tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-06-28 07:29:26 +02:00
Code Issues Projects Releases Wiki Activity

[SS-2016-005] FIX Apply brute force protection to default admin

Browse Source
This commit is contained in:
Daniel Hensby 2016-04-18 18:35:14 +01:00
parent 1f820b0b1c
commit f32c893546
No known key found for this signature in database
GPG Key ID: E38EC566FE29EB66
3 changed files with 25 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
security/Member.php
View File

@ -349,7 +349,7 @@ class Member extends DataObject implements TemplateGlobalProvider {
* Returns true if this user is locked out
*/
public function isLockedOut() {
return $this->LockedOutUntil && time() < strtotime($this->LockedOutUntil);
return $this->LockedOutUntil && SS_Datetime::now()->Format('U') < strtotime($this->LockedOutUntil);
}
/**
@ -1565,7 +1565,7 @@ class Member extends DataObject implements TemplateGlobalProvider {
if($this->FailedLoginCount >= self::config()->lock_out_after_incorrect_logins) {
$lockoutMins = self::config()->lock_out_delay_mins;
$this->LockedOutUntil = date('Y-m-d H:i:s', time() + $lockoutMins*60);
$this->LockedOutUntil = date('Y-m-d H:i:s', SS_Datetime::now()->Format('U') + $lockoutMins*60);
$this->write();
}
}

7
security/MemberAuthenticator.php
View File

@ -49,8 +49,11 @@ class MemberAuthenticator extends Authenticator {
if($asDefaultAdmin) {
// If logging is as default admin, ensure record is setup correctly
$member = Member::default_admin();
$success = Security::check_default_admin($email, $data['Password']);
if($success) return $member;
$success = !$member->isLockedOut() && Security::check_default_admin($email, $data['Password']);
//protect against failed login
if($success) {
return $member;
}
}
// Attempt to identify user by email

18
tests/security/MemberAuthenticatorTest.php
View File

@ -164,4 +164,22 @@ class MemberAuthenticatorTest extends SapphireTest {
$this->assertEquals('The provided details don&#039;t seem to be correct. Please try again.', $form->Message());
$this->assertEquals('bad', $form->MessageType());
}
public function testDefaultAdminLockOut()
{
Config::inst()->update('Member', 'lock_out_after_incorrect_logins', 1);
Config::inst()->update('Member', 'lock_out_delay_mins', 10);
SS_Datetime::set_mock_now('2016-04-18 00:00:00');
$controller = new Security();
$form = new Form($controller, 'Form', new FieldList(), new FieldList());
// Test correct login
MemberAuthenticator::authenticate(array(
'Email' => 'admin',
'Password' => 'wrongpassword'
), $form);
$this->assertTrue(Member::default_admin()->isLockedOut());
$this->assertEquals(Member::default_admin()->LockedOutUntil, '2016-04-18 00:10:00');
}
}