Commit 51c4d530 authored by Melissa Draper's avatar Melissa Draper Committed by Francois Marier

Add a lock for accounts after 5 tries (bug #843561)



To deter brute-forcing of passwords (and prevent ensuing DoS attacks),
this patch temporarily locks accounts after 5 tries, and every 5 minutes
counts above 0 are reset.

Change-Id: Iee9739a69b95b906b6f485f7d90041b50968dcc6
Signed-off-by: default avatarMelissa Draper <melissa@catalyst.net.nz>
parent 01488dfa
...@@ -1647,6 +1647,10 @@ function reset_password($user, $resetpasswordchange=true) { ...@@ -1647,6 +1647,10 @@ function reset_password($user, $resetpasswordchange=true) {
} }
} }
function user_login_tries_to_zero() {
execute_sql('UPDATE {usr} SET logintries = 0 WHERE logintries > 0');
}
class PluginAuth extends Plugin { class PluginAuth extends Plugin {
public static function get_event_subscriptions() { public static function get_event_subscriptions() {
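Review bot: `user_login_tries_to_zero()` has no doc comment although it is wired up as a cron callback in the install defaults and the upgrade step, so a reader of this file cannot tell from the function itself that it is meant to run every 5 minutes or that it clears the counter for every account at once rather than unlocking one account. Add above it `/** Cron callback (scheduled every 5 minutes): clears the failed-login counter of every account, so a lock reached via MAXLOGINTRIES lasts until the next run. */`. Since the reset is global, the effective lock is anywhere between 0 and 5 minutes; worth stating in the comment so the wording of the user-facing 'toomanytries' string ("up to 5 minutes") and the code stay in agreement.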
...@@ -26,6 +26,7 @@ ...@@ -26,6 +26,7 @@
*/ */
defined('INTERNAL') || die(); defined('INTERNAL') || die();
define('MAXLOGINTRIES', 5);
$put = array(); $put = array();
...@@ -1124,6 +1125,12 @@ class LiveUser extends User { ...@@ -1124,6 +1125,12 @@ class LiveUser extends User {
throw new AuthUnknownUserException("\"$username\" is not known"); throw new AuthUnknownUserException("\"$username\" is not known");
} }
if (isset($user->logintries) && $user->logintries >= MAXLOGINTRIES) {
global $SESSION;
$SESSION->add_error_msg(get_string('toomanytries', 'auth'));
return false;
}
$siteclosedforupgrade = get_config('siteclosed'); $siteclosedforupgrade = get_config('siteclosed');
if ($siteclosedforupgrade && get_config('disablelogin')) { if ($siteclosedforupgrade && get_config('disablelogin')) {
global $SESSION; global $SESSION;
...@@ -1183,6 +1190,16 @@ class LiveUser extends User { ...@@ -1183,6 +1190,16 @@ class LiveUser extends User {
$SESSION->add_info_msg(clean_html($auth->authloginmsg), false); $SESSION->add_info_msg(clean_html($auth->authloginmsg), false);
} }
if (empty($user->logintries)) {
$user->logintries = 0;
}
if ($user->logintries < MAXLOGINTRIES) {
$record =get_record('usr', 'id', $user->id, null, null, null, null, 'id, logintries');
$record->logintries = ($user->logintries + 1);
update_record('usr', $record, false);
}
return false; return false;
} }
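Review bot: The failure-path increment (`$record =get_record('usr', 'id', $user->id, ...)` followed by `$record->logintries = ($user->logintries + 1)`) is a non-atomic read-modify-write, and it writes back the value loaded at the start of the login rather than the one just fetched, so concurrent failed attempts against the same account can collapse into a single increment and the lock in the earlier hunk is reached later than MAXLOGINTRIES failures. A single atomic statement, `execute_sql('UPDATE {usr} SET logintries = logintries + 1 WHERE id = ? AND logintries < ?', array($user->id, MAXLOGINTRIES));` (the same helper the commit uses for the reset, assuming it takes bound values like the other dml helpers), removes the race and makes the get_record round-trip and the preceding `empty($user->logintries)` guard unnecessary. The success path of this login method is not in the hunk; if it does not clear logintries, a user who fails four times and then succeeds stays one attempt from lockout until the next cron run, which is presumably intended but deserves a comment. The enclosing method starts before this hunk.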
...@@ -72,6 +72,7 @@ $string['errnoxmlrpcuser'] = "We were unable to authenticate you at this ti ...@@ -72,6 +72,7 @@ $string['errnoxmlrpcuser'] = "We were unable to authenticate you at this ti
* Your SSO session might have expired. Go back to the other application and click the link to sign into Mahara again. * Your SSO session might have expired. Go back to the other application and click the link to sign into Mahara again.
* You may not be allowed to SSO to Mahara. Please check with your administrator if you think you should be allowed to."; * You may not be allowed to SSO to Mahara. Please check with your administrator if you think you should be allowed to.";
$string['toomanytries'] = 'You have exceeded the maximum login attempts. The account has been locked for up to 5 minutes.';
$string['unabletosigninviasso'] = 'Unable to sign in via SSO'; $string['unabletosigninviasso'] = 'Unable to sign in via SSO';
$string['xmlrpccouldnotlogyouin'] = 'Sorry, could not log you in :('; $string['xmlrpccouldnotlogyouin'] = 'Sorry, could not log you in :(';
$string['xmlrpccouldnotlogyouindetail'] = 'Sorry, we could not log you into Mahara at this time. Please try again shortly, and if the problem persists, contact your administrator'; $string['xmlrpccouldnotlogyouindetail'] = 'Sorry, we could not log you into Mahara at this time. Please try again shortly, and if the problem persists, contact your administrator';
...@@ -140,6 +140,7 @@ ...@@ -140,6 +140,7 @@
<FIELD NAME="authinstance" TYPE="int" LENGTH="10" NOTNULL="true" DEFAULT="1" /> <FIELD NAME="authinstance" TYPE="int" LENGTH="10" NOTNULL="true" DEFAULT="1" />
<FIELD NAME="ctime" TYPE="datetime" NOTNULL="false" /> <FIELD NAME="ctime" TYPE="datetime" NOTNULL="false" />
<FIELD NAME="showhomeinfo" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="1" /> <FIELD NAME="showhomeinfo" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="1" />
<FIELD NAME="logintries" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="0" />
</FIELDS> </FIELDS>
<KEYS> <KEYS>
<KEY NAME="primary" TYPE="primary" FIELDS="id" /> <KEY NAME="primary" TYPE="primary" FIELDS="id" />
...@@ -2758,5 +2758,22 @@ function xmldb_core_upgrade($oldversion=0) { ...@@ -2758,5 +2758,22 @@ function xmldb_core_upgrade($oldversion=0) {
set_field('blocktype_installed', 'artefactplugin', 'blog', 'name', 'taggedposts'); set_field('blocktype_installed', 'artefactplugin', 'blog', 'name', 'taggedposts');
} }
if ($oldversion < 2011102700) {
$table = new XMLDBTable('usr');
$field = new XMLDBField('logintries');
$field->setAttributes(XMLDB_TYPE_INTEGER, '1', null, XMLDB_NOTNULL, null, null, null, 0);
add_field($table, $field);
// Every 5 minutes, reset everyone's login attempts to 0
$cron = new StdClass;
$cron->callfunction = 'user_login_tries_to_zero';
$cron->minute = '*/5';
$cron->hour = '*';
$cron->day = '*';
$cron->month = '*';
$cron->dayofweek = '*';
insert_record('cron', $cron);
}
return $status; return $status;
} }
...@@ -848,6 +848,7 @@ function core_install_firstcoredata_defaults() { ...@@ -848,6 +848,7 @@ function core_install_firstcoredata_defaults() {
'cron_clean_internal_activity_notifications'=> array(45, 22, '*', '*', '*'), 'cron_clean_internal_activity_notifications'=> array(45, 22, '*', '*', '*'),
'cron_sitemap_daily' => array(0, 1, '*', '*', '*'), 'cron_sitemap_daily' => array(0, 1, '*', '*', '*'),
'file_cleanup_old_cached_files' => array(0, 1, '*', '*', '*'), 'file_cleanup_old_cached_files' => array(0, 1, '*', '*', '*'),
'user_login_tries_to_zero' => array('*/5', '*', '*', '*', '*'),
); );
foreach ($cronjobs as $callfunction => $times) { foreach ($cronjobs as $callfunction => $times) {
$cron = new StdClass; $cron = new StdClass;
...@@ -28,7 +28,7 @@ ...@@ -28,7 +28,7 @@
defined('INTERNAL') || die(); defined('INTERNAL') || die();
$config = new StdClass; $config = new StdClass;
$config->version = 2011092600; $config->version = 2011102700;
$config->release = '1.5.0dev'; $config->release = '1.5.0dev';
$config->minupgradefrom = 2008040200; $config->minupgradefrom = 2008040200;
$config->minupgraderelease = '1.0.0 (release tag 1.0.0_RELEASE)'; $config->minupgraderelease = '1.0.0 (release tag 1.0.0_RELEASE)';