
Check if host is denied before verifying password

leonelcamara committed May 4, 2016
1 parent 33c1144 commit 944d8bd8f3c5cf8ae296fc03d149056c65358426
Showing with 9 additions and 2 deletions.
  1. +3 −0 applications/admin/controllers/default.py
  2. +6 −2 applications/admin/models/access.py
@@ -121,6 +121,9 @@ def index():
send = URL('site')
if session.authorized:
redirect(send)
elif failed_login_count() >= allowed_number_of_attempts:
time.sleep(2 ** allowed_number_of_attempts)
raise HTTP(403)
elif request.vars.password:
if verify_password(request.vars.password[:1024]):
session.authorized = True
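Review bot: The new lockout branch `elif failed_login_count() >= allowed_number_of_attempts:` sleeps `2 ** allowed_number_of_attempts` seconds before raising the 403, and because it sits ahead of the `elif request.vars.password:` test it fires on every request from a denied host, plain GETs of the login form included, parking a worker thread each time. Since the branch already rejects before `verify_password` runs, the sleep adds no brute-force protection; it only makes starving the admin cheap for anyone able to get a host marked as denied. I would drop the delay and keep `raise HTTP(403)` alone, or at most use a small constant such as `time.sleep(1)`. The hunk does not show the controller's imports, so confirm `time` is imported here and that `failed_login_count` is in scope (it is defined in the models file of this commit, which web2py presumably executes before the controller). `index()` continues outside the hunk.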
@@ -104,13 +104,12 @@ def write_hosts_deny(denied_hosts):
portalocker.unlock(f)
f.close()


def login_record(success=True):
denied_hosts = read_hosts_deny()
val = (0, 0)
if success and request.client in denied_hosts:
del denied_hosts[request.client]
elif not success and not request.is_local:
elif not success:
val = denied_hosts.get(request.client, (0, 0))
if time.time() - val[1] < expiration_failed_logins \
and val[0] >= allowed_number_of_attempts:
@@ -121,6 +120,11 @@ def login_record(success=True):
write_hosts_deny(denied_hosts)
return val[0]

def failed_login_count():
denied_hosts = read_hosts_deny()
val = denied_hosts.get(request.client, (0, 0))
return val[0]


# ###########################################################
# ## session expiration
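Review bot: `failed_login_count` returns `val[0]` without applying the `expiration_failed_logins` window that `login_record` applies in the hunk above (`time.time() - val[1] < expiration_failed_logins`), so a host that once reached `allowed_number_of_attempts` is reported as locked indefinitely. Combined with the controller change in this commit, which raises 403 before `verify_password`, the only visible reset path — the `success` branch that deletes the entry — is unreachable for that host, so the ban never clears unless something outside these hunks prunes stale entries. I would mirror the window here: `if time.time() - val[1] >= expiration_failed_logins: return 0` placed before `return val[0]`. Both functions key on `request.client`; if that value is derived from a forwarded-for header (not visible here), the counter key is attacker-chosen, which would let a client both dodge the lockout and lock out other addresses — worth confirming. The remainder of `login_record` after the `val[0] >= allowed_number_of_attempts` test lies outside the hunk.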

1 comment on commit 944d8bd

@carnil



commented on 944d8bd Apr 10, 2017

This has been assigned CVE-2016-10321
