1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-10 08:52:39 +01:00

Don't rate limit users clicking "Wait Patiently" at an MFA gate even if they typed some text earlier

Summary:
Depends on D20017. Ref T13222. Currently, if you:

  - type some text at a TOTP gate;
  - wait ~60 seconds for the challenge to expire;
  - submit the form into a "Wait patiently" message; and
  - mash that wait button over and over again very patiently

...you still rack up rate limiting points, because the hidden text from your original request is preserved and triggers the "is the user responding to a challenge" test. Only perform this test if we haven't already decided that we're going to make them wait.

Test Plan:
  - Did the above; before patch: rate limited; after patch: not rate limited.
  - Intentionally typed a bunch of bad answers which were actually evaluated: rate limited properly.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13222

Differential Revision: https://secure.phabricator.com/D20018
This commit is contained in:
epriestley 2019-01-23 07:09:20 -08:00
parent bb20c13651
commit e91bc26da6

View file

@ -557,9 +557,18 @@ final class PhabricatorAuthSessionEngine extends Phobject {
// Limit factor verification rates to prevent brute force attacks.
$any_attempt = false;
foreach ($factors as $factor) {
$factor_phid = $factor->getPHID();
$provider = $factor->getFactorProvider();
$impl = $provider->getFactor();
// If we already have a result (normally "wait..."), we won't try
// to validate whatever the user submitted, so this doesn't count as
// an attempt for rate limiting purposes.
if (isset($validation_results[$factor_phid])) {
continue;
}
if ($impl->getRequestHasChallengeResponse($factor, $request)) {
$any_attempt = true;
break;