Fixed issue #19228: Setting Bruteforce timeout values to empty string…
… causes the administrator to be locked out (#3617)
Shnoulle committed Nov 23, 2023
1 parent 3f5781b commit e4f78cc
Showing 2 changed files with 25 additions and 16 deletions.
13 changes: 9 additions & 4 deletions application/models/FailedLoginAttempt.php
Expand Up @@ -91,16 +91,20 @@ public function isLockedOut(string $attemptType): bool

switch ($attemptType) {
case FailedLoginAttempt::TYPE_LOGIN:
$timeOut = Yii::app()->getConfig('timeOutTime');
$maxLoginAttempt = Yii::app()->getConfig('maxLoginAttempt');
$timeOut = intval(App()->getConfig('timeOutTime'));
$maxLoginAttempt = intval(App()->getConfig('maxLoginAttempt'));
break;
case FailedLoginAttempt::TYPE_TOKEN:
$timeOut = Yii::app()->getConfig('timeOutParticipants');
$maxLoginAttempt = Yii::app()->getConfig('maxLoginAttemptParticipants');
$timeOut = intval(App()->getConfig('timeOutParticipants'));
$maxLoginAttempt = intval(App()->getConfig('maxLoginAttemptParticipants'));
break;
default:
throw new InvalidArgumentException(sprintf("Invalid attempt type: %s", $attemptType));
}
// Return false if disable
if ($maxLoginAttempt <= 0) {
return false;
}

if (Yii::app()->getConfig('DBVersion') <= 480) {
$criteria = new CDbCriteria();
Expand All @@ -124,6 +128,7 @@ public function isLockedOut(string $attemptType): bool
if ($row != null) {
$lastattempt = strtotime($row->last_attempt);
if (time() > $lastattempt + $timeOut) {
// always true if $timeOut = 0
$this->deleteAttempts($attemptType);
} else {
$isLockedOut = true;
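Review bot: The expiry test `if (time() > $lastattempt + $timeOut)` above the added comment is not "always true if $timeOut = 0": when the stored `last_attempt` falls in the same second as the current request the strict `>` is false, the attempts are not deleted, and `$isLockedOut` becomes true even though a timeout of 0 is documented in the view as "disabled". Making the disabled case explicit while keeping the existing delete-on-check behaviour avoids that timing dependence, e.g. `if ($timeOut <= 0 || time() > $lastattempt + $timeOut) {` with the comment reworded to `// a timeout of 0 means disabled: attempts are cleared on every check`. In the first hunk, `intval()` now maps any non-numeric configured value (a typo in a config file, for instance) to 0, which the new `$maxLoginAttempt <= 0` guard turns into a silent fail-open of the lockout; that is presumably intended for empty values, but a non-numeric value may deserve a log entry or a rejection when the setting is saved. isLockedOut continues beyond the end of this hunk.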
28 changes: 16 additions & 12 deletions application/views/admin/globalsettings/_security.php
Expand Up @@ -127,27 +127,29 @@ class='text-warning'><?php eT("If you disable this option : user with XSS restri
</label>
<textarea class="form-control" id='loginIpWhitelist'
name='loginIpWhitelist'><?php echo htmlspecialchars(Yii::app()->getConfig('loginIpWhitelist')); ?></textarea>
<span
class='hint'><?php eT("List of IP addresses to exclude from the maximum login attempts check. Separate each IP address with a comma or a new line."); ?></span>
<p
class='help-block'><?php eT("List of IP addresses to exclude from the maximum login attempts check. Separate each IP address with a comma or a new line."); ?></p>
</div>

<div class="form-group">
<label class="control-label" for='maxLoginAttempt'>
<?php eT("Maximum number of attempts:"); ?>
</label>
<div class="">
<input class="form-control" type="number" min="0" name="maxLoginAttempt"
value="<?= Yii::app()->getConfig('maxLoginAttempt') ?>"/>
<input class="form-control" type="number" min="1" step="1" pattern="^\d*$" name="maxLoginAttempt" placeholder="<?= gT("Disabled") ?>"
value="<?= App()->getConfig('maxLoginAttempt') !== "" ? intval(App()->getConfig('maxLoginAttempt')) : "" ?>"/>
<p class="help-block"><?= gT("Set an empty value to disable brute force protection. Number of attempts are never checked.") ?></p>
</div>
</div>
<div class="form-group">
<label class="control-label" for='timeOutTime'>
<?php eT("Lockout time in seconds (after maximum number of attempts):"); ?>
</label>
<div class="">
<input class="form-control" type="number" min="0" name="timeOutTime"
value="<?= Yii::app()->getConfig('timeOutTime') ?>"/>
<input class="form-control" type="number" min="0" step="1" pattern="^\d*$" name="timeOutTime" placeholder="<?= gT("Disabled") ?>"
value="<?= App()->getConfig('timeOutTime') !== "" ? intval(App()->getConfig('timeOutTime')) : "" ?>"/>
</div>
<p class="help-block"><?= gT("Set an empty value or 0 to disable brute force protection. Number of attempts are deleted each time.") ?></p>
</div>

</div>
Expand All @@ -161,26 +163,28 @@ class='hint'><?php eT("List of IP addresses to exclude from the maximum login at
</label>
<textarea class="form-control" id='tokenIpWhitelist'
name='tokenIpWhitelist'><?php echo htmlspecialchars(Yii::app()->getConfig('tokenIpWhitelist')); ?></textarea>
<span
class='hint'><?php eT("List of IP addresses to exclude from the maximum token validation attempts check. Separate each IP address with a comma or a new line."); ?></span>
<p
class='help-block'><?php eT("List of IP addresses to exclude from the maximum token validation attempts check. Separate each IP address with a comma or a new line."); ?></p>
</div>

<div class="form-group">
<label class="control-label" for='maxLoginAttemptParticipants'>
<?php eT("Maximum number of attempts:"); ?>
</label>
<div class="">
<input class="form-control" type="number" min="0" name="maxLoginAttemptParticipants"
value="<?= Yii::app()->getConfig('maxLoginAttemptParticipants') ?>"/>
<input class="form-control" type="number" min="1" step="1" pattern="^\d*$" name="maxLoginAttemptParticipants" placeholder="<?= gT("Disabled") ?>"
value="<?= App()->getConfig('maxLoginAttemptParticipants') !== "" ? intval(App()->getConfig('maxLoginAttemptParticipants')) : "" ?>"/>
<p class="help-block"><?= gT("Set an empty value to disable brute force protection. Number of attempts are never checked.") ?></p>
</div>
</div>
<div class="form-group">
<label class="control-label" for='timeOutParticipants'>
<?php eT("Lockout time in seconds (after maximum number of attempts):"); ?>
</label>
<div class="">
<input class="form-control" type="number" min="0" name="timeOutParticipants"
value="<?= Yii::app()->getConfig('timeOutParticipants') ?>"/>
<input class="form-control" type="number" min="0" step="1" pattern="^\d*$" name="timeOutParticipants" placeholder="<?= gT("Disabled") ?>"
value="<?= App()->getConfig('timeOutParticipants') !== "" ? intval(App()->getConfig('timeOutParticipants')) : "" ?>"/>
<p class="help-block"><?= gT("Set an empty value or 0 to disable brute force protection. Number of attempts are deleted each time.") ?></p>
</div>
</div>
