#3770 / Attack Delay: merge processing to one codeplace

Config.php: new function attackDetectedExitNow().
Sip.php: replace local sleep(PENALTY_TIME_BROKEN_SIP) with central function attackDetectedExitNow().

extension/qfq/qfq/Constants.php

@@ -374,6 +374,7 @@ const SYSTEM_LDAP_1_PASSWORD = 'LDAP_1_PASSWORD'; // Credentials to access LDAP
 const SYSTEM_ESCAPE_TYPE_DEFAULT = 'ESCAPE_TYPE_DEFAULT';
 const SYSTEM_SECURITY_VARS_HONEYPOT = 'SECURITY_VARS_HONEYPOT'; // Fake variables
 const SYSTEM_SECURITY_ATTACK_DELAY = 'SECURITY_ATTACK_DELAY'; // Detected attack causes x seconds delay
+const SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT = 5; // Detected attack causes x seconds delay
 const SYSTEM_SECURITY_SHOW_MESSAGE = 'SECURITY_SHOW_MESSAGE'; // Detected attack shows an error message
 const SYSTEM_SECURITY_GET_MAX_LENGTH = 'SECURITY_GET_MAX_LENGTH'; // Trim every character (before conversion) to SECURITY_GET_MAX_LENGTH chars;
 
@@ -910,8 +911,6 @@ const COLUMN_ZIP = "zip";
 const FORM_NAME_FORM = 'form';
 const FORM_NAME_FORM_ELEMENT = 'formElement';
 
-const PENALTY_TIME_BROKEN_SIP = 5;
-
 // DOWNLOAD
 const DOWNLOAD_MODE = 'mode';
 const DOWNLOAD_MODE_FILE = 'file';

extension/qfq/qfq/store/Config.php

@@ -88,11 +88,24 @@ class Config {
             return;
         }
 
-        // Sleep
-        if (!empty($config[SYSTEM_SECURITY_ATTACK_DELAY])) {
-            sleep($config[SYSTEM_SECURITY_ATTACK_DELAY]);
+        self::attackDetectedExitNow($config);
+    }
+
+    /**
+     * @throws UserFormException
+     */
+    public static function attackDetectedExitNow(array $config = array()) {
+
+        if (count($config) == 0) {
+            $config = self::readConfig();
         }
 
+        // Sleep
+        $penalty = (empty($config[SYSTEM_SECURITY_ATTACK_DELAY]) || !is_numeric($config[SYSTEM_SECURITY_ATTACK_DELAY])) ?
+            SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT : $config[SYSTEM_SECURITY_ATTACK_DELAY];
+
+        sleep($penalty);
+
         if ($config[SYSTEM_SECURITY_SHOW_MESSAGE] == 'true' || $config[SYSTEM_SECURITY_SHOW_MESSAGE] == 1) {
             echo "Attack detected - stop process";
         }
@@ -119,7 +132,7 @@ class Config {
         Support::setIfNotSet($config, F_BUTTON_ON_CHANGE_CLASS, 'btn-info alert-info');
         Support::setIfNotSet($config, SYSTEM_EDIT_FORM_PAGE, 'form');
         Support::setIfNotSet($config, SYSTEM_SECURITY_VARS_HONEYPOT, 'email,username,password');
-        Support::setIfNotSet($config, SYSTEM_SECURITY_ATTACK_DELAY, '5');
+        Support::setIfNotSet($config, SYSTEM_SECURITY_ATTACK_DELAY, SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT);
         Support::setIfNotSet($config, SYSTEM_SECURITY_SHOW_MESSAGE, 'true');
         Support::setIfNotSet($config, SYSTEM_SECURITY_GET_MAX_LENGTH, '50');
         Support::setIfNotSet($config, SYSTEM_ESCAPE_TYPE_DEFAULT, TOKEN_ESCAPE_SINGLE_TICK);

extension/qfq/qfq/store/Sip.php

@@ -13,9 +13,10 @@ use qfq\UserFormException;
 use qfq\OnArray;
 use qfq\KeyValueStringParser;
 
-require_once(__DIR__ . '/../../qfq/helper/OnArray.php');
-require_once(__DIR__ . '/../../qfq/Constants.php');
-require_once(__DIR__ . '/../../qfq/exceptions/CodeException.php');
+require_once(__DIR__ . '/../helper/OnArray.php');
+require_once(__DIR__ . '/../Constants.php');
+require_once(__DIR__ . '/../store/Config.php');
+require_once(__DIR__ . '/../exceptions/CodeException.php');
 require_once(__DIR__ . '/Session.php');
 
 
@@ -264,8 +265,7 @@ class Sip {
 
         # Check if parameter is manipulated
         if (strlen($s) != SIP_TOKEN_LENGTH) {
-            sleep(PENALTY_TIME_BROKEN_SIP);
-            throw new UserFormException("Broken Parameter", ERROR_BROKEN_PARAMETER);
+            Config::attackDetectedExitNow();
         }
 
         // Validate: Check if still the same fe_user is logged in.