Cleanup securityAttackDelay, securityShowMessage: change description, check functionality

e3522f6d · Carsten Rose · f82c87e5 · e3522f6d · e3522f6d · e3522f6d
Commit e3522f6d authored 2 years ago by Carsten Rose
--- a/Documentation/Installation.rst
+++ b/Documentation/Installation.rst
@@ -586,10 +586,10 @@ Extension Manager: QFQ Configuration
 +-----------------------------------+-------------------------------------------------------+----------------------------------------------------------------------------+
 | securityVarsHoneypot              | email,username,password                               | If empty: no check. All named variables will rendered as INPUT elements.   |
 +-----------------------------------+-------------------------------------------------------+----------------------------------------------------------------------------+
-| securityAttackDelay               | 5                                                     | If an attack is detected, sleep 'x' seconds and exit PHP process. '-1'     |
+| securityAttackDelay               | 5                                                     | If an attack is detected: a) clear SIP Store b) wait number of seconds, c) |
-|                                   |                                                       | Reports the attack and returns normally - use this with care.              |
+|                                   |                                                       | quit PHP process. -1: Switch off attack detection.                         |
 +-----------------------------------+-------------------------------------------------------+----------------------------------------------------------------------------+
-| securityShowMessage               | true                                                  | If an attack is detected, show a message.                                  |
+| securityShowMessage               | on/off                                                | on: If an attack is detected, show a message.                              |
 +-----------------------------------+-------------------------------------------------------+----------------------------------------------------------------------------+
 | securityGetMaxLength              | 50                                                    | GET vars longer than 'x' chars triggers an `attack-recognized`.            |
 |                                   |                                                       | :ref:`ExceptionMaxLength`.                                                 |

--- a/Documentation/Security.rst
+++ b/Documentation/Security.rst
@@ -108,7 +108,7 @@ Violation
 On any violation, QFQ will sleep `securityAttackDelaySeconds` (:ref:`configuration`) and than exit the running PHP process.
 A detected attack leads to a complete white (=empty) page.
-If `securityShowMessage`: true (:ref:`configuration`), at least a message is displayed after the delay.
+If `securityShowMessage`: on (:ref:`configuration`), at least a message is displayed after the delay.
 Client Parameter via SIP
 ------------------------

--- a/extension/Classes/Core/Store/Config.php
+++ b/extension/Classes/Core/Store/Config.php
@@ -117,8 +117,8 @@ class Config {
        }
        // Check for valid encryption method and show error in page if not valid
-        if(!EncryptDecrypt::checkForValidEncryptMethod($config[SYSTEM_ENCRYPTION_METHOD])){
+        if (!EncryptDecrypt::checkForValidEncryptMethod($config[SYSTEM_ENCRYPTION_METHOD])) {
-            Thrower::userFormException("Defined default for encryption method is not valid: '".$config[SYSTEM_ENCRYPTION_METHOD]."' . Please define a valid method.");
+            Thrower::userFormException("Defined default for encryption method is not valid: '" . $config[SYSTEM_ENCRYPTION_METHOD] . "' . Please define a valid method.");
        }
        // End author
@@ -379,18 +379,7 @@ class Config {
        $penalty = (empty($config[SYSTEM_SECURITY_ATTACK_DELAY]) || !is_numeric($config[SYSTEM_SECURITY_ATTACK_DELAY])) ?
            SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT : $config[SYSTEM_SECURITY_ATTACK_DELAY];
+        if ($config[SYSTEM_SECURITY_SHOW_MESSAGE] == 1) {
-        // In case of an attack: log out the current user.
-        // $penalty of -1 means: no destroy, no sleep, no exit
-        if ($penalty != -1) {
-            Session::destroy();
-            if (!defined('PHPUNIT_QFQ')) {
-                sleep($penalty);
-            }
-        }
-        if ($config[SYSTEM_SECURITY_SHOW_MESSAGE] == 'true' || $config[SYSTEM_SECURITY_SHOW_MESSAGE] == 1) {
            echo "Attack detected - stop process <p>" . $reason . '</p>';
 //            $answer[API_STATUS] = API_ANSWER_STATUS_ERROR;
@@ -406,9 +395,14 @@ class Config {
            throw new \UserFormException('Attack detected', 1);
        }
-        // $penalty of -1 means: no destroy, no sleep, no exit
+        if ($penalty == -1) {
-        if ($penalty != -1) {
+            return; // no destroy, no sleep, no exit
-            return;
+        } else {
+            Session::destroy();
+            if (!defined('PHPUNIT_QFQ')) {
+                sleep($penalty);
+            }
        }
        exit;

--- a/extension/ext_conf_template.txt
+++ b/extension/ext_conf_template.txt
@@ -140,11 +140,11 @@ escapeTypeDefault = m
 # cat=security/security; type=string; label=List of honeypot input elements:Default is 'email,username,password'. If empty: no check. All named strings will rendered as hidden INPUT elements. If a form submit contains values for those inputs, the POST is treated as an attack.
 securityVarsHoneypot = email,username,password
-# cat=security/security; type=string; label=Attack delay in seconds:Default is '5'. After a detected attack, the number of seconds to wait before the PHP process dies (and therefore the browser request deliver nothing). '-1' report attacks but skip wait and process as normal.
+# cat=security/security; type=string; label=Attack delay in seconds:Default is '5'. After a detected attack, a) clear SIP Store b) wait number of seconds, c) quit PHP process (and therefore the browser request deliver nothing). '-1': Switch off attack detection.
 securityAttackDelay = 5
-# cat=security/security; type=string; label=Show an attack detected message:Default is 'true'. Show (return to browser) a message, that an attack has been detected. Should be 'false' for production sites.
+# cat=security/security; type=boolean; label=Show an attack detected message:Default is 'off'. Show (return to browser) a message, that an attack has been detected. Should be 'off' for production sites.
-securityShowMessage = true
+securityShowMessage = 0
 # cat=security/security; type=string; label='GET'-Parameter max length:Default is '50'. GET vars longer than 'x' character triggers an `attack-detected`.
 securityGetMaxLength = 50