[SECURITY] Add hook to implement login protection methods

Currently only the backend login is protected with an implement sleep time after login failure. This patch adds a new hook which can be used to implement a protection functionality (e.g. for detecting brute force) and moves the sleep time as default protection in the abstract user authentication class. Resolves: #59231 Releases: master, 6.2 Security-Bulletin: TYPO3-CORE-SA-2015-006 Change-Id: Idd105d07e016dbbb901c04ae6e1ff4f46b92ac49 Reviewed-on: http://review.typo3.org/40823 Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org> Tested-by: Helmut Hummel <helmut.hummel@typo3.org> Reviewed-by: Benjamin Mack <benni@typo3.org> Tested-by: Benjamin Mack <benni@typo3.org>
TYPO3 · Jul 1, 2015 · 0f3fb37 · 0f3fb37
1 parent 2973b57
commit 0f3fb37
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 3 deletions.
diff --git a/typo3/sysext/backend/Classes/Controller/LoginController.php b/typo3/sysext/backend/Classes/Controller/LoginController.php
@@ -415,9 +415,6 @@ public function checkRedirect() {
 					}
 				');
 			}
-		} elseif (empty($GLOBALS['BE_USER']->user['uid']) && $this->isLoginInProgress()) {
-			// Wrong password, wait for 5 seconds
-			sleep(5);
 		}
 	}
 

diff --git a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
@@ -857,6 +857,21 @@ public function checkAuthentication() {
 			if ($this->writeDevLog) {
 				GeneralUtility::devLog('Call checkLogFailures: ' . GeneralUtility::arrayToLogString(array('warningEmail' => $this->warningEmail, 'warningPeriod' => $this->warningPeriod, 'warningMax' => $this->warningMax)), 'TYPO3\\CMS\\Core\\Authentication\\AbstractUserAuthentication', -1);
 			}
+
+			// Hook to implement login failure tracking methods
+			if (
+				!empty($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'])
+				&& is_array($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'])
+			) {
+				$_params = array();
+				foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'] as $_funcRef) {
+					GeneralUtility::callUserFunction($_funcRef, $_params, $this);
+				}
+			} else {
+				// If no hook is implemented, wait for 5 seconds
+				sleep(5);
+			}
+
 			$this->checkLogFailures($this->warningEmail, $this->warningPeriod, $this->warningMax);
 		}
 	}