mirror of
https://github.com/the-djmaze/snappymail.git
synced 2026-07-08 22:18:28 +03:00
Improved loginErrorDelay to prevent timing attacks
This commit is contained in:
parent
c4df524a06
commit
b859cd6aec
4 changed files with 9 additions and 13 deletions
|
|
@ -281,7 +281,9 @@ fetch_new_messages = On
|
|||
; Display message RFC 2822 date and time header, instead of the arrival internal date.
|
||||
date_from_headers = On
|
||||
allow_message_append = Off
|
||||
login_fault_delay = 1
|
||||
|
||||
; When login fails, wait N seconds before responding
|
||||
login_fault_delay = 5
|
||||
log_ajax_response_write_limit = 300
|
||||
allow_html_editor_biti_buttons = Off
|
||||
allow_ctrl_enter_on_compose = On
|
||||
|
|
|
|||
|
|
@ -890,19 +890,14 @@ class Actions
|
|||
return $aResult;
|
||||
}
|
||||
|
||||
protected function requestSleep(int $iDelay = 1): void
|
||||
{
|
||||
$time = \microtime(true) - $_SERVER['REQUEST_TIME_FLOAT'];
|
||||
if ($iDelay > $time) {
|
||||
\usleep(\intval(($iDelay - $time) * 1000000));
|
||||
}
|
||||
}
|
||||
|
||||
protected function loginErrorDelay(): void
|
||||
{
|
||||
$iDelay = (int)$this->oConfig->Get('labs', 'login_fault_delay', 0);
|
||||
$iDelay = (int) $this->oConfig->Get('labs', 'login_fault_delay', 0);
|
||||
if (0 < $iDelay) {
|
||||
$this->requestSleep($iDelay);
|
||||
$seconds = $iDelay - (\microtime(true) - $_SERVER['REQUEST_TIME_FLOAT']);
|
||||
if (0 < $seconds) {
|
||||
\usleep(\intval($seconds * 1000000));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -128,7 +128,6 @@ trait Attachments
|
|||
break;
|
||||
}
|
||||
|
||||
// $this->requestSleep();
|
||||
return $this->DefaultResponse($bError ? false : $mResult);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -379,7 +379,7 @@ Enables caching in the system'),
|
|||
'labs' => array(
|
||||
'date_from_headers' => array(true, 'Display message RFC 2822 date and time header, instead of the arrival internal date.'),
|
||||
'allow_message_append' => array(false),
|
||||
'login_fault_delay' => array(1),
|
||||
'login_fault_delay' => array(5, 'When login fails, wait N seconds before responding'),
|
||||
'log_ajax_response_write_limit' => array(300),
|
||||
'allow_html_editor_biti_buttons' => array(false),
|
||||
'allow_ctrl_enter_on_compose' => array(true),
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue