Currently only the backend login is protected with an implemented sleep
time after login failure. This patch adds a new hook which can be used
to implement a protection functionality (e.g. for detecting brute force)
and moves the sleep time as default protection in the abstract user
authentication class.
Resolves: #59231
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-006
Change-Id: I1fd1ebdc32ce7797651b5ead284dcff1eb511b94
Reviewed-on: http://review.typo3.org/40809
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
* @throws \UnexpectedValueException
*/
protected function checkRedirect() {
* @throws \UnexpectedValueException
*/
protected function checkRedirect() {
- if (empty($this->getBackendUserAuthentication()->user['uid'])) {
- // a) if either the login is just done (isLoginInProgress) or
- if ($this->isLoginInProgress()) {
- // Wrong password, wait for 5 seconds
- sleep(5);
- return;
- // b) a loginRefresh is done
- } elseif (!$this->loginRefresh) {
- return;
- }
+ if (
+ empty($this->getBackendUserAuthentication()->user['uid'])
+ && ($this->isLoginInProgress() || !$this->loginRefresh)
+ ) {
+ return;
/*
* If no cookie has been set previously, we tell people that this is a problem.
* This assumes that a cookie-setting script (like this one) has been hit at
/*
* If no cookie has been set previously, we tell people that this is a problem.
* This assumes that a cookie-setting script (like this one) has been hit at
if ($this->writeDevLog) {
GeneralUtility::devLog('Call checkLogFailures: ' . GeneralUtility::arrayToLogString(array('warningEmail' => $this->warningEmail, 'warningPeriod' => $this->warningPeriod, 'warningMax' => $this->warningMax)), \TYPO3\CMS\Core\Authentication\AbstractUserAuthentication::class, -1);
}
if ($this->writeDevLog) {
GeneralUtility::devLog('Call checkLogFailures: ' . GeneralUtility::arrayToLogString(array('warningEmail' => $this->warningEmail, 'warningPeriod' => $this->warningPeriod, 'warningMax' => $this->warningMax)), \TYPO3\CMS\Core\Authentication\AbstractUserAuthentication::class, -1);
}
+
+ // Hook to implement login failure tracking methods
+ if (
+ !empty($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'])
+ && is_array($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'])
+ ) {
+ $_params = array();
+ foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'] as $_funcRef) {
+ GeneralUtility::callUserFunction($_funcRef, $_params, $this);
+ }
+ } else {
+ // If no hook is implemented, wait for 5 seconds
+ sleep(5);
+ }
+
$this->checkLogFailures($this->warningEmail, $this->warningPeriod, $this->warningMax);
}
}
$this->checkLogFailures($this->warningEmail, $this->warningPeriod, $this->warningMax);
}
}
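Review bot: Registering any `postLoginFailureProcessing` hook drops the default delay entirely, because the `sleep(5)` now runs only in the `else` branch of the new block, so a hook that merely records failures (e.g. for monitoring) silently removes the throttling the commit describes as the default protection. I would make that contract explicit above the condition: `// NOTE: any registered hook replaces the default 5 second delay; hook implementations are responsible for throttling or lockout.` The hook is also invoked with an empty `$_params` array, so implementers get no information about the failed attempt other than the `$this` reference; passing the request data the method already holds (if any) would let hooks work without reaching into protected state. The enclosing method starts outside the hunk.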
--- /dev/null
+============================================================================
+Feature: #59231 - Hook for AbstractUserAuthentication::checkAuthentication()
+============================================================================
+
+Description
+===========
+
+Hook to post-process login failures in ``AbstractUserAuthentication::checkAuthentication``.
+By default the process sleeps for five seconds in case of failing. Using this hook
+different solutions for brute force protection could be implemented.
+
+Register like this:
+
+.. code-block:: php
+
+ $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'][] = 'My\\Package\\HookClass->hookMethod';
\ No newline at end of file