3/sysext/core/Documentation/Changelog/master/Feature-59231-AddHookToAbstractUserAuthenticationCheckAuthentication.rst
new file mode 100644 (file)
index 0000000..7e6839f
--- /dev/null
@@ -0,0 +1,16 @@
+============================================================================
+Feature: #59231 - Hook for AbstractUserAuthentication::checkAuthentication()
+============================================================================
+
+Description
+===========
+
+Hook to post-process login failures in ``AbstractUserAuthentication::checkAuthentication``.
+By default the process sleeps for five seconds in case of failing. Using this hook
+different solutions for brute force protection could be implemented.
+
+Register like this:
+
+.. code-block:: php
+
+       $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'][] = 'My\\Package\\HookClass->hookMethod';
\ No newline at end of file