bug-1341: Restrict to 1 login per 5 seconds
authorBenny Baumann <BenBE@geshi.org>
Tue, 2 Dec 2014 23:37:54 +0000 (00:37 +0100)
committerBenny Baumann <BenBE@geshi.org>
Tue, 2 Dec 2014 23:38:50 +0000 (00:38 +0100)
www/index.php

index e6fc06a..2247b68 100644 (file)
@@ -191,7 +191,9 @@ require_once('../includes/notary.inc.php');
                $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
                                                `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
                $res = mysql_query($query);
-               if(mysql_num_rows($res) > 0)
+               $query = "SELECT 1 FROM `users` WHERE `email`='$email' and (UNIX_TIMESTAMP(`lastLoginAttempt`) < UNIX_TIMESTAMP(CURRENT_TIMESTAMP) - 5 or `lastLoginAttempt` is NULL)" ;
+               $rateLimit = mysql_num_rows(mysql_query($query)) > 0;
+               if(mysql_num_rows($res) > 0 && $rateLimit)
                {
                        $_SESSION['profile'] = "";
                        unset($_SESSION['profile']);
@@ -231,13 +233,17 @@ require_once('../includes/notary.inc.php');
                                header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
                        }
                        exit;
+               } else if($rateLimit){
+                       $query = "update `users` set `lastLoginAttempt`=CURRENT_TIMESTAMP WHERE `email`='$email'";
+                       mysql_query($query);
                }
 
                $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
                                                `password`=password('$pword')) and `verified`=0 and `deleted`=0";
                $res = mysql_query($query);
-               if(mysql_num_rows($res) <= 0)
-               {
+               if(!$rateLimit) {
+                       $_SESSION['_config']['errmsg'] = _("You hit the login rate limit of 1 login per 5 seconds.");
+               } else if(mysql_num_rows($res) <= 0) {
                        $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
                } else {
                        $_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");