[SECURITY] Prevent time based information disclosure

To prevent a time based information disclosure in backend password reset, this patch adds a random delay between 200 milliseconds and 3 seconds before sending the response to the client. Resolves: #91243 Releases: master Change-Id: I0362db283145e0bed414ecdb06fff81b2cff0d4b Security-Bulletin: TYPO3-CORE-SA-2020-001 Security-References: CVE-2020-11063 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64466 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · May 12, 2020 · 14929b9 · 14929b9
1 parent dcac1c7
commit 14929b9
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/typo3/sysext/backend/Classes/Controller/LoginController.php b/typo3/sysext/backend/Classes/Controller/LoginController.php
@@ -211,6 +211,11 @@ public function initiatePasswordResetAction(ServerRequestInterface $request): Re
             $this->view->assign('resetInitiated', true);
         }
         $this->moduleTemplate->setContent($this->view->render());
+        // Prevent time based information disclosure by waiting a random time
+        // before sending a response. This prevents that the reponse time
+        // can be an indicator if the used email exists or not.
+        // wait a random time between 200 milliseconds and 3 seconds.
+        usleep(random_int(200000, 3000000));
         return new HtmlResponse($this->moduleTemplate->renderContent());
     }