Commit 51c4d530 authored by Melissa Draper's avatar Melissa Draper Committed by Francois Marier

Add a lock for accounts after 5 tries (bug #843561)



To deter brute-forcing of passwords (and prevent ensuing DoS attacks),
this patch temporarily locks accounts after 5 tries, and every 5 minutes
counts above 0 get reset.

Change-Id: Iee9739a69b95b906b6f485f7d90041b50968dcc6
Signed-off-by: default avatarMelissa Draper <melissa@catalyst.net.nz>
parent 01488dfa
......@@ -1647,6 +1647,10 @@ function reset_password($user, $resetpasswordchange=true) {
}
}
function user_login_tries_to_zero() {
execute_sql('UPDATE {usr} SET logintries = 0 WHERE logintries > 0');
}
class PluginAuth extends Plugin {
public static function get_event_subscriptions() {
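Review bot: `user_login_tries_to_zero` has no docblock, and nothing at the definition says it is a cron callback or that it clears the counter for every account at once, so a reader cannot tell why it exists or why it takes no user id. A header such as `/** Cron callback: clears the failed-login counter on every account, so a lock lasts at most one cron interval (the job is scheduled every 5 minutes elsewhere in this commit). */` would make that explicit. Because the reset is global rather than per account, the effective lock time for any user is somewhere between zero and one cron interval, which the user-facing string added in this commit describes as "up to 5 minutes".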
......@@ -26,6 +26,7 @@
*/
defined('INTERNAL') || die();
define('MAXLOGINTRIES', 5);
$put = array();
......@@ -1124,6 +1125,12 @@ class LiveUser extends User {
throw new AuthUnknownUserException("\"$username\" is not known");
}
if (isset($user->logintries) && $user->logintries >= MAXLOGINTRIES) {
global $SESSION;
$SESSION->add_error_msg(get_string('toomanytries', 'auth'));
return false;
}
$siteclosedforupgrade = get_config('siteclosed');
if ($siteclosedforupgrade && get_config('disablelogin')) {
global $SESSION;
......@@ -1183,6 +1190,16 @@ class LiveUser extends User {
$SESSION->add_info_msg(clean_html($auth->authloginmsg), false);
}
if (empty($user->logintries)) {
$user->logintries = 0;
}
if ($user->logintries < MAXLOGINTRIES) {
$record =get_record('usr', 'id', $user->id, null, null, null, null, 'id, logintries');
$record->logintries = ($user->logintries + 1);
update_record('usr', $record, false);
}
return false;
}
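Review bot: The counter update at `$record =get_record(...)` / `$record->logintries = ($user->logintries + 1)` / `update_record(...)` is a read-modify-write using the value loaded into `$user` earlier in the request, so two failed attempts handled concurrently can both write the same number and the lock arms later than intended, which matters most under exactly the brute-force load this change targets. A single atomic statement avoids that and makes the `empty()` normalisation unnecessary for the write: `execute_sql('UPDATE {usr} SET logintries = logintries + 1 WHERE id = ? AND logintries < ?', array($user->id, MAXLOGINTRIES));`, and the spacing slip `$record =get_record` should become `$record = get_record`. Neither hunk resets `logintries` to 0 on a successful login; if that is deliberately left to the cron job, a sentence saying so next to the `MAXLOGINTRIES` definition would help, since a user who fails four times and then succeeds still carries the count until the next reset. The enclosing method starts before the first hunk; its `return false` and closing brace end this one.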
......@@ -72,6 +72,7 @@ $string['errnoxmlrpcuser'] = "We were unable to authenticate you at this ti
* Your SSO session might have expired. Go back to the other application and click the link to sign into Mahara again.
* You may not be allowed to SSO to Mahara. Please check with your administrator if you think you should be allowed to.";
$string['toomanytries'] = 'You have exceeded the maximum login attempts. The account has been locked for up to 5 minutes.';
$string['unabletosigninviasso'] = 'Unable to sign in via SSO';
$string['xmlrpccouldnotlogyouin'] = 'Sorry, could not log you in :(';
$string['xmlrpccouldnotlogyouindetail'] = 'Sorry, we could not log you into Mahara at this time. Please try again shortly, and if the problem persists, contact your administrator';
......@@ -140,6 +140,7 @@
<FIELD NAME="authinstance" TYPE="int" LENGTH="10" NOTNULL="true" DEFAULT="1" />
<FIELD NAME="ctime" TYPE="datetime" NOTNULL="false" />
<FIELD NAME="showhomeinfo" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="1" />
<FIELD NAME="logintries" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="0" />
</FIELDS>
<KEYS>
<KEY NAME="primary" TYPE="primary" FIELDS="id" />
......@@ -2758,5 +2758,22 @@ function xmldb_core_upgrade($oldversion=0) {
set_field('blocktype_installed', 'artefactplugin', 'blog', 'name', 'taggedposts');
}
if ($oldversion < 2011102700) {
$table = new XMLDBTable('usr');
$field = new XMLDBField('logintries');
$field->setAttributes(XMLDB_TYPE_INTEGER, '1', null, XMLDB_NOTNULL, null, null, null, 0);
add_field($table, $field);
// Every 5 minutes, reset everyone's login attempts to 0
$cron = new StdClass;
$cron->callfunction = 'user_login_tries_to_zero';
$cron->minute = '*/5';
$cron->hour = '*';
$cron->day = '*';
$cron->month = '*';
$cron->dayofweek = '*';
insert_record('cron', $cron);
}
return $status;
}
......@@ -848,6 +848,7 @@ function core_install_firstcoredata_defaults() {
'cron_clean_internal_activity_notifications'=> array(45, 22, '*', '*', '*'),
'cron_sitemap_daily' => array(0, 1, '*', '*', '*'),
'file_cleanup_old_cached_files' => array(0, 1, '*', '*', '*'),
'user_login_tries_to_zero' => array('*/5', '*', '*', '*', '*'),
);
foreach ($cronjobs as $callfunction => $times) {
$cron = new StdClass;
......@@ -28,7 +28,7 @@
defined('INTERNAL') || die();
$config = new StdClass;
$config->version = 2011092600;
$config->version = 2011102700;
$config->release = '1.5.0dev';
$config->minupgradefrom = 2008040200;
$config->minupgraderelease = '1.0.0 (release tag 1.0.0_RELEASE)';