Check if host is denied before verifying password
leonelcamara committed May 4, 2016
1 parent 33c1144 commit 944d8bd
Showing 2 changed files with 9 additions and 2 deletions.
3 changes: 3 additions & 0 deletions applications/admin/controllers/default.py
Expand Up @@ -121,6 +121,9 @@ def index():
send = URL('site')
if session.authorized:
redirect(send)
elif failed_login_count() >= allowed_number_of_attempts:
time.sleep(2 ** allowed_number_of_attempts)
raise HTTP(403)
elif request.vars.password:
if verify_password(request.vars.password[:1024]):
session.authorized = True
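Review bot: `time.sleep(2 ** allowed_number_of_attempts)` on the new denied-host branch blocks a server thread for the whole delay on every request an already-denied client sends to `index()`, so the throttle itself becomes a resource-exhaustion risk for the admin app; the `raise HTTP(403)` is what actually stops the attempt, and any delay here should be short and constant, e.g. `time.sleep(1)`. Because this `elif` is evaluated before `elif request.vars.password:`, a denied client can no longer reach `verify_password` and therefore never reaches the `login_record(success=True)` path that removes its entry from the denied-hosts record, so recovery depends entirely on the failure window expiring. That window is not checked by `failed_login_count()` in applications/admin/models/access.py, which returns `val[0]` without looking at the timestamp in `val[1]`, so the lockout does not lift on its own. The enclosing `index()` starts and ends outside the hunk.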
8 changes: 6 additions & 2 deletions applications/admin/models/access.py
Expand Up @@ -104,13 +104,12 @@ def write_hosts_deny(denied_hosts):
portalocker.unlock(f)
f.close()


def login_record(success=True):
denied_hosts = read_hosts_deny()
val = (0, 0)
if success and request.client in denied_hosts:
del denied_hosts[request.client]
elif not success and not request.is_local:
elif not success:
val = denied_hosts.get(request.client, (0, 0))
if time.time() - val[1] < expiration_failed_logins \
and val[0] >= allowed_number_of_attempts:
Expand All @@ -121,6 +120,11 @@ def login_record(success=True):
write_hosts_deny(denied_hosts)
return val[0]

def failed_login_count():
denied_hosts = read_hosts_deny()
val = denied_hosts.get(request.client, (0, 0))
return val[0]


# ###########################################################
# ## session expiration
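Review bot: `failed_login_count()` returns `val[0]` unconditionally, while `login_record()` two hunks above only treats a record as live when `time.time() - val[1] < expiration_failed_logins`; the caller in applications/admin/controllers/default.py will therefore keep refusing a host after its failures have aged out. Apply the same window before returning, `if time.time() - val[1] >= expiration_failed_logins:` followed by `return 0`, assuming `login_record()` resets the count once the window has passed, as the visible condition suggests (its middle is collapsed between the two hunks). Since the controller now consults this function before the password branch, this expiry is the only automatic way a denied host gets back to the login form, so the two functions must agree on what "still denied" means. A one-line docstring stating that the returned count is only meaningful inside `expiration_failed_logins` would help the next reader.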

1 comment on commit 944d8bd


@carnil carnil commented on 944d8bd Apr 10, 2017


This has been assigned CVE-2016-10321
