Improved loginErrorDelay to prevent timing attacks

This commit is contained in:
the-djmaze 2023-02-03 14:36:13 +01:00
parent c4df524a06
commit b859cd6aec
4 changed files with 9 additions and 13 deletions

View file

@ -281,7 +281,9 @@ fetch_new_messages = On
; Display message RFC 2822 date and time header, instead of the arrival internal date. ; Display message RFC 2822 date and time header, instead of the arrival internal date.
date_from_headers = On date_from_headers = On
allow_message_append = Off allow_message_append = Off
login_fault_delay = 1
; When login fails, wait N seconds before responding
login_fault_delay = 5
log_ajax_response_write_limit = 300 log_ajax_response_write_limit = 300
allow_html_editor_biti_buttons = Off allow_html_editor_biti_buttons = Off
allow_ctrl_enter_on_compose = On allow_ctrl_enter_on_compose = On

View file

@ -890,19 +890,14 @@ class Actions
return $aResult; return $aResult;
} }
protected function requestSleep(int $iDelay = 1): void
{
$time = \microtime(true) - $_SERVER['REQUEST_TIME_FLOAT'];
if ($iDelay > $time) {
\usleep(\intval(($iDelay - $time) * 1000000));
}
}
protected function loginErrorDelay(): void protected function loginErrorDelay(): void
{ {
$iDelay = (int) $this->oConfig->Get('labs', 'login_fault_delay', 0); $iDelay = (int) $this->oConfig->Get('labs', 'login_fault_delay', 0);
if (0 < $iDelay) { if (0 < $iDelay) {
$this->requestSleep($iDelay); $seconds = $iDelay - (\microtime(true) - $_SERVER['REQUEST_TIME_FLOAT']);
if (0 < $seconds) {
\usleep(\intval($seconds * 1000000));
}
} }
} }

View file

@ -128,7 +128,6 @@ trait Attachments
break; break;
} }
// $this->requestSleep();
return $this->DefaultResponse($bError ? false : $mResult); return $this->DefaultResponse($bError ? false : $mResult);
} }

View file

@ -379,7 +379,7 @@ Enables caching in the system'),
'labs' => array( 'labs' => array(
'date_from_headers' => array(true, 'Display message RFC 2822 date and time header, instead of the arrival internal date.'), 'date_from_headers' => array(true, 'Display message RFC 2822 date and time header, instead of the arrival internal date.'),
'allow_message_append' => array(false), 'allow_message_append' => array(false),
'login_fault_delay' => array(1), 'login_fault_delay' => array(5, 'When login fails, wait N seconds before responding'),
'log_ajax_response_write_limit' => array(300), 'log_ajax_response_write_limit' => array(300),
'allow_html_editor_biti_buttons' => array(false), 'allow_html_editor_biti_buttons' => array(false),
'allow_ctrl_enter_on_compose' => array(true), 'allow_ctrl_enter_on_compose' => array(true),