[SS-2016-005] FIX Apply brute force protection to default admin

This commit is contained in:
Daniel Hensby 2016-04-18 18:35:14 +01:00
parent 1f820b0b1c
commit f32c893546
No known key found for this signature in database
GPG Key ID: E38EC566FE29EB66
3 changed files with 25 additions and 4 deletions


@ -349,7 +349,7 @@ class Member extends DataObject implements TemplateGlobalProvider {
* Returns true if this user is locked out * Returns true if this user is locked out
*/ */
public function isLockedOut() { public function isLockedOut() {
return $this->LockedOutUntil && time() < strtotime($this->LockedOutUntil); return $this->LockedOutUntil && SS_Datetime::now()->Format('U') < strtotime($this->LockedOutUntil);
} }
/** /**
@ -1565,7 +1565,7 @@ class Member extends DataObject implements TemplateGlobalProvider {
if($this->FailedLoginCount >= self::config()->lock_out_after_incorrect_logins) { if($this->FailedLoginCount >= self::config()->lock_out_after_incorrect_logins) {
$lockoutMins = self::config()->lock_out_delay_mins; $lockoutMins = self::config()->lock_out_delay_mins;
$this->LockedOutUntil = date('Y-m-d H:i:s', time() + $lockoutMins*60); $this->LockedOutUntil = date('Y-m-d H:i:s', SS_Datetime::now()->Format('U') + $lockoutMins*60);
$this->write(); $this->write();
} }
} }
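Review bot: `SS_Datetime::now()->Format('U')` returns a string, so both new lines (the `<` in `isLockedOut()` and the `+ $lockoutMins*60` in the second hunk) lean on PHP's implicit numeric-string coercion, which works here but hides the intent; an explicit cast reads better and protects the comparison if the value ever stops being numeric, e.g. `$now = (int) SS_Datetime::now()->Format('U');` followed by `return $this->LockedOutUntil && $now < strtotime($this->LockedOutUntil);`. Nothing in either hunk says why `time()` was swapped out, so a reader may revert it as a pointless indirection; a one-line comment such as `// Use SS_Datetime so the lockout clock can be mocked in tests` on each changed line would preserve the reason. The second hunk's enclosing function begins outside the hunk, so the rest of the failed-login bookkeeping was not reviewed.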


@ -49,8 +49,11 @@ class MemberAuthenticator extends Authenticator {
if($asDefaultAdmin) { if($asDefaultAdmin) {
// If logging is as default admin, ensure record is setup correctly // If logging is as default admin, ensure record is setup correctly
$member = Member::default_admin(); $member = Member::default_admin();
$success = Security::check_default_admin($email, $data['Password']); $success = !$member->isLockedOut() && Security::check_default_admin($email, $data['Password']);
if($success) return $member; //protect against failed login
if($success) {
return $member;
}
} }
// Attempt to identify user by email // Attempt to identify user by email
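Review bot: The comment `//protect against failed login` does not say what the new `!$member->isLockedOut() &&` guard protects against, and the short-circuit order is the security-relevant part. I would replace it with `// Check the lockout first: a locked-out default admin is rejected before the password is even compared, so a correct password cannot bypass brute-force protection`. The enclosing function continues past the hunk, so it is not visible here whether a wrong password for the default admin reaches `registerFailedLogin()` and increments `FailedLoginCount`; the new test assumes it does after a single attempt, so that path is worth confirming against the rest of the method. Likewise, if a correct password submitted during the lockout window also counts as a failed login further down, the lockout would extend on every retry, which may or may not be intended.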


@ -164,4 +164,22 @@ class MemberAuthenticatorTest extends SapphireTest {
$this->assertEquals('The provided details don&#039;t seem to be correct. Please try again.', $form->Message()); $this->assertEquals('The provided details don&#039;t seem to be correct. Please try again.', $form->Message());
$this->assertEquals('bad', $form->MessageType()); $this->assertEquals('bad', $form->MessageType());
} }
public function testDefaultAdminLockOut()
{
Config::inst()->update('Member', 'lock_out_after_incorrect_logins', 1);
Config::inst()->update('Member', 'lock_out_delay_mins', 10);
SS_Datetime::set_mock_now('2016-04-18 00:00:00');
$controller = new Security();
$form = new Form($controller, 'Form', new FieldList(), new FieldList());
// Test correct login
MemberAuthenticator::authenticate(array(
'Email' => 'admin',
'Password' => 'wrongpassword'
), $form);
$this->assertTrue(Member::default_admin()->isLockedOut());
$this->assertEquals(Member::default_admin()->LockedOutUntil, '2016-04-18 00:10:00');
}
} }
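Review bot: The comment `// Test correct login` in testDefaultAdminLockOut is wrong; the request uses `'wrongpassword'` and the test asserts the resulting lockout. The test also never exercises the behaviour the authenticator change introduces, namely that the correct password is rejected while the account is locked, and the `assertEquals` call has its arguments reversed (expected value should come first, so a failure message reads correctly). `SS_Datetime::set_mock_now()` is global state; pairing it with `SS_Datetime::clear_mock_now()` at the end of the test (or in tearDown) keeps later tests from running against a frozen clock. The rewritten body below fixes the comment and argument order and adds the locked-out-with-correct-password assertion; the return value of a failed `authenticate()` is asserted with `assertNotInstanceOf` so it does not depend on whether failure is signalled by `null` or `false`.
```php
// A single wrong password must lock the default admin out
MemberAuthenticator::authenticate(array(
    'Email' => 'admin',
    'Password' => 'wrongpassword'
), $form);
$this->assertTrue(Member::default_admin()->isLockedOut());
$this->assertEquals('2016-04-18 00:10:00', Member::default_admin()->LockedOutUntil);
// While locked out, even the correct password must be rejected
$result = MemberAuthenticator::authenticate(array(
    'Email' => 'admin',
    'Password' => Security::default_admin_password()
), $form);
$this->assertNotInstanceOf('Member', $result);
SS_Datetime::clear_mock_now();
```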