Commit 27f01259 authored by Carsten  Rose's avatar Carsten Rose

#3770 / Attack Delay: merge processing to one codeplace

Config.php: new function attackDetectedExitNow().
Sip.php: replace local sleep(PENALTY_TIME_BROKEN_SIP) with central function attackDetectedExitNow().
parent c11f75ad
......@@ -374,6 +374,7 @@ const SYSTEM_LDAP_1_PASSWORD = 'LDAP_1_PASSWORD'; // Credentials to access LDAP
const SYSTEM_ESCAPE_TYPE_DEFAULT = 'ESCAPE_TYPE_DEFAULT';
const SYSTEM_SECURITY_VARS_HONEYPOT = 'SECURITY_VARS_HONEYPOT'; // Fake variables
const SYSTEM_SECURITY_ATTACK_DELAY = 'SECURITY_ATTACK_DELAY'; // Detected attack causes x seconds delay
const SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT = 5; // Detected attack causes x seconds delay
const SYSTEM_SECURITY_SHOW_MESSAGE = 'SECURITY_SHOW_MESSAGE'; // Detected attack shows an error message
const SYSTEM_SECURITY_GET_MAX_LENGTH = 'SECURITY_GET_MAX_LENGTH'; // Trim every character (before conversion) to SECURITY_GET_MAX_LENGTH chars;
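Review bot: The comment on the new `SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT` line is a copy of the one on `SYSTEM_SECURITY_ATTACK_DELAY` above it, so it does not say what the constant is for; Config.php uses it as the fallback when the configured delay is missing or not numeric. I would write it as `const SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT = 5; // Seconds; fallback when SECURITY_ATTACK_DELAY is unset or not numeric`. Note also that this default is an int while the sibling constants carry string values, which is fine for `is_numeric` but worth stating if anything string-compares config values.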
......@@ -910,8 +911,6 @@ const COLUMN_ZIP = "zip";
const FORM_NAME_FORM = 'form';
const FORM_NAME_FORM_ELEMENT = 'formElement';
const PENALTY_TIME_BROKEN_SIP = 5;
// DOWNLOAD
const DOWNLOAD_MODE = 'mode';
const DOWNLOAD_MODE_FILE = 'file';
......@@ -88,11 +88,24 @@ class Config {
return;
}
// Sleep
if (!empty($config[SYSTEM_SECURITY_ATTACK_DELAY])) {
sleep($config[SYSTEM_SECURITY_ATTACK_DELAY]);
self::attackDetectedExitNow($config);
}
/**
* @throws UserFormException
*/
public static function attackDetectedExitNow(array $config = array()) {
if (count($config) == 0) {
$config = self::readConfig();
}
// Sleep
$penalty = (empty($config[SYSTEM_SECURITY_ATTACK_DELAY]) || !is_numeric($config[SYSTEM_SECURITY_ATTACK_DELAY])) ?
SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT : $config[SYSTEM_SECURITY_ATTACK_DELAY];
sleep($penalty);
if ($config[SYSTEM_SECURITY_SHOW_MESSAGE] == 'true' || $config[SYSTEM_SECURITY_SHOW_MESSAGE] == 1) {
echo "Attack detected - stop process";
}
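Review bot: `sleep($penalty)` receives the raw config value after only an `is_numeric` check, so strings such as `"2.5"`, `"-5"` or `"1e6"` pass the guard; on PHP 8 a negative value makes `sleep()` throw `ValueError`, a fractional string is coerced with a deprecation, and a huge value pins a worker for as long as the attacker-independent config says. Clamp and cast before sleeping: `$penalty = max(0, (int) $penalty);` immediately before `sleep($penalty);`. `$config[SYSTEM_SECURITY_SHOW_MESSAGE]` is read without an `isset` guard, which matters for the new non-empty `$config` argument path when the caller's array lacks that key; `isset($config[SYSTEM_SECURITY_SHOW_MESSAGE]) && (... == 'true' || ... == 1)` avoids the notice. The docblock says `readConfig()` may throw `UserFormException`, so a config read failure skips the delay entirely — presumably acceptable since the exception still stops processing, but worth a one-line comment. `attackDetectedExitNow()` continues past the hunk, so whether it actually exits is not visible here.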
......@@ -119,7 +132,7 @@ class Config {
Support::setIfNotSet($config, F_BUTTON_ON_CHANGE_CLASS, 'btn-info alert-info');
Support::setIfNotSet($config, SYSTEM_EDIT_FORM_PAGE, 'form');
Support::setIfNotSet($config, SYSTEM_SECURITY_VARS_HONEYPOT, 'email,username,password');
Support::setIfNotSet($config, SYSTEM_SECURITY_ATTACK_DELAY, '5');
Support::setIfNotSet($config, SYSTEM_SECURITY_ATTACK_DELAY, SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT);
Support::setIfNotSet($config, SYSTEM_SECURITY_SHOW_MESSAGE, 'true');
Support::setIfNotSet($config, SYSTEM_SECURITY_GET_MAX_LENGTH, '50');
Support::setIfNotSet($config, SYSTEM_ESCAPE_TYPE_DEFAULT, TOKEN_ESCAPE_SINGLE_TICK);
......@@ -13,9 +13,10 @@ use qfq\UserFormException;
use qfq\OnArray;
use qfq\KeyValueStringParser;
require_once(__DIR__ . '/../../qfq/helper/OnArray.php');
require_once(__DIR__ . '/../../qfq/Constants.php');
require_once(__DIR__ . '/../../qfq/exceptions/CodeException.php');
require_once(__DIR__ . '/../helper/OnArray.php');
require_once(__DIR__ . '/../Constants.php');
require_once(__DIR__ . '/../store/Config.php');
require_once(__DIR__ . '/../exceptions/CodeException.php');
require_once(__DIR__ . '/Session.php');
......@@ -264,8 +265,7 @@ class Sip {
# Check if parameter is manipulated
if (strlen($s) != SIP_TOKEN_LENGTH) {
sleep(PENALTY_TIME_BROKEN_SIP);
throw new UserFormException("Broken Parameter", ERROR_BROKEN_PARAMETER);
Config::attackDetectedExitNow();
}
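Review bot: Removing the `throw new UserFormException("Broken Parameter", ERROR_BROKEN_PARAMETER)` makes this branch depend entirely on `Config::attackDetectedExitNow()` never returning, and the part of that function where an `exit` would live is outside the Config.php hunk; if it ever returns (or a later refactor makes it return), execution falls through to the fe_user validation with a malformed `$s`. Keep the throw as a fallback directly after the call: `Config::attackDetectedExitNow();` followed by `throw new UserFormException("Broken Parameter", ERROR_BROKEN_PARAMETER);` — it is unreachable when the helper exits and a hard stop otherwise. Callers that previously caught `ERROR_BROKEN_PARAMETER` to log the event will presumably no longer see it, which should be noted in the commit message if intended. The enclosing method starts and ends outside this hunk.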
// Validate: Check if still the same fe_user is logged in.