fix: [security] brutefoce protection rules tightened
- as reported by Dawid Czarnecki
iglocska committed Feb 8, 2020
1 parent 3bd30e8 commit c1a0b3b
Showing 1 changed file with 7 additions and 4 deletions.
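--- a/app/Model/Bruteforce.php
+++ b/app/Model/Bruteforce.php
@@ -49,11 +49,14 @@ public function isBlacklisted($ip, $username)
 // first remove old expired rows
 $this->clean();
 // count
-$params = array('conditions' => array(
-'Bruteforce.ip' => $ip,
-'Bruteforce.username' => $username),);
+$params = array(
+'conditions' => array(
+'Bruteforce.ip' => $ip,
+'LOWER(Bruteforce.username)' => trim(strtolower($username)))
+);
 $count = $this->find('count', $params);
-if ($count >= Configure::read('SecureAuth.amount')) {
+$amount = Configure::check('SecureAuth.amount') ? Configure::read('SecureAuth.amount') : 5;
+if ($count >= $amount) {
 return true;
 } else {
 return false;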
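Review bot: The threshold read on the new `$amount` line is not cast, so a value that arrives from configuration as a string is compared loosely on the following `if` line; pinning it as an integer keeps the lockout decision predictable, `$amount = (int) (Configure::check('SecureAuth.amount') ? Configure::read('SecureAuth.amount') : 5);`, and the surrounding `if`/`else` that returns two boolean literals collapses to `return $count >= $amount;`. The normalisation in the new `LOWER(Bruteforce.username)` condition uses the byte-wise `strtolower()` on the PHP side while the database applies its own collation rules to the column, so the two may disagree on non-ASCII usernames; `mb_strtolower()` is the closer match, and a short comment on that line explaining why the username is folded here, e.g. `// match case-insensitively so attempts against one account are counted together`, would help the next reader. The `isBlacklisted` body begins above the hunk and continues below it.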
