From 3a22249edaae6a1cd6cc66d0d57a2aac46c5c658 Mon Sep 17 00:00:00 2001
From: Nicole Cordes
Date: Wed, 17 Jun 2015 15:39:41 +0200
Subject: [PATCH 1/1] [SECURITY] Add hook to implement login protection methods

Currently only the backend login is protected with an implement sleep time after login failure. This patch adds a new hook which can be used to implement a protection functionality (e.g. for detecting brute force) and moves the sleep time as default protection in the abstract user authentication class.

Resolves: #59231
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-006
Change-Id: I1fd1ebdc32ce7797651b5ead284dcff1eb511b94
Reviewed-on: http://review.typo3.org/40809
Reviewed-by: Benjamin Mack
Tested-by: Benjamin Mack
---
 .../Classes/Controller/LoginController.php | 16 ++++++----------
 .../AbstractUserAuthentication.php | 15 +++++++++++++++
 ...ractUserAuthenticationCheckAuthentication.rst | 16 ++++++++++++++++
 3 files changed, 37 insertions(+), 10 deletions(-)
 create mode 100644 typo3/sysext/core/Documentation/Changelog/master/Feature-59231-AddHookToAbstractUserAuthenticationCheckAuthentication.rst

diff --git a/typo3/sysext/backend/Classes/Controller/LoginController.php b/typo3/sysext/backend/Classes/Controller/LoginController.php
index fd8881d71197..afa4cd41f4ec 100644
--- a/typo3/sysext/backend/Classes/Controller/LoginController.php
+++ b/typo3/sysext/backend/Classes/Controller/LoginController.php
@@ -237,17 +237,13 @@ class LoginController {
 * @throws \UnexpectedValueException
 */
 protected function checkRedirect() {
- if (empty($this->getBackendUserAuthentication()->user['uid'])) {
- // a) if either the login is just done (isLoginInProgress) or
- if ($this->isLoginInProgress()) {
- // Wrong password, wait for 5 seconds
- sleep(5);
- return;
- // b) a loginRefresh is done
- } elseif (!$this->loginRefresh) {
- return;
- }
+ if (
+ empty($this->getBackendUserAuthentication()->user['uid'])
+ && ($this->isLoginInProgress() || !$this->loginRefresh)
+ ) {
+ return;
 }
+
 /*
 * If no cookie has been set previously, we tell people that this is a problem.
 * This assumes that a cookie-setting script (like this one) has been hit at
diff --git a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
index 300c0eb53cc6..6030d5e9d136 100644
--- a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
+++ b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
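Review bot: The rewritten guard in checkRedirect() drops the two explanatory comments (a: a login attempt was just made, b: this is not a login refresh) together with the sleep, so a reader of the controller can no longer tell why a missing uid returns early, nor that the failure delay has been moved out of this class rather than removed. I would keep one comment above the new `if (`, e.g. `// Not logged in: either a login attempt just failed (the failure delay now lives in AbstractUserAuthentication::checkAuthentication) or this is not a login refresh; in both cases there is nothing to redirect to.` As far as the hunk shows, the combined condition is equivalent to the removed branches minus the sleep. checkRedirect() continues past the end of this hunk.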
@@ -787,6 +787,21 @@ abstract class AbstractUserAuthentication {
 if ($this->writeDevLog) {
 GeneralUtility::devLog('Call checkLogFailures: ' . GeneralUtility::arrayToLogString(array('warningEmail' => $this->warningEmail, 'warningPeriod' => $this->warningPeriod, 'warningMax' => $this->warningMax)), \TYPO3\CMS\Core\Authentication\AbstractUserAuthentication::class, -1);
 }
+
+ // Hook to implement login failure tracking methods
+ if (
+ !empty($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'])
+ && is_array($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'])
+ ) {
+ $_params = array();
+ foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'] as $_funcRef) {
+ GeneralUtility::callUserFunction($_funcRef, $_params, $this);
+ }
+ } else {
+ // If no hook is implemented, wait for 5 seconds
+ sleep(5);
+ }
+
 $this->checkLogFailures($this->warningEmail, $this->warningPeriod, $this->warningMax);
 }
 }
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Feature-59231-AddHookToAbstractUserAuthenticationCheckAuthentication.rst b/typo3/sysext/core/Documentation/Changelog/master/Feature-59231-AddHookToAbstractUserAuthenticationCheckAuthentication.rst
new file mode 100644
index 000000000000..7e6839fc5738
--- /dev/null
+++ b/typo3/sysext/core/Documentation/Changelog/master/Feature-59231-AddHookToAbstractUserAuthenticationCheckAuthentication.rst
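Review bot: Registering any `postLoginFailureProcessing` hook silently disables the five-second delay, because the `sleep(5)` sits in the `else` branch of the hook check: a hook that merely logs or mails on failure removes the only brute-force mitigation the core ships, and neither the code comment nor the new changelog entry says so. I would fail closed instead — seed `$_params` with an opt-out flag, run the hooks when registered, and keep the delay unless a hook cleared the flag (this relies on callUserFunction passing `$_params` by reference, which I believe it does but is not visible here); at minimum the comment should read `// Hook to implement login failure tracking; NOTE: registering a hook replaces the default sleep(5), so hooks must provide their own delay or lockout`. The empty `$_params = array()` also hands hooks nothing about the failed attempt — if the submitted login data and the client address are only locals of checkAuthentication, a rate limiter has no key to count on unless it re-reads the request itself, so passing them in `$_params` would make the hook usable for its stated purpose. checkAuthentication() starts before and ends after this hunk.
```php
$_params = array('applyDefaultDelay' => TRUE);
// … unchanged: guard on ['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'] and the foreach calling GeneralUtility::callUserFunction($_funcRef, $_params, $this) …
// Fail closed: keep the fixed delay unless a hook explicitly took over the protection
if (!empty($_params['applyDefaultDelay'])) {
	sleep(5);
}
```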
@@ -0,0 +1,16 @@
+============================================================================
+Feature: #59231 - Hook for AbstractUserAuthentication::checkAuthentication()
+============================================================================
+
+Description
+===========
+
+Hook to post-process login failures in ``AbstractUserAuthentication::checkAuthentication``.
+By default the process sleeps for five seconds in case of failing. Using this hook
+different solutions for brute force protection could be implemented.
+
+Register like this:
+
+.. code-block:: php
+
+ $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'][] = 'My\\Package\\HookClass->hookMethod';
\ No newline at end of file
-- 
2.20.1