[BUGFIX] Send warning email for backend login failure on all DBMS
This patch fixes the SQL query retrieving the failed login attempts
which was broken due to a missing GROUP BY statement on PostgreSQL
and MySQL when using strict mode.

Additionally the performance has been improved by reversing the order
of query executions: The failed attempts are now only retrieved if more
than $max allowed failures have been recorded.

Resolves: #91649
Releases: master, 10.4, 9.5
Change-Id: I1778e74cd4fc820d7fd330794b61f068babb9206
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64899
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Helmut Hummel <typo3@helhum.io>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Xavier Perseguers <xavier@typo3.org>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
sgrossberndt authored and ervaude committed Jul 27, 2020
1 parent 55d9da5 commit 0ee1720
Showing 1 changed file with 7 additions and 6 deletions.
Expand Up @@ -2387,7 +2387,7 @@ public function checkLogFailures($email, $secondsBack = 3600, $max = 3)
}

$queryBuilder = $connectionPool->getQueryBuilderForTable('sys_log');
$result = $queryBuilder->select('*')
$rowCount = $queryBuilder->count('uid')
->from('sys_log')
->where(
$queryBuilder->expr()->eq(
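Review bot: at `$rowCount = $queryBuilder->count('uid')` the builder is no longer a one-shot query: the same `$queryBuilder`, with its `where()` constraints and named parameters, is executed again further down with `->select('*')`. A short comment here saying that the count and the later row fetch deliberately share one set of constraints would keep a future edit from adding a condition to only one of the two queries, which would let the threshold check and the rows passed to the warning email drift apart.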
Expand All @@ -2407,15 +2407,16 @@ public function checkLogFailures($email, $secondsBack = 3600, $max = 3)
$queryBuilder->createNamedParameter($theTimeBack, \PDO::PARAM_INT)
)
)
->orderBy('tstamp')
->execute();

$rowCount = $queryBuilder
->count('uid')
->execute()
->fetchColumn(0);

// Check for more than $max number of error failures with the last period.
if ($rowCount > $max) {
$result = $queryBuilder
->select('*')
->orderBy('tstamp')
->execute();

// OK, so there were more than the max allowed number of login failures - so we will send an email then.
$this->sendLoginAttemptEmail($result, $email);
// Login failure attempt written to log
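Review bot: in `if ($rowCount > $max)` the left-hand side is whatever `->fetchColumn(0)` returned, which the driver may hand back as a string (or `false` when nothing is fetched) rather than an integer. Cast the result once, for example by wrapping the count chain in `(int)`, so the threshold that decides whether the warning email is sent does not depend on PHP's loose comparison rules. The count and the `->select('*')` fetch are also two separate statements, so rows written to `sys_log` between them can make `$result` differ from `$rowCount`; that is harmless for a notification, but worth a one-line comment so nobody later relies on the two being equal.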