Improved loginErrorDelay to prevent timing attacks

This commit is contained in:
the-djmaze 2023-02-03 14:36:13 +01:00
parent c4df524a06
commit b859cd6aec
4 changed files with 9 additions and 13 deletions

View file

@ -281,7 +281,9 @@ fetch_new_messages = On
; Display message RFC 2822 date and time header, instead of the arrival internal date.
date_from_headers = On
allow_message_append = Off
login_fault_delay = 1
; When login fails, wait N seconds before responding
login_fault_delay = 5
log_ajax_response_write_limit = 300
allow_html_editor_biti_buttons = Off
allow_ctrl_enter_on_compose = On

View file

@ -890,19 +890,14 @@ class Actions
return $aResult;
}
protected function requestSleep(int $iDelay = 1): void
{
$time = \microtime(true) - $_SERVER['REQUEST_TIME_FLOAT'];
if ($iDelay > $time) {
\usleep(\intval(($iDelay - $time) * 1000000));
}
}
protected function loginErrorDelay(): void
{
$iDelay = (int)$this->oConfig->Get('labs', 'login_fault_delay', 0);
$iDelay = (int) $this->oConfig->Get('labs', 'login_fault_delay', 0);
if (0 < $iDelay) {
$this->requestSleep($iDelay);
$seconds = $iDelay - (\microtime(true) - $_SERVER['REQUEST_TIME_FLOAT']);
if (0 < $seconds) {
\usleep(\intval($seconds * 1000000));
}
}
}

View file

@ -128,7 +128,6 @@ trait Attachments
break;
}
// $this->requestSleep();
return $this->DefaultResponse($bError ? false : $mResult);
}

View file

@ -379,7 +379,7 @@ Enables caching in the system'),
'labs' => array(
'date_from_headers' => array(true, 'Display message RFC 2822 date and time header, instead of the arrival internal date.'),
'allow_message_append' => array(false),
'login_fault_delay' => array(1),
'login_fault_delay' => array(5, 'When login fails, wait N seconds before responding'),
'log_ajax_response_write_limit' => array(300),
'allow_html_editor_biti_buttons' => array(false),
'allow_ctrl_enter_on_compose' => array(true),