mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-27 16:00:59 +01:00
Don't rate limit users clicking "Wait Patiently" at an MFA gate even if they typed some text earlier
Summary: Depends on D20017. Ref T13222. Currently, if you: - type some text at a TOTP gate; - wait ~60 seconds for the challenge to expire; - submit the form into a "Wait patiently" message; and - mash that wait button over and over again very patiently ...you still rack up rate limiting points, because the hidden text from your original request is preserved and triggers the "is the user responding to a challenge" test. Only perform this test if we haven't already decided that we're going to make them wait. Test Plan: - Did the above; before patch: rate limited; after patch: not rate limited. - Intentionally typed a bunch of bad answers which were actually evaluated: rate limited properly. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D20018
This commit is contained in:
parent
bb20c13651
commit
e91bc26da6
1 changed files with 9 additions and 0 deletions
|
@ -557,9 +557,18 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
|||
// Limit factor verification rates to prevent brute force attacks.
|
||||
$any_attempt = false;
|
||||
foreach ($factors as $factor) {
|
||||
$factor_phid = $factor->getPHID();
|
||||
|
||||
$provider = $factor->getFactorProvider();
|
||||
$impl = $provider->getFactor();
|
||||
|
||||
// If we already have a result (normally "wait..."), we won't try
|
||||
// to validate whatever the user submitted, so this doesn't count as
|
||||
// an attempt for rate limiting purposes.
|
||||
if (isset($validation_results[$factor_phid])) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if ($impl->getRequestHasChallengeResponse($factor, $request)) {
|
||||
$any_attempt = true;
|
||||
break;
|
||||
|
|
Loading…
Reference in a new issue