Commit e4a42173 authored by Carsten  Rose's avatar Carsten Rose

Merge branch 'F13333Option_Switch_off_Attack_Detect' into 'develop'

Implements #13333. Skip Attack detection by not destroying SIP.

See merge request !363
parents b89d0701 d7f6dec4
Pipeline #6165 passed with stages
in 3 minutes and 2 seconds
......@@ -499,7 +499,8 @@ Extension Manager: QFQ Configuration
+-----------------------------------+-------------------------------------------------------+----------------------------------------------------------------------------+
| securityVarsHoneypot | email,username,password | If empty: no check. All named variables will rendered as INPUT elements. |
+-----------------------------------+-------------------------------------------------------+----------------------------------------------------------------------------+
| securityAttackDelay | 5 | If an attack is detected, sleep 'x' seconds and exit PHP process. |
| securityAttackDelay | 5 | If an attack is detected, sleep 'x' seconds and exit PHP process. '-1' |
| | | Reports the attack and returns normally - use this with care. |
+-----------------------------------+-------------------------------------------------------+----------------------------------------------------------------------------+
| securityShowMessage | true | If an attack is detected, show a message. |
+-----------------------------------+-------------------------------------------------------+----------------------------------------------------------------------------+
......
......@@ -341,15 +341,19 @@ class Config {
Logger::logMessage(Logger::linePre() . 'Security: attack detected' . PHP_EOL . $reason, Path::absoluteQfqLogFile());
// In case of an attack: log out the current user.
Session::destroy();
// Sleep
$penalty = (empty($config[SYSTEM_SECURITY_ATTACK_DELAY]) || !is_numeric($config[SYSTEM_SECURITY_ATTACK_DELAY])) ?
SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT : $config[SYSTEM_SECURITY_ATTACK_DELAY];
if (!defined('PHPUNIT_QFQ')) {
sleep($penalty);
// In case of an attack: log out the current user.
// $penalty of -1 means: no destroy, no sleep, no exit
if ($penalty != -1) {
Session::destroy();
if (!defined('PHPUNIT_QFQ')) {
sleep($penalty);
}
}
if ($config[SYSTEM_SECURITY_SHOW_MESSAGE] == 'true' || $config[SYSTEM_SECURITY_SHOW_MESSAGE] == 1) {
......@@ -368,6 +372,11 @@ class Config {
throw new \UserFormException('Attack detected', 1);
}
// $penalty of -1 means: no destroy, no sleep, no exit
if ($penalty != -1) {
return;
}
exit;
}
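Review bot: The guard added before `exit;` looks inverted as shown here: `if ($penalty != -1) { return; }` returns to the caller for every ordinary delay value and reaches `exit;` only when the delay is -1. That contradicts the comment directly above it ("-1 means: no destroy, no sleep, no exit") and the documented behaviour. With the default of 5, the session would be destroyed and the sleep would run, but the request would then continue instead of terminating, so the condition should read `if ($penalty == -1) { return; }`. Separately, `throw new \UserFormException('Attack detected', 1);` just above appears to be reached regardless of the delay when the show-message option is on, so -1 may not "return normally" in that configuration. The enclosing method starts and ends outside the visible hunks, so confirm both points against the full function, and add a test for the 5 and -1 cases.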
......
......@@ -128,7 +128,7 @@ escapeTypeDefault = m
# cat=security/security; type=string; label=List of honeypot input elements:Default is 'email,username,password'. If empty: no check. All named strings will rendered as hidden INPUT elements. If a form submit contains values for those inputs, the POST is treated as an attack.
securityVarsHoneypot = email,username,password
# cat=security/security; type=string; label=Attack delay in seconds:Default is '5'. After a detected attack, the number of seconds to wait before the PHP process dies (and therefore the browser request deliver nothing).
# cat=security/security; type=string; label=Attack delay in seconds:Default is '5'. After a detected attack, the number of seconds to wait before the PHP process dies (and therefore the browser request deliver nothing). '-1' report attacks but skip wait and process as normal.
securityAttackDelay = 5
# cat=security/security; type=string; label=Show an attack detected message:Default is 'true'. Show (return to browser) a message, that an attack has been detected. Should be 'false' for production sites.
......