Add two new protections : REQUESTS_MIN_DELAY and MAX_PASSWORDS_PER_REQUEST (see conf.php)
This commit is contained in:
Gregory Soutade
parent
cc66b612ef
commit
6604fbb6e1
32
server/_user
32
server/_user
|
|
@ -1,6 +1,6 @@
|
|||
<?php
|
||||
/*
|
||||
Copyright (C) 2013-2014 Grégory Soutadé
|
||||
Copyright (C) 2013-2015 Grégory Soutadé
|
||||
|
||||
This file is part of gPass.
|
||||
|
||||
|
|
@ -22,14 +22,40 @@ include("conf.php");
|
|||
|
||||
function load_database()
|
||||
{
|
||||
global $REQUESTS_MIN_DELAY;
|
||||
|
||||
try {
|
||||
$db = new SQLite3("./gpass.bdd", SQLITE3_OPEN_READONLY);
|
||||
$db = new SQLite3("./gpass.bdd", SQLITE3_OPEN_READWRITE);
|
||||
}
|
||||
catch(Exception $e)
|
||||
{
|
||||
die("<b>Unable to load database for user $user !</b><br/>");
|
||||
return null;
|
||||
}
|
||||
|
||||
list($usec, $sec) = explode(" ", microtime());
|
||||
$usec = $usec + $sec*1000;
|
||||
|
||||
try {
|
||||
$last_time = $db->querySingle("SELECT last_access_time FROM conf");
|
||||
if ($last_time <= $usec &&
|
||||
($usec - $last_time) < $REQUESTS_MIN_DELAY)
|
||||
{
|
||||
// Brute force ??
|
||||
$db->close();
|
||||
return null;
|
||||
}
|
||||
$db->query("UPDATE conf SET last_access_time=$usec");
|
||||
$db->close();
|
||||
$db = new SQLite3("./gpass.bdd", SQLITE3_OPEN_READONLY);
|
||||
}
|
||||
catch(Exception $e)
|
||||
{
|
||||
$db->close();
|
||||
die("<b>Unable to load database for user $user !</b><br/>");
|
||||
return null;
|
||||
}
|
||||
|
||||
return $db;
|
||||
}
|
||||
|
||||
|
|
@ -45,7 +71,7 @@ echo "protocol=gpass-$PROTOCOL_VERSION\n";
|
|||
if ($PKDBF2_LEVEL != 1000)
|
||||
echo "pkdbf2_level=$PKDBF2_LEVEL\n";
|
||||
|
||||
for ($i=0; isset($_POST["k$i"]); $i++)
|
||||
for ($i=0; $i<$MAX_PASSWORDS_PER_REQUEST && isset($_POST["k$i"]); $i++)
|
||||
{
|
||||
$statement->bindValue(":login", addslashes($_POST["k$i"]));
|
||||
$result = $statement->execute();
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
<?php
|
||||
/*
|
||||
Copyright (C) 2013-2014 Grégory Soutadé
|
||||
Copyright (C) 2013-2015 Grégory Soutadé
|
||||
|
||||
This file is part of gPass.
|
||||
|
||||
|
|
@ -60,4 +60,23 @@ $PKDBF2_LEVEL=1000;
|
|||
standard crypto API will be stable it will be enabled by default.
|
||||
*/
|
||||
$USE_SHADOW_LOGINS=0;
|
||||
|
||||
/*
|
||||
Protection against DDoS.
|
||||
Each request can contains multiple password combination
|
||||
(to support wildcards for example) and multiple names.
|
||||
Currently only two passwords are sent from addon :
|
||||
www.example.com
|
||||
*.example.com
|
||||
But, on future we may also consider 'www.example.*', '*.example.*' and lower case username.
|
||||
For maximum security, you can set it to 2.
|
||||
*/
|
||||
$MAX_PASSWORDS_PER_REQUEST=10;
|
||||
|
||||
/*
|
||||
Protection against brute force.
|
||||
Minimum delay (in milliseconds) between two requests.
|
||||
*/
|
||||
$REQUESTS_MIN_DELAY=1000;
|
||||
|
||||
?>
|
||||
Loading…
Reference in New Issue