From 3a22249edaae6a1cd6cc66d0d57a2aac46c5c658 Mon Sep 17 00:00:00 2001
From: Nicole Cordes <typo3@cordes.co>
Date: Wed, 17 Jun 2015 15:39:41 +0200
Subject: [PATCH 1/1] [SECURITY] Add hook to implement login protection methods

Currently only the backend login is protected with an implement sleep
time after login failure. This patch adds a new hook which can be used
to implement a protection functionality (e.g. for detecting brute force)
and moves the sleep time as default protection in the abstract user
authentication class.

Resolves: #59231
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-006
Change-Id: I1fd1ebdc32ce7797651b5ead284dcff1eb511b94
Reviewed-on: http://review.typo3.org/40809
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
---
 .../Classes/Controller/LoginController.php       | 16 ++++++----------
 .../AbstractUserAuthentication.php               | 15 +++++++++++++++
 ...ractUserAuthenticationCheckAuthentication.rst | 16 ++++++++++++++++
 3 files changed, 37 insertions(+), 10 deletions(-)
 create mode 100644 typo3/sysext/core/Documentation/Changelog/master/Feature-59231-AddHookToAbstractUserAuthenticationCheckAuthentication.rst

diff --git a/typo3/sysext/backend/Classes/Controller/LoginController.php b/typo3/sysext/backend/Classes/Controller/LoginController.php
index fd8881d71197..afa4cd41f4ec 100644
--- a/typo3/sysext/backend/Classes/Controller/LoginController.php
+++ b/typo3/sysext/backend/Classes/Controller/LoginController.php
@@ -237,17 +237,13 @@ class LoginController {
 	 * @throws \UnexpectedValueException
 	 */
 	protected function checkRedirect() {
-		if (empty($this->getBackendUserAuthentication()->user['uid'])) {
-			// a) if either the login is just done (isLoginInProgress) or
-			if ($this->isLoginInProgress()) {
-				// Wrong password, wait for 5 seconds
-				sleep(5);
-				return;
-			// b) a loginRefresh is done
-			} elseif (!$this->loginRefresh) {
-				return;
-			}
+		if (
+			empty($this->getBackendUserAuthentication()->user['uid'])
+			&& ($this->isLoginInProgress() || !$this->loginRefresh)
+		) {
+			return;
 		}
+
 		/*
 		 * If no cookie has been set previously, we tell people that this is a problem.
 		 * This assumes that a cookie-setting script (like this one) has been hit at
diff --git a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
index 300c0eb53cc6..6030d5e9d136 100644
--- a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
+++ b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
@@ -787,6 +787,21 @@ abstract class AbstractUserAuthentication {
 			if ($this->writeDevLog) {
 				GeneralUtility::devLog('Call checkLogFailures: ' . GeneralUtility::arrayToLogString(array('warningEmail' => $this->warningEmail, 'warningPeriod' => $this->warningPeriod, 'warningMax' => $this->warningMax)), \TYPO3\CMS\Core\Authentication\AbstractUserAuthentication::class, -1);
 			}
+
+			// Hook to implement login failure tracking methods
+			if (
+				!empty($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'])
+				&& is_array($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'])
+			) {
+				$_params = array();
+				foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'] as $_funcRef) {
+					GeneralUtility::callUserFunction($_funcRef, $_params, $this);
+				}
+			} else {
+				// If no hook is implemented, wait for 5 seconds
+				sleep(5);
+			}
+
 			$this->checkLogFailures($this->warningEmail, $this->warningPeriod, $this->warningMax);
 		}
 	}
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Feature-59231-AddHookToAbstractUserAuthenticationCheckAuthentication.rst b/typo3/sysext/core/Documentation/Changelog/master/Feature-59231-AddHookToAbstractUserAuthenticationCheckAuthentication.rst
new file mode 100644
index 000000000000..7e6839fc5738
--- /dev/null
+++ b/typo3/sysext/core/Documentation/Changelog/master/Feature-59231-AddHookToAbstractUserAuthenticationCheckAuthentication.rst
@@ -0,0 +1,16 @@
+============================================================================
+Feature: #59231 - Hook for AbstractUserAuthentication::checkAuthentication()
+============================================================================
+
+Description
+===========
+
+Hook to post-process login failures in ``AbstractUserAuthentication::checkAuthentication``.
+By default the process sleeps for five seconds in case of failing. Using this hook
+different solutions for brute force protection could be implemented.
+
+Register like this:
+
+.. code-block:: php
+
+	$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'][] = 'My\\Package\\HookClass->hookMethod';
\ No newline at end of file
-- 
2.20.1